Ensure the patched NSS libssl used on Win and Mac behaves the same as upstream when handling client…

net/third_party/nss/patches/clientauth.patch

 diff -puN -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
 --- a/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:34:12.258133766 -0800
 +++ b/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:35:08.488958561 -0800
 @@ -2033,6 +2033,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
      PRBool isPresent = PR_TRUE;
  
      /* we only care if we are doing client auth */
 +    /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
 +     * used, u.ssl3.clAuthValid will be false and this function will always
 +     * return PR_TRUE. */
@@ skipping 75 matching lines @@
      SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
                 SSL_GETPID(), ss->fd));
 @@ -5917,6 +5939,7 @@ ssl3_HandleCertificateRequest(sslSocket 
      PORT_Assert(ss->ssl3.clientCertChain == NULL);
      PORT_Assert(ss->ssl3.clientCertificate == NULL);
      PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
 +    PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
  
      isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
      rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
-@@ -5983,6 +6006,20 @@ ssl3_HandleCertificateRequest(sslSocket 
+@@ -5983,6 +6006,18 @@ ssl3_HandleCertificateRequest(sslSocket 
      desc = no_certificate;
      ss->ssl3.hs.ws = wait_hello_done;
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
-+    if (ss->getPlatformClientAuthData == NULL) {
-+       rv = SECFailure; /* force it to send a no_certificate alert */
-+    } else {
++    if (ss->getPlatformClientAuthData != NULL) {
 +       /* XXX Should pass cert_types in this call!! */
 +        rv = (SECStatus)(*ss->getPlatformClientAuthData)(
 +                                        ss->getPlatformClientAuthDataArg,
 +                                        ss->fd, &ca_list,
 +                                        &platform_cert_list,
 +                                        (void**)&ss->ssl3.platformClientKey,
 +                                        &ss->ssl3.clientCertificate,
 +                                        &ss->ssl3.clientPrivateKey);
-+    }
-+#else
++    } else
++#endif
      if (ss->getClientAuthData == NULL) {
         rv = SECFailure; /* force it to send a no_certificate alert */
      } else {
 @@ -5992,12 +6029,52 @@ ssl3_HandleCertificateRequest(sslSocket 
                                                  &ss->ssl3.clientCertificate,
                                                  &ss->ssl3.clientPrivateKey);
      }
-+#endif   /* NSS_PLATFORM_CLIENT_AUTH */
++
      switch (rv) {
      case SECWouldBlock:        /* getClientAuthData has put up a dialog box. */
         ssl3_SetAlwaysBlock(ss);
         break;  /* not an error */
  
      case SECSuccess:
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +        if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
 +            !ss->ssl3.platformClientKey) {
 +            if (platform_cert_list) {
@@ skipping 108 matching lines @@
 +    return SECSuccess;
 +}
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
 +
  /* NEED LOCKS IN HERE.  */
  SECStatus 
  SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
 diff -puN -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
 --- a/net/third_party/nss/ssl/ssl.h     2012-11-09 15:34:12.258133766 -0800
 +++ b/net/third_party/nss/ssl/ssl.h     2012-11-09 15:35:08.488958561 -0800
-@@ -483,6 +483,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
+@@ -483,6 +483,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
  SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
                                                SSLGetClientAuthData f, void *a);
  
 +/*
 + * Prototype for SSL callback to get client auth data from the application,
 + * optionally using the underlying platform's cryptographic primitives.
 + * To use the platform cryptographic primitives, caNames and pRetCerts
 + * should be set.  To use NSS, pRetNSSCert and pRetNSSKey should be set.
 + * Returning SECFailure will cause the socket to send no client certificate.
 + *     arg - application passed argument
@@ skipping 15 matching lines @@
 +                                PRFileDesc *fd,
 +                                CERTDistNames *caNames,
 +                                CERTCertList **pRetCerts,/*return */
 +                                void **pRetKey,/* return */
 +                                CERTCertificate **pRetNSSCert,/*return */
 +                                SECKEYPrivateKey **pRetNSSKey);/* return */
 +
 +/*
 + * Set the client side callback for SSL to retrieve user's private key
 + * and certificate.
++ * Note: If a platform client auth callback is set, the callback configured by
++ * SSL_GetClientAuthDataHook, if any, will not be called.
++ *
 + *     fd - the file descriptor for the connection in question
 + *     f - the application's callback that delivers the key and cert
 + *     a - application specific data
 + */
 +SSL_IMPORT SECStatus
 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd,
 +                                  SSLGetPlatformClientAuthData f, void *a);
  
  /*
  ** SNI extension processing callback function.
@@ skipping 522 matching lines @@
          ss->sniSocketConfig    = NULL;
          ss->sniSocketConfigArg = NULL;
         ss->getClientAuthData  = NULL;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +       ss->getPlatformClientAuthData = NULL;
 +       ss->getPlatformClientAuthDataArg = NULL;
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
         ss->handleBadCert      = NULL;
         ss->badCertArg         = NULL;
         ss->pkcs11PinArg       = NULL;