
Unified Diff: net/third_party/nss/patches/dheclientauth.patch

Issue 5611005: Workaround a bug in NSS when using DHE+client authentication. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Add the extra cast Created 10 years ago
Index: net/third_party/nss/patches/dheclientauth.patch
diff --git a/net/third_party/nss/patches/dheclientauth.patch b/net/third_party/nss/patches/dheclientauth.patch
new file mode 100644
index 0000000000000000000000000000000000000000..92d1d97ecfded77937aa1f49ed236e8758e6b3fd
--- /dev/null
+++ b/net/third_party/nss/patches/dheclientauth.patch
@@ -0,0 +1,98 @@
+Index: mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
+retrieving revision 1.142.2.4
+diff -u -p -u -8 -r1.142.2.4 ssl3con.c
+--- mozilla/security/nss/lib/ssl/ssl3con.c 1 Sep 2010 19:47:11 -0000 1.142.2.4
++++ mozilla/security/nss/lib/ssl/ssl3con.c 8 Dec 2010 06:55:49 -0000
+@@ -4832,24 +4832,18 @@ ssl3_SendCertificateVerify(sslSocket *ss
+ */
+ slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
+ sid->u.ssl3.clAuthSeries = PK11_GetSlotSeries(slot);
+ sid->u.ssl3.clAuthSlotID = PK11_GetSlotID(slot);
+ sid->u.ssl3.clAuthModuleID = PK11_GetModuleID(slot);
+ sid->u.ssl3.clAuthValid = PR_TRUE;
+ PK11_FreeSlot(slot);
+ }
+- /* If we're doing RSA key exchange, we're all done with the private key
+- * here. Diffie-Hellman key exchanges need the client's
+- * private key for the key exchange.
+- */
+- if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+- ss->ssl3.clientPrivateKey = NULL;
+- }
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
+ if (rv != SECSuccess) {
+ goto done; /* err code was set by ssl3_SignHashes */
+ }
+
+ rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, buf.len + 2);
+ if (rv != SECSuccess) {
+ goto done; /* error code set by AppendHandshake */
+ }
+@@ -4894,16 +4888,30 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+ goto alert_loser;
+ }
+ if (ss->ssl3.hs.ws != wait_server_hello) {
+ errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO;
+ desc = unexpected_message;
+ goto alert_loser;
+ }
+
++ /* clean up anything left from previous handshake. */
++ if (ss->ssl3.clientCertChain != NULL) {
++ CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
++ ss->ssl3.clientCertChain = NULL;
++ }
++ if (ss->ssl3.clientCertificate != NULL) {
++ CERT_DestroyCertificate(ss->ssl3.clientCertificate);
++ ss->ssl3.clientCertificate = NULL;
++ }
++ if (ss->ssl3.clientPrivateKey != NULL) {
++ SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++ ss->ssl3.clientPrivateKey = NULL;
++ }
++
+ temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
+ if (temp < 0) {
+ goto loser; /* alert has been sent */
+ }
+ version = (SSL3ProtocolVersion)temp;
+
+ /* this is appropriate since the negotiation is complete, and we only
+ ** know SSL 3.x.
+@@ -5449,29 +5457,19 @@ ssl3_HandleCertificateRequest(sslSocket
+
+ if (ss->ssl3.hs.ws != wait_cert_request &&
+ ss->ssl3.hs.ws != wait_server_key) {
+ desc = unexpected_message;
+ errCode = SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST;
+ goto alert_loser;
+ }
+
+- /* clean up anything left from previous handshake. */
+- if (ss->ssl3.clientCertChain != NULL) {
+- CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
+- ss->ssl3.clientCertChain = NULL;
+- }
+- if (ss->ssl3.clientCertificate != NULL) {
+- CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+- ss->ssl3.clientCertificate = NULL;
+- }
+- if (ss->ssl3.clientPrivateKey != NULL) {
+- SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+- ss->ssl3.clientPrivateKey = NULL;
+- }
++ PORT_Assert(ss->ssl3.clientCertChain == NULL);
++ PORT_Assert(ss->ssl3.clientCertificate == NULL);
++ PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
+
+ isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+ rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
+ if (rv != SECSuccess)
+ goto loser; /* malformed, alert has been sent */
+
+ arena = ca_list.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
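Review bot: The unconditional `SECKEY_DestroyPrivateKey` at the new lines in ssl3_SendCertificateVerify drops the comment that explained why the key was previously retained for Diffie-Hellman exchanges, so the next reader has no record of why the DH case is now treated like RSA. A short comment above the two new lines would preserve that rationale, e.g. `/* The private key is only needed for signing; release it for every key-exchange type (see dheclientauth.patch in README.chromium). */`. Separately, the three `PORT_Assert` calls that replace the cleanup in ssl3_HandleCertificateRequest only check in debug builds; if any path can populate clientCertChain, clientCertificate or clientPrivateKey between ssl3_HandleServerHello and this point, a release build would now leak those objects silently where the old code freed them, which is worth confirming against the callers. All three enclosing functions start and end outside the hunk.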