authordavidben <davidben@chromium.org>2015-10-02 10:06:11 -0700
committerCommit bot <commit-bot@chromium.org>2015-10-02 17:07:01 +0000
commitee55ed44da66cc54b3d5ab295485b7bbf3c0716a (patch)
tree0765e9d6061e89d0fc2da019f9f27834abc6db93 /crypto
parentd533be96e34f2ede2a231caaae74129a06a4dbc2 (diff)
Fold away now dead NSS code.
Anything not built on iOS can now assume USE_OPENSSL is set. Most notably, the libc urandom override is now gone. BUG=519504 Review URL: https://codereview.chromium.org/1364023003 Cr-Commit-Position: refs/heads/master@{#352061}
Diffstat (limited to 'crypto')
-rw-r--r--crypto/nss_util.cc104
-rw-r--r--crypto/nss_util.h54
2 files changed, 0 insertions, 158 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 4e8aab4..d13170c 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -670,14 +670,6 @@ class NSSInitSingleton {
}
#endif // defined(USE_NSS_CERTS)
-#if !defined(USE_OPENSSL)
- // This method is used to force NSS to be initialized without a DB.
- // Call this method before NSSInitSingleton() is constructed.
- static void ForceNoDBInit() {
- force_nodb_init_ = true;
- }
-#endif
-
private:
friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
@@ -712,12 +704,6 @@ class NSSInitSingleton {
SECStatus status = SECFailure;
bool nodb_init = false;
-#if !defined(USE_OPENSSL)
- // ForceNoDBInit was called.
- if (force_nodb_init_)
- nodb_init = true;
-#endif
-
#if !defined(USE_NSS_CERTS)
// Use the system certificate store, so initialize NSS without database.
nodb_init = true;
@@ -875,11 +861,6 @@ class NSSInitSingleton {
}
}
-#if !defined(USE_OPENSSL)
- // If this is set to true NSS is forced to be initialized without a DB.
- static bool force_nodb_init_;
-#endif
-
bool tpm_token_enabled_for_nss_;
bool initializing_tpm_token_;
typedef std::vector<base::Closure> TPMReadyCallbackList;
@@ -901,11 +882,6 @@ class NSSInitSingleton {
base::ThreadChecker thread_checker_;
};
-#if !defined(USE_OPENSSL)
-// static
-bool NSSInitSingleton::force_nodb_init_ = false;
-#endif
-
base::LazyInstance<NSSInitSingleton>::Leaky
g_nss_singleton = LAZY_INSTANCE_INITIALIZER;
} // namespace
@@ -939,19 +915,6 @@ void EnsureNSPRInit() {
g_nspr_singleton.Get();
}
-#if !defined(USE_OPENSSL)
-void InitNSSSafely() {
- // We might fork, but we haven't loaded any security modules.
- DisableNSSForkCheck();
- // If we're sandboxed, we shouldn't be able to open user security modules,
- // but it's more correct to tell NSS to not even try.
- // Loading user security modules would have security implications.
- ForceNSSNoDBInit();
- // Initialize NSS.
- EnsureNSSInit();
-}
-#endif // !defined(USE_OPENSSL)
-
void EnsureNSSInit() {
// Initializing SSL causes us to do blocking IO.
// Temporarily allow it until we fix
@@ -960,73 +923,6 @@ void EnsureNSSInit() {
g_nss_singleton.Get();
}
-#if !defined(USE_OPENSSL)
-
-void ForceNSSNoDBInit() {
- NSSInitSingleton::ForceNoDBInit();
-}
-
-void DisableNSSForkCheck() {
- scoped_ptr<base::Environment> env(base::Environment::Create());
- env->SetVar("NSS_STRICT_NOFORK", "DISABLED");
-}
-
-void LoadNSSLibraries() {
- // Some NSS libraries are linked dynamically so load them here.
-#if defined(USE_NSS_CERTS)
- // Try to search for multiple directories to load the libraries.
- std::vector<base::FilePath> paths;
-
- // Use relative path to Search PATH for the library files.
- paths.push_back(base::FilePath());
-
- // For Debian derivatives NSS libraries are located here.
- paths.push_back(base::FilePath("/usr/lib/nss"));
-
- // Ubuntu 11.10 (Oneiric) and Debian Wheezy place the libraries here.
