refactor: Use nss-rs instead of neqo-crypto

.codecov.yml

@@ -23,9 +23,6 @@ component_management:
     - component_id: "neqo-common"
       paths:
         - "neqo-common/"
-    - component_id: "neqo-crypto"
-      paths:
-        - "neqo-crypto/"
     - component_id: "neqo-http3"
       paths:
         - "neqo-http3/"

.deny.toml

@@ -33,7 +33,10 @@ version = "0.4"
 unknown-registry = "deny"
 unknown-git = "deny"
 required-git-spec = "rev"
-# TODO: Remove this once Gecko switches back to the official mio crate.
+
 allow-git = [
+    # TODO: Remove this once Gecko switches back to the official mio crate.
     "https://github.com/kinetiknz/mio",
+    # TODO: Revert this once nss-rs is on crates.io
+    "https://github.com/mozilla/nss-rs.git",
 ]

.dockerignore

@@ -5,6 +5,5 @@
 !**/*.rs
 !**/*.h
 !**/*.hpp
-!neqo-crypto/min_version.txt
 !qns
 !Cargo.lock

.github/actions/build-neqo/action.yml

@@ -17,6 +17,9 @@ inputs:
   baseline-ref:
     description: Git ref to build baseline binaries from
     default: "origin/main"
+  nss-minimum-version:
+    description: Minimum NSS version required by nss-rs
+    required: true
 
 runs:
   using: composite
@@ -36,7 +39,7 @@ runs:
     - name: Install NSS
       uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
       with:
-        version-file: neqo/neqo-crypto/min_version.txt
+        minimum-version: ${{ inputs.nss-minimum-version }}
         token: ${{ inputs.token }}
 
     - name: Build neqo

.github/actions/minimum-version/action.yml

@@ -0,0 +1,35 @@
+name: Minimum NSS version
+description: Get minimum NSS version compatible with nss-rs
+
+inputs:
+  directory:
+    description: "Directory in which neqo has been cloned"
+    required: false
+    default: "neqo"
+
+outputs:
+  minimum:
+    description: Minimum NSS version supported by nss-rs
+    value: ${{ steps.version.outputs.minimum }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get minimum NSS version
+      id: version
+      shell: bash
+      env:
+        NEQO: ${{ inputs.directory }}
+      run: |
+        cd "$NEQO"
+        pkg_dir=$(cargo metadata --format-version=1 -q \
+          | jq -r '.packages[]
+                   | select(.name=="nss-rs")
+                   | .manifest_path
+                   | gsub("\\\\"; "/")
+                   | sub("/[^/]+$"; "")')
+        if [ -z "$pkg_dir" ] || [ "$pkg_dir" = "null" ] || [ ! -f "$pkg_dir/min_version.txt" ]; then
+          echo "::error::Could not find nss package or min_version.txt"
+          exit 1
+        fi
+        echo "minimum=$(cat "$pkg_dir/min_version.txt")" >> "$GITHUB_OUTPUT"

.github/copilot-instructions.md

@@ -4,7 +4,7 @@
 Neqo is Mozilla's production QUIC, HTTP/3, and QPACK implementation used in Firefox. Written in Rust with NSS as the TLS backend. The server functionality is experimental and not production-ready.
 
 **Repository Structure**: Cargo workspace with 9 member crates plus support directories.
-- **Core crates**: `neqo-common` (shared utilities), `neqo-crypto` (TLS/NSS bindings), `neqo-transport` (QUIC protocol), `neqo-http3` (HTTP/3), `neqo-qpack` (QPACK compression), `neqo-udp` (UDP socket handling)
+- **Core crates**: `neqo-common` (shared utilities), `neqo-transport` (QUIC protocol), `neqo-http3` (HTTP/3), `neqo-qpack` (QPACK compression), `neqo-udp` (UDP socket handling)
 - **Binary crate**: `neqo-bin` (CLI tools: `neqo-client`, `neqo-server`)
 - **Support crates**: `test-fixture` (test utilities), `fuzz` (fuzzing), `mtu` (MTU detection)
 - **Config files**: Root `.rustfmt.toml`, `.clippy.toml`, `.deny.toml`, `Cargo.toml` (workspace lints)
@@ -16,7 +16,7 @@ In addition to the instructions in this file, also follow the detailed instructi
 ## Building and Testing
 
 ### Prerequisites
-- NSS library version as specified in the `neqo-crypto/min_version.txt` file
+- NSS library version as specified in the `min_version.txt` file of the [`nss`](https://github.com/mozilla/nss-rs) crate
 - System NSS will be used if available and new enough; otherwise, build will fetch and compile NSS automatically
 
 ### Essential Commands (Always Use --locked)
@@ -90,9 +90,6 @@ Run these commands in order before submitting a PR. All must pass:
 neqo/
 ├── Cargo.toml          # Workspace manifest with shared dependencies and lints
 ├── neqo-common/        # Shared utilities: codecs, time, logging, qlog
-├── neqo-crypto/        # NSS bindings, TLS, AEAD, key derivation
-│   ├── bindings/       # NSS FFI bindings
-│   └── min_version.txt # Minimum NSS version
 ├── neqo-transport/     # QUIC protocol: connections, streams, recovery, congestion control
 ├── neqo-http3/         # HTTP/3 protocol: client/server, streams, settings
 ├── neqo-qpack/         # QPACK compression for HTTP/3 headers
@@ -112,7 +109,6 @@ neqo/
 - `.rustfmt.toml`: Format config (edition 2021, import grouping, comment formatting)
 - `.clippy.toml`: Clippy config (unwrap/dbg allowed in tests, disallows std::dbg macro, 32-byte pass-by-value limit)
 - `.deny.toml`: Cargo-deny config (license allowlist, advisory checks)
-- `neqo-crypto/min_version.txt`: NSS minimum version (checked by CI and build scripts)
 
