NSS: reject DH groups smaller than 1024 bits.

Since some platforms are still using NSS for now, this change mirrors https://boringssl-review.googlesource.com/#/c/4813/ in NSS.

BUG=490240

Review URL: https://codereview.chromium.org/1143303002

Cr-Commit-Position: refs/heads/master@{#330791}

net/third_party/nss/README.chromium

@@ -107,6 +107,9 @@ Patches:
     patches/norenegotiatelock.patch
     https://bugzilla.mozilla.org/show_bug.cgi?id=1162521
 
+  * Increase the minimum DH group size to 1024
+    patches/dh1024.patch
+
 Apply the patches to NSS by running the patches/applypatches.sh script.  Read
 the comments at the top of patches/applypatches.sh for instructions.
 

net/third_party/nss/patches/applypatches.sh

@@ -50,3 +50,5 @@ patch -p2 < $patches_dir/reorderextensions.patch
 patch -p2 < $patches_dir/removebuildmetadata.patch
 
 patch -p2 < $patches_dir/norenegotiatelock.patch
+
+patch -p2 < $patches_dir/dh1024.patch

net/third_party/nss/patches/dh1024.patch

+diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
+index 89c98ea..861d434 100644
+--- a/ssl/ssl3con.c
++++ b/ssl/ssl3con.c
+@@ -6946,7 +6946,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     	if (rv != SECSuccess) {
+ 	    goto loser;		/* malformed. */
+ 	}
+-	if (dh_p.len < 512/8) {
++	if (dh_p.len < 1024/8 ||
++	    (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
+ 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
+ 	    goto alert_loser;
+ 	}

net/third_party/nss/ssl/ssl3con.c

@@ -6946,7 +6946,8 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
     	if (rv != SECSuccess) {
 	    goto loser;		/* malformed. */
 	}
-	if (dh_p.len < 512/8) {
+	if (dh_p.len < 1024/8 ||
+	    (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 	    goto alert_loser;
 	}