authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-12 14:07:37 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-17 10:29:26 +0000
commitec02ee4181c49b61fce1c8fb99292dbb8139cc90 (patch)
tree25cde714b2b71eb639d1cd53f5a22e9ba76e14ef /chromium/crypto
parentbb09965444b5bb20b096a291445170876225268d (diff)
BASELINE: Update Chromium to 59.0.3071.134
Change-Id: Id02ef6fb2204c5fd21668a1c3e6911c83b17585a Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/crypto')
-rw-r--r--chromium/crypto/BUILD.gn2
-rw-r--r--chromium/crypto/OWNERS2
-rw-r--r--chromium/crypto/ec_private_key.cc107
-rw-r--r--chromium/crypto/nss_util.cc4
-rw-r--r--chromium/crypto/openssl_util.cc2
-rw-r--r--chromium/crypto/signature_verifier.cc24
-rw-r--r--chromium/crypto/signature_verifier.h16
7 files changed, 60 insertions, 97 deletions
diff --git a/chromium/crypto/BUILD.gn b/chromium/crypto/BUILD.gn
index 6b45c9d6332..6299b594399 100644
--- a/chromium/crypto/BUILD.gn
+++ b/chromium/crypto/BUILD.gn
@@ -39,6 +39,7 @@ component("crypto") {
"mock_apple_keychain.h",
"mock_apple_keychain_ios.cc",
"mock_apple_keychain_mac.cc",
+ "nss_crypto_module_delegate.h",
"nss_key_util.cc",
"nss_key_util.h",
"nss_util.cc",
@@ -68,6 +69,7 @@ component("crypto") {
"signature_verifier.h",
"symmetric_key.cc",
"symmetric_key.h",
+ "wincrypt_shim.h",
]
# TODO(jschuh): crbug.com/167187 fix size_t to int truncations.
diff --git a/chromium/crypto/OWNERS b/chromium/crypto/OWNERS
index 42d0d3b58b3..019db92cacc 100644
--- a/chromium/crypto/OWNERS
+++ b/chromium/crypto/OWNERS
@@ -1,3 +1,5 @@
agl@chromium.org
davidben@chromium.org
rsleevi@chromium.org
+
+# COMPONENT: Internals>Network>SSL
diff --git a/chromium/crypto/ec_private_key.cc b/chromium/crypto/ec_private_key.cc
index 08fd75dec3c..75b86c0c057 100644
--- a/chromium/crypto/ec_private_key.cc
+++ b/chromium/crypto/ec_private_key.cc
@@ -11,52 +11,16 @@
#include "base/logging.h"
#include "crypto/openssl_util.h"
-#include "third_party/boringssl/src/include/openssl/bio.h"
#include "third_party/boringssl/src/include/openssl/bn.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/ec.h"
#include "third_party/boringssl/src/include/openssl/ec_key.h"
#include "third_party/boringssl/src/include/openssl/evp.h"
#include "third_party/boringssl/src/include/openssl/mem.h"
-#include "third_party/boringssl/src/include/openssl/pkcs12.h"
-#include "third_party/boringssl/src/include/openssl/x509.h"
+#include "third_party/boringssl/src/include/openssl/pkcs8.h"
namespace crypto {
-namespace {
-
-// Function pointer definition, for injecting the required key export function
-// into ExportKeyWithBio, below. |bio| is a temporary memory BIO object, and
-// |key| is a handle to the input key object. Return 1 on success, 0 otherwise.
-// NOTE: Used with OpenSSL functions, which do not comply with the Chromium
-// style guide, hence the unusual parameter placement / types.
-typedef int (*ExportBioFunction)(BIO* bio, const void* key);
-
-// Helper to export |key| into |output| via the specified ExportBioFunction.
-bool ExportKeyWithBio(const void* key,
- ExportBioFunction export_fn,
- std::vector<uint8_t>* output) {
- if (!key)
- return false;
-
- bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
- if (!bio)
- return false;
-
- if (!export_fn(bio.get(), key))
- return false;
-
- const uint8_t* data;
- size_t len;
- if (!BIO_mem_contents(bio.get(), &data, &len))
- return false;
-
- output->assign(data, data + len);
- return true;
-}
-
-} // namespace
-
ECPrivateKey::~ECPrivateKey() {}
// static
@@ -97,40 +61,32 @@ std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromPrivateKeyInfo(
std::unique_ptr<ECPrivateKey> ECPrivateKey::CreateFromEncryptedPrivateKeyInfo(
const std::vector<uint8_t>& encrypted_private_key_info,
const std::vector<uint8_t>& subject_public_key_info) {
- // NOTE: The |subject_public_key_info| can be ignored here, it is only
- // useful for the NSS implementation (which uses the public key's SHA1
- // as a lookup key when storing the private one in its store).
- if (encrypted_private_key_info.empty())
- return nullptr;
-
+ // TODO(davidben): The |subject_public_key_info| parameter is a remnant of
+ // the NSS implementation. Remove it.
OpenSSLErrStackTracer err_tracer(FROM_HERE);
- const uint8_t* data = &encrypted_private_key_info[0];
- const uint8_t* ptr = data;
- bssl::UniquePtr<X509_SIG> p8_encrypted(
- d2i_X509_SIG(nullptr, &ptr, encrypted_private_key_info.size()));
- if (!p8_encrypted || ptr != data + encrypted_private_key_info.size())
- return nullptr;
+ CBS cbs;
+ CBS_init(&cbs, encrypted_private_key_info.data(),
+ encrypted_private_key_info.size());
+ bssl::UniquePtr<EVP_PKEY> pkey(
+ PKCS8_parse_encrypted_private_key(&cbs, "", 0));
// Hack for reading keys generated by an older version of the OpenSSL code.
// Some implementations encode the empty password as "\0\0" (passwords are
// normally encoded in big-endian UCS-2 with a NUL terminator) and some
- // encode as the empty string. PKCS8_decrypt distinguishes the two by whether
- // the password is nullptr.
- bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> p8_decrypted(
- PKCS8_decrypt(p8_encrypted.get(), "", 0));
- if (!p8_decrypted)
- p8_decrypted.reset(PKCS8_decrypt(p8_encrypted.get(), nullptr, 0));
-
- if (!p8_decrypted)
- return nullptr;
+ // encode as the empty string. PKCS8_parse_encrypted_private_key
+ // distinguishes the two by whether the password is nullptr.
+ if (!pkey) {
+ CBS_init(&cbs, encrypted_private_key_info.data(),
+ encrypted_private_key_info.size());
+ pkey.reset(PKCS8_parse_encrypted_private_key(&cbs, nullptr, 0));
+ }
- // Create a new EVP_PKEY for it.
- std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
- result->key_.reset(EVP_PKCS82PKEY(p8_decrypted.get()));
- if (!result->key_ || EVP_PKEY_id(result->key_.get()) != EVP_PKEY_EC)
+ if (!pkey || CBS_len(&cbs) != 0 || EVP_PKEY_id(pkey.get()) != EVP_PKEY_EC)
return nullptr;
+ std::unique_ptr<ECPrivateKey> result(new ECPrivateKey());
+ result->key_ = std::move(pkey);
return result;
}
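Review bot: Nothing in CreateFromEncryptedPrivateKeyInfo reads `subject_public_key_info`, so the returned key is never checked against the public key the caller passed in. The new TODO calls the parameter a remnant but does not tell callers that it is ignored. Until it is removed, I would extend the comment with `// NOTE: |subject_public_key_info| is ignored; the decrypted key is not checked against it.` A caller that needs that binding has to compare against the ExportPublicKey() output itself.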
@@ -161,25 +117,26 @@ bool ECPrivateKey::ExportPrivateKey(std::vector<uint8_t>* output) const {
bool ECPrivateKey::ExportEncryptedPrivateKey(
std::vector<uint8_t>* output) const {
OpenSSLErrStackTracer err_tracer(FROM_HERE);
- // Convert into a PKCS#8 object.
- bssl::UniquePtr<PKCS8_PRIV_KEY_INFO> pkcs8(EVP_PKEY2PKCS8(key_.get()));
- if (!pkcs8)
- return false;
// Encrypt the object.
// NOTE: NSS uses SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC
// so use NID_pbe_WithSHA1And3_Key_TripleDES_CBC which should be the OpenSSL
// equivalent.
- bssl::UniquePtr<X509_SIG> encrypted(
- PKCS8_encrypt(NID_pbe_WithSHA1And3_Key_TripleDES_CBC, nullptr, nullptr, 0,
- nullptr, 0, 1, pkcs8.get()));
- if (!encrypted)
+ uint8_t* der;
+ size_t der_len;
+ bssl::ScopedCBB cbb;
+ if (!CBB_init(cbb.get(), 0) ||
+ !PKCS8_marshal_encrypted_private_key(
+ cbb.get(), NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
+ nullptr /* cipher */, nullptr /* no password */, 0 /* pass_len */,
+ nullptr /* salt */, 0 /* salt_len */, 1 /* iterations */,
+ key_.get()) ||
+ !CBB_finish(cbb.get(), &der, &der_len)) {
return false;
-
- // Write it into |*output|
- return ExportKeyWithBio(encrypted.get(),
- reinterpret_cast<ExportBioFunction>(i2d_PKCS8_bio),
- output);
+ }
+ output->assign(der, der + der_len);
+ OPENSSL_free(der);
+ return true;
}
bool ECPrivateKey::ExportPublicKey(std::vector<uint8_t>* output) const {
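Review bot: The blob ExportEncryptedPrivateKey returns is produced with `nullptr /* no password */` and `1 /* iterations */`, and the import path in this file decrypts with the empty password, so anyone holding the bytes can recover the key. The existing NOTE explains the NSS-compatible cipher choice but not this. I would add above the call: `// The password is empty and the iteration count is 1: this is an encoding, not confidentiality protection.` Separately, `der` is freed by hand after `output->assign`; holding it in `bssl::UniquePtr<uint8_t> scoped_der(der);` once `CBB_finish` succeeds would remove the manual `OPENSSL_free`.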
diff --git a/chromium/crypto/nss_util.cc b/chromium/crypto/nss_util.cc
index 35865679007..5ed2fa06740 100644
--- a/chromium/crypto/nss_util.cc
+++ b/chromium/crypto/nss_util.cc
@@ -172,7 +172,7 @@ void UseLocalCacheOfNSSDatabaseIfNFS(const base::FilePath& database_dir) {
// singleton.
class NSPRInitSingleton {
private:
- friend struct base::DefaultLazyInstanceTraits<NSPRInitSingleton>;
+ friend struct base::LazyInstanceTraitsBase<NSPRInitSingleton>;
NSPRInitSingleton() {
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
@@ -657,7 +657,7 @@ class NSSInitSingleton {
}
private:
- friend struct base::DefaultLazyInstanceTraits<NSSInitSingleton>;
+ friend struct base::LazyInstanceTraitsBase<NSSInitSingleton>;
NSSInitSingleton()
: tpm_token_enabled_for_nss_(false),
diff --git a/chromium/crypto/openssl_util.cc b/chromium/crypto/openssl_util.cc
index 0d044c76d4f..65be615a505 100644
--- a/chromium/crypto/openssl_util.cc
+++ b/chromium/crypto/openssl_util.cc
@@ -40,7 +40,7 @@ void EnsureOpenSSLInit() {
}
void ClearOpenSSLERRStack(const tracked_objects::Location& location) {
- if (logging::DEBUG_MODE && VLOG_IS_ON(1)) {
+ if (DCHECK_IS_ON() && VLOG_IS_ON(1)) {
uint32_t error_num = ERR_peek_error();
if (error_num == 0)
return;
diff --git a/chromium/crypto/signature_verifier.cc b/chromium/crypto/signature_verifier.cc
index 852f822fcc6..2a9f0879729 100644
--- a/chromium/crypto/signature_verifier.cc
+++ b/chromium/crypto/signature_verifier.cc
@@ -10,6 +10,7 @@
#include <vector>
#include "base/logging.h"
+#include "base/numerics/safe_conversions.h"
#include "crypto/openssl_util.h"
#include "third_party/boringssl/src/include/openssl/bytestring.h"
#include "third_party/boringssl/src/include/openssl/digest.h"
@@ -42,9 +43,9 @@ SignatureVerifier::~SignatureVerifier() {}
bool SignatureVerifier::VerifyInit(SignatureAlgorithm signature_algorithm,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len) {
+ size_t public_key_info_len) {
int pkey_type = EVP_PKEY_NONE;
const EVP_MD* digest = nullptr;
switch (signature_algorithm) {
@@ -70,11 +71,11 @@ bool SignatureVerifier::VerifyInit(SignatureAlgorithm signature_algorithm,
bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
HashAlgorithm mask_hash_alg,
- int salt_len,
+ size_t salt_len,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len) {
+ size_t public_key_info_len) {
OpenSSLErrStackTracer err_tracer(FROM_HERE);
const EVP_MD* const digest = ToOpenSSLDigest(hash_alg);
DCHECK(digest);
@@ -97,15 +98,16 @@ bool SignatureVerifier::VerifyInitRSAPSS(HashAlgorithm hash_alg,
return false;
}
return EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf_digest) &&
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, salt_len);
+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx,
+ base::checked_cast<int>(salt_len));
}
void SignatureVerifier::VerifyUpdate(const uint8_t* data_part,
- int data_part_len) {
+ size_t data_part_len) {
DCHECK(verify_context_);
OpenSSLErrStackTracer err_tracer(FROM_HERE);
- int rv = EVP_DigestVerifyUpdate(verify_context_->ctx.get(),
- data_part, data_part_len);
+ int rv = EVP_DigestVerifyUpdate(verify_context_->ctx.get(), data_part,
+ data_part_len);
DCHECK_EQ(rv, 1);
}
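Review bot: `base::checked_cast<int>(salt_len)` in VerifyInitRSAPSS terminates the process when `salt_len` does not fit in an int, whereas the other failures visible in this function return false. If the salt length can come from parsed signature parameters (not visible here), an out-of-range value becomes a crash instead of a rejected signature. I would check first with `if (!base::IsValueInRangeForNumericType<int>(salt_len)) return false;` and then pass `static_cast<int>(salt_len)`. The function starts above this hunk.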
@@ -122,9 +124,9 @@ bool SignatureVerifier::VerifyFinal() {
bool SignatureVerifier::CommonInit(int pkey_type,
const EVP_MD* digest,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len,
+ size_t public_key_info_len,
EVP_PKEY_CTX** pkey_ctx) {
if (verify_context_)
return false;
diff --git a/chromium/crypto/signature_verifier.h b/chromium/crypto/signature_verifier.h
index f1ea58062cf..e9d5fe7b2ba 100644
--- a/chromium/crypto/signature_verifier.h
+++ b/chromium/crypto/signature_verifier.h
@@ -54,9 +54,9 @@ class CRYPTO_EXPORT SignatureVerifier {
// subjectPublicKey BIT STRING }
bool VerifyInit(SignatureAlgorithm signature_algorithm,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len);
+ size_t public_key_info_len);
// Initiates a RSA-PSS signature verification operation. This should be
// followed by one or more VerifyUpdate calls and a VerifyFinal call.
@@ -76,14 +76,14 @@ class CRYPTO_EXPORT SignatureVerifier {
// subjectPublicKey BIT STRING }
bool VerifyInitRSAPSS(HashAlgorithm hash_alg,
HashAlgorithm mask_hash_alg,
- int salt_len,
+ size_t salt_len,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len);
+ size_t public_key_info_len);
// Feeds a piece of the data to the signature verifier.
- void VerifyUpdate(const uint8_t* data_part, int data_part_len);
+ void VerifyUpdate(const uint8_t* data_part, size_t data_part_len);
// Concludes a signature verification operation. Returns true if the
// signature is valid. Returns false if the signature is invalid or an
@@ -94,9 +94,9 @@ class CRYPTO_EXPORT SignatureVerifier {
bool CommonInit(int pkey_type,
const EVP_MD* digest,
const uint8_t* signature,
- int signature_len,
+ size_t signature_len,
const uint8_t* public_key_info,
- int public_key_info_len,
+ size_t public_key_info_len,
EVP_PKEY_CTX** pkey_ctx);
void Reset();