Bug 1883321 - Part 1: Messaging Layer Security module, prefs and FFI. r=mt,glandium,nika,emilio

Messaging Layer Security (RFC 9420) rust module, prefs and FFI from Rust to C++.

This patch implements mls_gk which is a thin wrapper on the external mls-platform-api rust crate.

Differential Revision: https://phabricator.services.mozilla.com/D203680

.cargo/config.toml.in

@@ -15,6 +15,21 @@ git = "https://github.com/FirefoxGraphics/wpf-gpu-raster"
 rev = "99979da091fd58fba8477e7fcdf5ec0727102916"
 replace-with = "vendored-sources"
 
+[source."git+https://github.com/beurdouche/mls-platform-api?rev=4dcf3ccbb4d04f4084bba25a9ad0f9248a7a5d02"]
+git = "https://github.com/beurdouche/mls-platform-api"
+rev = "4dcf3ccbb4d04f4084bba25a9ad0f9248a7a5d02"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde"]
+git = "https://github.com/beurdouche/mls-rs"
+rev = "27c6bc41d3d7698d2b170625503513d446460bde"
+replace-with = "vendored-sources"
+
+[source."git+https://github.com/beurdouche/nss-gk-api?rev=9bec3c1a7509f3c594cb3394c9353bcb1a1dd853"]
+git = "https://github.com/beurdouche/nss-gk-api"
+rev = "9bec3c1a7509f3c594cb3394c9353bcb1a1dd853"
+replace-with = "vendored-sources"
+
 [source."git+https://github.com/chris-zen/coremidi.git?rev=fc68464b5445caf111e41f643a2e69ccce0b4f83"]
 git = "https://github.com/chris-zen/coremidi.git"
 rev = "fc68464b5445caf111e41f643a2e69ccce0b4f83"

Cargo.lock

@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "aa-stroke"
@@ -1416,6 +1416,15 @@ dependencies = [
  "libdbus-sys",
 ]
 
+[[package]]
+name = "debug_tree"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d1ec383f2d844902d3c34e4253ba11ae48513cdaddc565cf1a6518db09a8e57"
+dependencies = [
+ "once_cell",
+]
+
 [[package]]
 name = "debugid"
 version = "0.8.0"
@@ -2334,8 +2343,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi 0.11.0+wasi-snapshot-preview1",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -2440,6 +2451,7 @@ dependencies = [
  "mdns_service",
  "midir_impl",
  "mime-guess-ffi",
+ "mls_gk",
  "moz_asserts",
  "mozannotation_client",
  "mozannotation_server",
@@ -3779,6 +3791,17 @@ version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5"
 
+[[package]]
+name = "maybe-async"
+version = "0.2.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cf92c10c7e361d6b99666ec1c6f9805b0bea2c3bd8c78dc6fe98ac5bd78db11"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "md-5"
 version = "0.10.5"
@@ -4032,6 +4055,169 @@ dependencies = [
  "windows-sys",
 ]
 
