Revert 209278 "Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2"

> Update dependency to NSS >= 3.14.3 and NSPR >= 4.9.2
> 
> Technically NSS 3.14.3 depends on NSPR 4.9.5, but Debian stable still
> ships 4.9.2 on stable, so this is the lower bound.
> 
> 3.14.3 contains a number of important security fixes, and support for
> older systems is no longer desirable.
> 
> BUG=245370
> R=thestig@chromium.org, wtc@chromium.org
> 
> Review URL: https://chromiumcodereview.appspot.com/18063013

TBR=rsleevi@chromium.org

Review URL: https://codereview.chromium.org/18181019

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@209282 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 156 insertions, 16 deletions

diff --git a/chrome/installer/linux/debian/build.sh b/chrome/installer/linux/debian/build.sh
index 48df8e9..d9d98a1 100755
--- a/chrome/installer/linux/debian/build.sh
+++ b/chrome/installer/linux/debian/build.sh
@@ -295,7 +295,7 @@ ADDITION_DEPS="ca-certificates, libcurl3, \
 # exists, but it was moved to "universe" repository, which isn't installed by
 # default).
 DPKG_SHLIB_DEPS=$(sed \
-    's/\(libnspr4-0d ([^)]*)\), /\1 | libnspr4 (>= 4.9.5-0ubuntu0), /g' \
+    's/\(libnspr4-0d ([^)]*)\), /\1 | libnspr4 (>= 4.8.7-0ubuntu1), /g' \
     <<< $DPKG_SHLIB_DEPS)
 
 # Fix-up libudev dependency because Ubuntu 13.04 has libudev1 instead of
diff --git a/chrome/installer/linux/debian/expected_deps b/chrome/installer/linux/debian/expected_deps
index 2668316..0e16912 100644
--- a/chrome/installer/linux/debian/expected_deps
+++ b/chrome/installer/linux/debian/expected_deps
@@ -14,8 +14,8 @@ libgcrypt11 (>= 1.4.5)
 libgdk-pixbuf2.0-0 (>= 2.22.0)
 libglib2.0-0 (>= 2.18.0)
 libgtk2.0-0 (>= 2.24.0)
-libnspr4 (>= 4.9.2)
-libnss3 (>= 3.14.3)
+libnspr4 (>= 1.8.0.10)
+libnss3 (>= 3.12.6)
 libpango1.0-0 (>= 1.22.0)
 libstdc++6 (>= 4.6)
 libudev0 (>= 147)
diff --git a/chrome/installer/linux/rpm/build.sh b/chrome/installer/linux/rpm/build.sh
index 7134e59..544a46a 100755
--- a/chrome/installer/linux/rpm/build.sh
+++ b/chrome/installer/linux/rpm/build.sh
@@ -124,7 +124,7 @@ do_package() {
   # https://bugzilla.novell.com/show_bug.cgi?id=556248
   DEPENDS="lsb >= 4.0, \
   libcurl.so.4${EMPTY_VERSION}${PKG_ARCH}, \
-  libnss3.so(NSS_3.14.3)${PKG_ARCH}, \
+  libnss3.so(NSS_3.12.3)${PKG_ARCH}, \
   wget, \
   xdg-utils, \
   zlib, \
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index f7c5fc4..bbbaa70 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -384,17 +384,23 @@ class NSSInitSingleton {
     base::TimeTicks start_time = base::TimeTicks::Now();
     EnsureNSPRInit();
 