-#if defined(ARCH_CPU_X86_64)
- paths.push_back(base::FilePath("/usr/lib/x86_64-linux-gnu/nss"));
-#elif defined(ARCH_CPU_X86)
- paths.push_back(base::FilePath("/usr/lib/i386-linux-gnu/nss"));
-#elif defined(ARCH_CPU_ARMEL)
-#if defined(__ARM_PCS_VFP)
- paths.push_back(base::FilePath("/usr/lib/arm-linux-gnueabihf/nss"));
-#else
- paths.push_back(base::FilePath("/usr/lib/arm-linux-gnueabi/nss"));
-#endif // defined(__ARM_PCS_VFP)
-#elif defined(ARCH_CPU_MIPSEL)
- paths.push_back(base::FilePath("/usr/lib/mipsel-linux-gnu/nss"));
-#endif // defined(ARCH_CPU_X86_64)
-
- // A list of library files to load.
- std::vector<std::string> libs;
- libs.push_back("libsoftokn3.so");
- libs.push_back("libfreebl3.so");
-
- // For each combination of library file and path, check for existence and
- // then load.
- size_t loaded = 0;
- for (size_t i = 0; i < libs.size(); ++i) {
- for (size_t j = 0; j < paths.size(); ++j) {
- base::FilePath path = paths[j].Append(libs[i]);
- base::NativeLibrary lib = base::LoadNativeLibrary(path, NULL);
- if (lib) {
- ++loaded;
- break;
- }
- }
- }
-
- if (loaded == libs.size()) {
- VLOG(3) << "NSS libraries loaded.";
- } else {
- LOG(ERROR) << "Failed to load NSS libraries.";
- }
-#endif // defined(USE_NSS_CERTS)
-}
-
-#endif // !defined(USE_OPENSSL)
-
bool CheckNSSVersion(const char* version) {
return !!NSS_VersionCheck(version);
}
diff --git a/crypto/nss_util.h b/crypto/nss_util.h
index 98b0f72..06c1e5d 100644
--- a/crypto/nss_util.h
+++ b/crypto/nss_util.h
@@ -33,65 +33,11 @@ CRYPTO_EXPORT void EarlySetupForNSSInit();
// thread-safe, and NSPR will only ever be initialized once.
CRYPTO_EXPORT void EnsureNSPRInit();
-#if !defined(USE_OPENSSL)
-// Initialize NSS safely for strict sandboxing. This function tells NSS to not
-// load user security modules, and makes sure NSS will have proper entropy in a
-// restricted, sandboxed environment.
-//
-// As a defense in depth measure, this function should be called in a sandboxed
-// environment. That way, in the event of a bug, NSS will still not be able to
-// load security modules that could expose private data and keys.
-//
-// Make sure to get an LGTM from the Chrome Security Team if you use this.
-CRYPTO_EXPORT void InitNSSSafely();
-#endif // !defined(USE_OPENSSL)
-
// Initialize NSS if it isn't already initialized. This must be called before
// any other NSS functions. This function is thread-safe, and NSS will only
// ever be initialized once.
CRYPTO_EXPORT void EnsureNSSInit();
-#if !defined(USE_OPENSSL)
-
-// Call this before calling EnsureNSSInit() will force NSS to initialize
-// without a persistent DB. This is used for the special case where access of
-// persistent DB is prohibited.
-//
-// TODO(hclam): Isolate loading default root certs.
-//
-// NSS will be initialized without loading any user security modules, including
-// the built-in root certificates module. User security modules need to be
-// loaded manually after NSS initialization.
-//
-// If EnsureNSSInit() is called before then this function has no effect.
-//
-// Calling this method only has effect on Linux.
-//
-// WARNING: Use this with caution.
-CRYPTO_EXPORT void ForceNSSNoDBInit();
-
-// This method is used to disable checks in NSS when used in a forked process.
-// NSS checks whether it is running a forked process to avoid problems when
-// using user security modules in a forked process. However if we are sure
-// there are no modules loaded before the process is forked then there is no
-// harm disabling the check.
-//
-// This method must be called before EnsureNSSInit() to take effect.
-//
-// WARNING: Use this with caution.
-CRYPTO_EXPORT void DisableNSSForkCheck();
-
-// Load NSS library files. This function has no effect on Mac and Windows.
-// This loads the necessary NSS library files so that NSS can be initialized
-// after loading additional library files is disallowed, for example when the
-// sandbox is active.
-//
-// Note that this does not load libnssckbi.so which contains the root
-// certificates.
-CRYPTO_EXPORT void LoadNSSLibraries();
-
-#endif // !USE_OPENSSL
-
// Check if the current NSS version is greater than or equals to |version|.
// A sample version string is "3.12.3".
bool CheckNSSVersion(const char* version);