+[[package]]
+name = "mls-platform-api"
+version = "0.1.0"
+source = "git+https://github.com/beurdouche/mls-platform-api?rev=4dcf3ccbb4d04f4084bba25a9ad0f9248a7a5d02#4dcf3ccbb4d04f4084bba25a9ad0f9248a7a5d02"
+dependencies = [
+ "bincode",
+ "hex",
+ "mls-rs",
+ "mls-rs-crypto-nss",
+ "mls-rs-provider-sqlite",
+ "serde",
+ "serde_json",
+ "sha2",
+ "thiserror",
+]
+
+[[package]]
+name = "mls-rs"
+version = "0.39.1"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "cfg-if",
+ "debug_tree",
+ "futures",
+ "getrandom",
+ "hex",
+ "itertools",
+ "maybe-async",
+ "mls-rs-codec",
+ "mls-rs-core",
+ "mls-rs-identity-x509",
+ "mls-rs-provider-sqlite",
+ "rand_core",
+ "rayon",
+ "serde",
+ "thiserror",
+ "wasm-bindgen",
+ "zeroize",
+]
+
+[[package]]
+name = "mls-rs-codec"
+version = "0.5.3"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "mls-rs-codec-derive",
+ "thiserror",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "mls-rs-codec-derive"
+version = "0.1.1"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "mls-rs-core"
+version = "0.18.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "hex",
+ "maybe-async",
+ "mls-rs-codec",
+ "serde",
+ "serde_bytes",
+ "thiserror",
+ "wasm-bindgen",
+ "zeroize",
+]
+
+[[package]]
+name = "mls-rs-crypto-hpke"
+version = "0.9.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "cfg-if",
+ "maybe-async",
+ "mls-rs-core",
+ "mls-rs-crypto-traits",
+ "thiserror",
+ "zeroize",
+]
+
+[[package]]
+name = "mls-rs-crypto-nss"
+version = "0.1.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "getrandom",
+ "hex",
+ "maybe-async",
+ "mls-rs-core",
+ "mls-rs-crypto-hpke",
+ "mls-rs-crypto-traits",
+ "nss-gk-api",
+ "rand_core",
+ "serde",
+ "thiserror",
+ "zeroize",
+]
+
+[[package]]
+name = "mls-rs-crypto-traits"
+version = "0.10.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "maybe-async",
+ "mls-rs-core",
+]
+
+[[package]]
+name = "mls-rs-identity-x509"
+version = "0.11.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "maybe-async",
+ "mls-rs-core",
+ "thiserror",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "mls-rs-provider-sqlite"
+version = "0.11.0"
+source = "git+https://github.com/beurdouche/mls-rs?rev=27c6bc41d3d7698d2b170625503513d446460bde#27c6bc41d3d7698d2b170625503513d446460bde"
+dependencies = [
+ "async-trait",
+ "hex",
+ "maybe-async",
+ "mls-rs-core",
+ "rand",
+ "rusqlite",
+ "thiserror",
+ "zeroize",
+]
+
+[[package]]
+name = "mls_gk"
+version = "0.1.0"
+dependencies = [
+ "hex",
+ "log",
+ "mls-platform-api",
+ "nserror",
+ "nss-gk-api",
+ "nsstring",
+ "rusqlite",
+ "static_prefs",
+ "thin-vec",
+ "xpcom",
+]
+
 [[package]]
 name = "moz_asserts"
 version = "0.1.0"
@@ -4493,10 +4679,10 @@ dependencies = [
 [[package]]
 name = "nss-gk-api"
 version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c17aec6d4e1822c023689899f09311592a36cbf6de8f85dfaf5f01976790d8d"
+source = "git+https://github.com/beurdouche/nss-gk-api?rev=9bec3c1a7509f3c594cb3394c9353bcb1a1dd853#9bec3c1a7509f3c594cb3394c9353bcb1a1dd853"
 dependencies = [
  "bindgen 0.69.4",
+ "log",
  "mozbuild",
  "once_cell",
  "pkcs11-bindings",
@@ -7546,6 +7732,27 @@ dependencies = [
  "synstructure",
 ]
 
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+dependencies = [
+ "serde",
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "zerovec"
 version = "0.10.4"

Cargo.toml

@@ -14,6 +14,7 @@ members = [
   "security/manager/ssl/tests/unit/test_builtins",
   "security/manager/ssl/ipcclientcerts",
   "security/manager/ssl/osclientcerts",
+  "security/mls/mls_gk",
   "testing/geckodriver",
   "toolkit/components/uniffi-bindgen-gecko-js",
   "toolkit/crashreporter/client/app",
@@ -199,6 +200,7 @@ plist = { path = "third_party/rust/plist" }
 
 # To-be-published changes.
 unicode-bidi = { git = "https://github.com/servo/unicode-bidi", rev = "ca612daf1c08c53abe07327cb3e6ef6e0a760f0c" }
+nss-gk-api = { git = "https://github.com/beurdouche/nss-gk-api", rev = "9bec3c1a7509f3c594cb3394c9353bcb1a1dd853" }
 
 # Other overrides
 any_all_workaround = { git = "https://github.com/hsivonen/any_all_workaround", rev = "7fb1b7034c9f172aade21ee1c8554e8d8a48af80" }

modules/libpref/init/StaticPrefList.yaml

@@ -16313,6 +16313,12 @@
   value: true
   mirror: always
 
+# MLS
+- name: security.mls.enabled
+  type: RelaxedAtomicBool
+  value: false
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "signon."
 #---------------------------------------------------------------------------

security/mls/mls_gk/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "mls_gk"
+version = "0.1.0"
+edition = "2021"
+license = "Apache-2.0 OR MIT"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+nserror = { path = "../../../xpcom/rust/nserror" }
+nsstring = { path = "../../../xpcom/rust/nsstring" }
+xpcom = { path = "../../../xpcom/rust/xpcom" }
+static_prefs = { path = "../../../modules/libpref/init/static_prefs" }
+
+mls-platform-api = { git = "https://github.com/beurdouche/mls-platform-api", rev="4dcf3ccbb4d04f4084bba25a9ad0f9248a7a5d02", features = ["gecko"] }
+nss-gk-api = { git = "https://github.com/beurdouche/nss-gk-api", rev = "9bec3c1a7509f3c594cb3394c9353bcb1a1dd853", default-features = false }
+thin-vec = { version = "^0.2.12", features = ["gecko-ffi"] }
+hex = "^0.4.3"
+rusqlite = "^0.31.0"
+log = "^0.4.20"