 ## CI/CD Pipeline
 
@@ -160,7 +156,7 @@ cargo test --locked --features ci
 
 2. **Clippy warnings**: CI fails on any clippy warnings. Fix all warnings or add `#[expect(clippy::lint_name, reason = "justification")]`.
 
-3. **"error: could not compile `neqo-crypto`"**: NSS build failure. Check that you have required build tools (GYP, Ninja, Mercurial if building NSS from source).
+3. **"error: could not compile `nss`"**: NSS build failure. Check that you have required build tools (GYP, Ninja, Mercurial if building NSS from source).
 
 ## Trust These Instructions
 

.github/workflows/bench.yml

@@ -42,12 +42,15 @@ jobs:
           submodules: "recursive"
           persist-credentials: false
 
+      - id: nss-version
+        uses: ./neqo/.github/actions/minimum-version
       - uses: ./neqo/.github/actions/build-neqo
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           artifact-name: bench-build
           benches: "true"
           baseline-ref: origin/${{ env.BASE_REF }}
+          nss-minimum-version: ${{ steps.nss-version.outputs.minimum }}
 
   bench:
     name: cargo bench

.github/workflows/check.yml

@@ -86,9 +86,13 @@ jobs:
           tools: ${{ matrix.rust-toolchain == 'stable' && 'cargo-llvm-cov' || '' }} ${{ matrix.rust-toolchain == 'nightly' && startsWith(matrix.os, 'ubuntu') && !endsWith(matrix.os, 'arm') && 'cargo-careful ' || '' }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Check
@@ -189,7 +193,9 @@ jobs:
         with:
           persist-credentials: false
       - id: nss-version
-        run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT"
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: ./.github/actions/check-android
         with:
           target: ${{ matrix.target }}

.github/workflows/clippy.yml

@@ -50,9 +50,13 @@ jobs:
           tools: cargo-hack
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       # Use cargo-hack to run clippy on each crate individually with its

.github/workflows/codspeed.yml

@@ -56,9 +56,13 @@ jobs:
           tools: cargo-codspeed
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build bench

.github/workflows/firefox.yml

@@ -91,7 +91,7 @@ jobs:
 
           cargo metadata --manifest-path ../neqo/Cargo.toml --format-version 1 --no-deps | jq '[.packages[] | {name, version}]' > ../neqo-versions.json
 
-          NEQO_CRATES="mtu neqo-common neqo-crypto neqo-http3 neqo-qpack neqo-transport neqo-udp"
+          NEQO_CRATES="mtu neqo-common neqo-http3 neqo-qpack neqo-transport neqo-udp"
           {
             echo '[patch."https://github.com/mozilla/neqo"]'
             for crate in $NEQO_CRATES; do

.github/workflows/fuzz-bench.yml

@@ -37,9 +37,13 @@ jobs:
         # binstall provides prebuilt binaries that may target a different architecture.
         run: cargo install cargo-fuzz
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - if: ${{ matrix.check == 'fuzz' }}

.github/workflows/fuzz-corpus.yml

@@ -47,9 +47,13 @@ jobs:
         # binstall provides prebuilt binaries that may target a different architecture.
         run: cargo install cargo-fuzz
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - id: filter

.github/workflows/mutants-pr.yml

@@ -24,9 +24,13 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0

.github/workflows/mutants.yml

@@ -29,9 +29,13 @@ jobs:
         with:
           persist-credentials: false
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
@@ -64,9 +68,13 @@ jobs:
         with:
           persist-credentials: false
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: mozilla/actions/rust@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0

.github/workflows/perfcompare.yml

@@ -42,11 +42,14 @@ jobs:
           persist-credentials: false
           clean: false
 
+      - id: nss-version
+        uses: ./neqo/.github/actions/minimum-version
       - uses: ./neqo/.github/actions/build-neqo
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           artifact-name: build-neqo
           baseline-ref: origin/${{ env.BASE_REF }}
+          nss-minimum-version: ${{ steps.nss-version.outputs.minimum }}
 
   build-msquic:
     name: Build msquic

.github/workflows/profile.yml

@@ -58,9 +58,13 @@ jobs:
           tools: samply
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build benchmark
@@ -126,9 +130,13 @@ jobs:
           tools: samply
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build neqo

.github/workflows/sanitize.yml

@@ -45,9 +45,13 @@ jobs:
           tools: cargo-hack
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - id: nss-version
+        uses: ./.github/actions/minimum-version
+        with:
+          directory: .
       - uses: mozilla/actions/nss@25cb84d060946c0ad6d2c3f79da479b16d180d71 # v1.1.0
         with:
-          version-file: neqo-crypto/min_version.txt
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run tests with sanitizers