-    // We *must* have NSS >= 3.14.3.
+    // We *must* have NSS >= 3.12.3.  See bug 26448.
     COMPILE_ASSERT(
-        (NSS_VMAJOR == 3 && NSS_VMINOR == 14 && NSS_VPATCH >= 3) ||
-        (NSS_VMAJOR == 3 && NSS_VMINOR > 14) ||
+        (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 3) ||
+        (NSS_VMAJOR == 3 && NSS_VMINOR > 12) ||
         (NSS_VMAJOR > 3),
         nss_version_check_failed);
     // Also check the run-time NSS version.
     // NSS_VersionCheck is a >= check, not strict equality.
-    if (!NSS_VersionCheck("3.14.3")) {
-      LOG(FATAL) << "NSS_VersionCheck(\"3.14.3\") failed. NSS >= 3.14.3 is "
-                    "required. Please upgrade to the latest NSS, and if you "
+    if (!NSS_VersionCheck("3.12.3")) {
+      // It turns out many people have misconfigured NSS setups, where
+      // their run-time NSPR doesn't match the one their NSS was compiled
+      // against.  So rather than aborting, complain loudly.
+      LOG(ERROR) << "NSS_VersionCheck(\"3.12.3\") failed.  "
+                    "We depend on NSS >= 3.12.3, and this error is not fatal "
+                    "only because many people have busted NSS setups (for "
+                    "example, using the wrong version of NSPR). "
+                    "Please upgrade to the latest NSS and NSPR, and if you "
                     "still get this error, contact your distribution "
                     "maintainer.";
     }
diff --git a/crypto/signature_creator_nss.cc b/crypto/signature_creator_nss.cc
index 82e4444..3a30efb 100644
--- a/crypto/signature_creator_nss.cc
+++ b/crypto/signature_creator_nss.cc
@@ -44,7 +44,11 @@ SignatureCreator* SignatureCreator::Create(RSAPrivateKey* key) {
 }
 
 bool SignatureCreator::Update(const uint8* data_part, int data_part_len) {
-  SECStatus rv = SGN_Update(sign_context_, data_part, data_part_len);
+  // TODO(wtc): Remove this const_cast when we require NSS 3.12.5.
+  // See NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=518255
+  SECStatus rv = SGN_Update(sign_context_,
+                            const_cast<unsigned char*>(data_part),
+                            data_part_len);
   if (rv != SECSuccess) {
     NOTREACHED();
     return false;
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index c3b3ae8..2a944e6 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -158,6 +158,10 @@ CertStatus MapCertErrorToCertStatus(int err) {
 void GetCertChainInfo(CERTCertList* cert_list,
                       CERTCertificate* root_cert,
                       CertVerifyResult* verify_result) {
+  // NOTE: Using a NSS library before 3.12.3.1 will crash below.  To see the
+  // NSS version currently in use:
+  // 1. use ldd on the chrome executable for NSS's location (ie. libnss3.so*)
+  // 2. use ident libnss3.so* for the library's version
   DCHECK(cert_list);
 
   CERTCertificate* verified_cert = NULL;
@@ -342,6 +346,31 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
   bool use_crl = check_revocation;
   bool use_ocsp = check_revocation;
 
+  // These CAs have multiple keys, which trigger two bugs in NSS's CRL code.
+  // 1. NSS may use one key to verify a CRL signed with another key,
+  //    incorrectly concluding that the CRL's signature is invalid.
+  //    Hopefully this bug will be fixed in NSS 3.12.9.
+  // 2. NSS considers all certificates issued by the CA as revoked when it
+  //    receives a CRL with an invalid signature.  This overly strict policy
+  //    has been relaxed in NSS 3.12.7.  See
+  //    https://bugzilla.mozilla.org/show_bug.cgi?id=562542.
+  // So we have to turn off CRL checking for these CAs.  See
+  // http://crbug.com/55695.
+  static const char* const kMultipleKeyCA[] = {
+    "CN=Microsoft Secure Server Authority,"
+    "DC=redmond,DC=corp,DC=microsoft,DC=com",
+    "CN=Microsoft Secure Server Authority",
+  };
+
+  if (!NSS_VersionCheck("3.12.7")) {
+    for (size_t i = 0; i < arraysize(kMultipleKeyCA); ++i) {
+      if (strcmp(cert_handle->issuerName, kMultipleKeyCA[i]) == 0) {
+        use_crl = false;
+        break;
+      }
+    }
+  }
+
   PRUint64 revocation_method_flags =
       CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD |
       CERT_REV_M_ALLOW_NETWORK_FETCHING |
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index d722c3f..371155c 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1262,6 +1262,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
     PRFileDesc* socket,
     PRBool checksig,
     PRBool is_server) {
+#ifdef SSL_ENABLE_FALSE_START
   Core* core = reinterpret_cast<Core*>(arg);
   if (!core->handshake_callback_called_) {
     // Only need to turn off False Start in the initial handshake. Also, it is
@@ -1278,6 +1279,7 @@ SECStatus SSLClientSocketNSS::Core::OwnAuthCertHandler(
       SSL_OptionSet(socket, SSL_ENABLE_FALSE_START, PR_FALSE);
     }
   }
+#endif
 