security/mls/mls_gk/cbindgen.toml

@@ -0,0 +1,43 @@
+header = """/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */"""
+autogen_warning = """/* DO NOT MODIFY THIS MANUALLY! This file was generated using cbindgen. See RunCbindgen.py */
+"""
+include_guard = "mozilla_dom_MlsGkFFI_h"
+include_version = true
+braces = "SameLine"
+line_length = 100
+tab_width = 2
+language = "C++"
+includes = ["nsStringFwd.h", "nsTArrayForwardDeclare.h"]
+# Put FFI calls in the `mozilla::security::mls` namespace.
+namespaces = ["mozilla", "security", "mls"]
+
+[enum]
+derive_const_casts = true
+derive_tagged_enum_destructor = true
+cast_assert_name = "MOZ_DIAGNOSTIC_ASSERT"
+
+[export.body]
+"GkReceived" = """
+  GkReceived() : tag(Tag::None) {}
+  GkReceived(GkReceived&& other) : tag(other.tag) {
+    switch (tag) {
+      case Tag::ApplicationMessage:
+        new (&application_message) ApplicationMessage_Body(std::move(other.application_message));
+        break;
+      case Tag::GroupIdEpoch:
+        new (&group_id_epoch) GroupIdEpoch_Body(std::move(other.group_id_epoch));
+        break;
+      case Tag::CommitOutput:
+        new (&commit_output) CommitOutput_Body(std::move(other.commit_output));
+        break;
+      case Tag::None:
+        break;
+    }
+  }
+"""
+
+# Export `ThinVec` references as `nsTArray`.
+[export.rename]
+"ThinVec" = "nsTArray"

security/mls/mls_gk/src/storage.rs

@@ -0,0 +1,44 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+use nsstring::nsACString;
+use std::fs;
+use std::io;
+
+pub fn get_storage_path(storage_prefix: &nsACString) -> String {
+    format!("{storage_prefix}.sqlite.enc")
+}
+
+pub fn get_key_path(storage_prefix: &nsACString) -> String {
+    format!("{storage_prefix}.key")
+}
+
+fn read_existing_storage_key(key_path: &str) -> io::Result<[u8; 32]> {
+    let key_hex = fs::read_to_string(key_path)?;
+    let bytes = hex::decode(&key_hex).map_err(|e| io::Error::other(e))?;
+    bytes[..].try_into().map_err(|e| io::Error::other(e))
+}
+
+pub fn get_storage_key(storage_prefix: &nsACString) -> io::Result<[u8; 32]> {
+    // Get the key path
+    let key_path = get_key_path(storage_prefix);
+
+    // Try to read the existing key
+    if let Ok(key) = read_existing_storage_key(&key_path) {
+        return Ok(key);
+    }
+
+    // We failed to read the key, so it must either not exist, or is invalid.
+    // Generate a new one.
+    nss_gk_api::init();
+    let key: [u8; 32] = nss_gk_api::p11::random(32)[..]
+        .try_into()
+        .expect("nss returned the wrong number of bytes");
+
+    // Write the key to the file
+    std::fs::write(key_path, &hex::encode(&key))?;
+
+    // Return the key
+    Ok(key)
+}

security/mls/moz.build

@@ -0,0 +1,17 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+    BUG_COMPONENT = ("Core", "Security: MLS")
+
+if CONFIG["COMPILE_ENVIRONMENT"]:
+    CbindgenHeader("mls_gk_ffi_generated.h", inputs=["/security/mls/mls_gk"])
+
+    EXPORTS.mozilla.security.mls += [
+        "!mls_gk_ffi_generated.h",
+    ]
+
+FINAL_LIBRARY = "xul"

security/moz.build

@@ -7,6 +7,10 @@
 with Files("**"):
     BUG_COMPONENT = ("Core", "Security: PSM")
 
+DIRS += [
+    "/security/mls",
+]
+
 with Files("generate*.py"):
     BUG_COMPONENT = ("Firefox Build System", "General")
 

supply-chain/audits.toml

@@ -1679,6 +1679,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
 delta = "2.3.2 -> 2.3.3"
 
+[[audits.debug_tree]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.4.0"
+
 [[audits.debugid]]
 who = "Gabriele Svelto <gsvelto@mozilla.com>"
 criteria = "safe-to-deploy"
@@ -3031,6 +3036,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
 delta = "0.1.9 -> 0.1.10"
 
+[[audits.maybe-async]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.10"
+
 [[audits.md-5]]
 who = "Dana Keeler <dkeeler@mozilla.com>"
 criteria = "safe-to-deploy"
@@ -3218,6 +3228,95 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
 delta = "0.8.8 -> 1.0.1"
 