   // Tell NSS to not verify the certificate.
   return SECSuccess;
@@ -2471,8 +2473,8 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
          SSL_CONNECTION_COMPRESSION_MASK) <<
         SSL_CONNECTION_COMPRESSION_SHIFT;
 
-    // NSS 3.14.x doesn't have a version macro for TLS 1.2 (because NSS didn't
-    // support it yet), so use 0x0303 directly.
+    // NSS 3.12.x doesn't have version macros for TLS 1.1 and 1.2 (because NSS
+    // doesn't support them yet), so we use 0x0302 and 0x0303 directly.
     int version = SSL_CONNECTION_VERSION_UNKNOWN;
     if (channel_info.protocolVersion < SSL_LIBRARY_VERSION_3_0) {
       // All versions less than SSL_LIBRARY_VERSION_3_0 are treated as SSL
@@ -2482,7 +2484,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
       version = SSL_CONNECTION_VERSION_SSL3;
     } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_3_1_TLS) {
       version = SSL_CONNECTION_VERSION_TLS1;
-    } else if (channel_info.protocolVersion == SSL_LIBRARY_VERSION_TLS_1_1) {
+    } else if (channel_info.protocolVersion == 0x0302) {
       version = SSL_CONNECTION_VERSION_TLS1_1;
     } else if (channel_info.protocolVersion == 0x0303) {
       version = SSL_CONNECTION_VERSION_TLS1_2;
@@ -2492,6 +2494,10 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
         SSL_CONNECTION_VERSION_SHIFT;
   }
 
+  // SSL_HandshakeNegotiatedExtension was added in NSS 3.12.6.
+  // Since SSL_MAX_EXTENSIONS was added at the same time, we can test
+  // SSL_MAX_EXTENSIONS for the presence of SSL_HandshakeNegotiatedExtension.
+#if defined(SSL_MAX_EXTENSIONS)
   PRBool peer_supports_renego_ext;
   ok = SSL_HandshakeNegotiatedExtension(nss_fd_, ssl_renegotiation_info_xtn,
                                         &peer_supports_renego_ext);
@@ -2525,6 +2531,7 @@ void SSLClientSocketNSS::Core::UpdateConnectionStatus() {
                             peer_supports_renego_ext == PR_TRUE);
     }
   }
+#endif
 
   if (ssl_config_.version_fallback) {
     nss_handshake_state_.ssl_connection_status |=
@@ -3173,18 +3180,25 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
     SSL_CipherPrefSet(nss_fd_, *it, PR_FALSE);
   }
 
+#ifdef SSL_ENABLE_SESSION_TICKETS
   // Support RFC 5077
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
+#else
+  #error "You need to install NSS-3.12 or later to build chromium"
+#endif
 
+#ifdef SSL_ENABLE_FALSE_START
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
                      ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
+#endif
 
+#ifdef SSL_ENABLE_RENEGOTIATION
   // We allow servers to request renegotiation. Since we're a client,
   // prohibiting this is rather a waste of time. Only servers are in a
   // position to prevent renegotiation attacks.
@@ -3196,12 +3210,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
+#endif  // SSL_ENABLE_RENEGOTIATION
 
+#ifdef SSL_CBC_RANDOM_IV
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
+#endif
 
-// Added in NSS 3.15
 #ifdef SSL_ENABLE_OCSP_STAPLING
   if (IsOCSPStaplingSupported()) {
     rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
@@ -3212,7 +3228,6 @@ int SSLClientSocketNSS::InitializeSSLOptions() {
   }
 #endif
 
-// Chromium patch to libssl
 #ifdef SSL_ENABLE_CACHED_INFO
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_CACHED_INFO,
                      ssl_config_.cached_info_enabled);
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 4c7e137..197c2d6 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -75,6 +75,10 @@ Patches:
     patches/cbc.patch
     https://code.google.com/p/chromium/issues/detail?id=172658#c12
 
+  * Define AES_256_KEY_LENGTH if the system blapit.h header doesn't define it.
+    Remove this patch when all system NSS packages are NSS 3.12.10 or later.
+    patches/aes256keylength.patch
+
   * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
     versions older than 3.15 report an EC key size range of 112 bits to 571
     bits, even when it is compiled to support only the NIST P-256, P-384, and
diff --git a/net/third_party/nss/patches/aes256keylength.patch b/net/third_party/nss/patches/aes256keylength.patch
new file mode 100644
index 0000000..e77e16e
--- /dev/null
+++ b/net/third_party/nss/patches/aes256keylength.patch
@@ -0,0 +1,15 @@
+diff -pu a/nss/lib/ssl/sslsnce.c b/nss/lib/ssl/sslsnce.c
+--- a/nss/lib/ssl/sslsnce.c	2013-04-27 09:17:17.216390477 -0700
++++ b/nss/lib/ssl/sslsnce.c	2013-04-27 09:41:36.887048239 -0700
+@@ -87,6 +87,11 @@
+ #include "nspr.h"
+ #include "sslmutex.h"
+ 
++/* AES_256_KEY_LENGTH was added to blapit.h in NSS 3.12.10. */
++#ifndef AES_256_KEY_LENGTH
++#define AES_256_KEY_LENGTH      32  /* bytes */
++#endif
++
+ /*
+ ** Format of a cache entry in the shared memory.
+ */ 
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index aee9fb0..e8d9f5f 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -38,6 +38,8 @@ patch -p4 < $patches_dir/secretexporterlocks.patch
 
 patch -p4 < $patches_dir/cbc.patch
 
+patch -p4 < $patches_dir/aes256keylength.patch
+
 patch -p4 < $patches_dir/suitebonly.patch
 
 patch -p4 < $patches_dir/secitemarray.patch
diff --git a/net/third_party/nss/ssl.gyp b/net/third_party/nss/ssl.gyp
index c5d7ede..31567c2 100644
--- a/net/third_party/nss/ssl.gyp
+++ b/net/third_party/nss/ssl.gyp
@@ -68,6 +68,7 @@
         'ssl/win32err.c',
         'ssl/win32err.h',
         'ssl/bodge/secitem_array.c',
+        'ssl/bodge/secure_memcmp.c',
       ],
       'sources!': [
         'ssl/os2_err.c',
diff --git a/net/third_party/nss/ssl/bodge/secure_memcmp.c b/net/third_party/nss/ssl/bodge/secure_memcmp.c
new file mode 100644
index 0000000..b18579c
--- /dev/null
+++ b/net/third_party/nss/ssl/bodge/secure_memcmp.c
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+// This file exists to provide the secure memcmp function. This was added in
+// NSS 3.12.5.
+
+#include <stdlib.h>
+
+/*
+ * Perform a constant-time compare of two memory regions. The return value is
+ * 0 if the memory regions are equal and non-zero otherwise.
+ */
+int
+NSS_SecureMemcmp(const void *ia, const void *ib, size_t n)
+{
+    const unsigned char *a = (const unsigned char*) ia;
+    const unsigned char *b = (const unsigned char*) ib;
+    size_t i;
+    unsigned char r = 0;
+
+    for (i = 0; i < n; ++i) {
+        r |= *a++ ^ *b++;
+    }
+
+    return r;
+}
diff --git a/net/third_party/nss/ssl/sslsnce.c b/net/third_party/nss/ssl/sslsnce.c
index eb39b5d..6b30f7d 100644
--- a/net/third_party/nss/ssl/sslsnce.c
+++ b/net/third_party/nss/ssl/sslsnce.c
@@ -87,6 +87,11 @@
 #include "nspr.h"
 #include "sslmutex.h"
 
+/* AES_256_KEY_LENGTH was added to blapit.h in NSS 3.12.10. */
+#ifndef AES_256_KEY_LENGTH
+#define AES_256_KEY_LENGTH      32  /* bytes */
+#endif
+
 /*
 ** Format of a cache entry in the shared memory.
 */