+[[audits.mls-rs]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.39.1"
+
+[[audits.mls-rs]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.39.1 -> 0.39.1@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-codec]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.5.3"
+
+[[audits.mls-rs-codec]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.3 -> 0.5.3@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-codec-derive]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+notes = "No unsafe code"
+
+[[audits.mls-rs-codec-derive]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.1.1@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-core]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.18.0"
+
+[[audits.mls-rs-core]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.18.0@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-crypto-hpke]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.mls-rs-crypto-hpke]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.0@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-crypto-traits]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.10.0"
+
+[[audits.mls-rs-crypto-traits]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.10.0@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-identity-x509]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.11.0"
+
+[[audits.mls-rs-identity-x509]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.11.0@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
+[[audits.mls-rs-provider-sqlite]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.11.0"
+
+[[audits.mls-rs-provider-sqlite]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.11.0@git:27c6bc41d3d7698d2b170625503513d446460bde"
+importable = false
+
 [[audits.moz_cbor]]
 who = "Bobby Holley <bobbyholley@gmail.com>"
 criteria = "safe-to-deploy"
@@ -3358,6 +3457,12 @@ criteria = "safe-to-deploy"
 version = "0.2.1"
 notes = "Maintained by the CryptoEng team at Mozilla."
 
+[[audits.nss-gk-api]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.3.0@git:9bec3c1a7509f3c594cb3394c9353bcb1a1dd853"
+importable = false
+
 [[audits.ntapi]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
@@ -5729,6 +5834,20 @@ who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
 criteria = "safe-to-deploy"
 version = "0.1.3"
 
+[[audits.zeroize]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.8.1"
+notes = """
+This code DOES contain unsafe code required to internally call volatiles
+for deleting data. This is expected and documented behavior.
+"""
+
+[[audits.zeroize_derive]]
+who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.4.2"
+
 [[audits.zerovec]]
 who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
 criteria = "safe-to-deploy"

supply-chain/config.toml

@@ -107,6 +107,38 @@ notes = "This is a first-party crate which is also published to crates.io. We ce
 audit-as-crates-io = true
 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
 
+[policy.mls-rs]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-codec]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-codec-derive]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-core]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-crypto-hpke]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-crypto-traits]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-identity-x509]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
+[policy.mls-rs-provider-sqlite]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
 [policy.mozbuild]
 audit-as-crates-io = false
 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
@@ -146,6 +178,10 @@ audit-as-crates-io = false
 audit-as-crates-io = true
 notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
 
+[policy.nss-gk-api]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, pending update of the crate."
+
 [policy.peek-poke]
 audit-as-crates-io = false
 

toolkit/components/telemetry/app/TelemetryEnvironment.sys.mjs

@@ -360,6 +360,7 @@ const DEFAULT_ENVIRONMENT_PREFS = new Map([
   ["security.pki.mitm_detected", { what: RECORD_PREF_VALUE }],
   ["security.mixed_content.block_active_content", { what: RECORD_PREF_VALUE }],
   ["security.mixed_content.block_display_content", { what: RECORD_PREF_VALUE }],
+  ["security.mls.enabled", { what: RECORD_PREF_VALUE }],
   ["security.tls.version.enable-deprecated", { what: RECORD_PREF_VALUE }],
   ["signon.management.page.breach-alerts.enabled", { what: RECORD_PREF_VALUE }],
   ["signon.autofillForms", { what: RECORD_PREF_VALUE }],

toolkit/crashreporter/client/app/Cargo.toml

@@ -23,7 +23,7 @@ once_cell = "1"
 phf = "0.11"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-sha2 = "0.10"
+sha2 = "^0.10.7"
 sys-locale = "0.3"
 time = { version = "0.3", features = ["formatting", "macros", "serde"] }
 unic-langid = { version = "0.9.1" }

toolkit/library/rust/shared/Cargo.toml

@@ -79,6 +79,7 @@ dap_ffi = { path = "../../../components/telemetry/dap/ffi" }
 data-encoding-ffi = { path = "../../../../dom/fs/parent/rust/data-encoding-ffi" }
 binary_http = { path = "../../../../netwerk/protocol/http/binary_http" }
 oblivious_http = { path = "../../../../netwerk/protocol/http/oblivious_http" }
+mls_gk = { path = "../../../../security/mls/mls_gk" }
 mime-guess-ffi = { path = "../../../../dom/fs/parent/rust/mime-guess-ffi" }
 
 # Note: `modern_sqlite` means rusqlite's bindings file be for a sqlite with

toolkit/library/rust/shared/lib.rs

@@ -117,6 +117,7 @@ extern crate dap_ffi;
 extern crate data_encoding_ffi;
 
 extern crate binary_http;
+extern crate mls_gk;
 extern crate oblivious_http;
 
 extern crate mime_guess_ffi;