Update the NSS patches. Add snapstart2.patch and peercertchain.patch....

net/third_party/nss/patches/clientauth.patch

 Index: mozilla/security/nss/lib/ssl/ssl.h
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v
 retrieving revision 1.38
 diff -p -u -8 -r1.38 ssl.h
 --- mozilla/security/nss/lib/ssl/ssl.h  17 Feb 2010 02:29:07 -0000      1.38
-+++ mozilla/security/nss/lib/ssl/ssl.h  16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl.h  16 Feb 2011 23:30:37 -0000
 @@ -275,16 +275,49 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
   * and certificate.
   *     fd - the file descriptor for the connection in question
   *     f - the application's callback that delivers the key and cert
   *     a - application specific data
   */
  SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
                                                SSLGetClientAuthData f, void *a);
  
 +/*
@@ skipping 36 matching lines @@
  ** Upon this callback invocation, application is responsible to reconfigure the
  ** socket with the data for a particular server name.
  ** There are three potential outcomes of this function invocation:
  **    * application does not recognize the name or the type and wants the
 Index: mozilla/security/nss/lib/ssl/ssl3con.c
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
 retrieving revision 1.142
 diff -p -u -8 -r1.142 ssl3con.c
 --- mozilla/security/nss/lib/ssl/ssl3con.c      24 Jun 2010 19:53:20 -0000      1.142
-+++ mozilla/security/nss/lib/ssl/ssl3con.c      16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3con.c      16 Feb 2011 23:30:37 -0000
 @@ -2007,16 +2007,19 @@ ssl3_ComputeRecordMAC(
         rv = SECFailure;
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
      }
      return rv;
  }
  
  static PRBool
  ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
@@ skipping 12 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
      } 
      if (slot) {
         PK11_FreeSlot(slot);
      }
      return isPresent;
 +#endif /* NSS_PLATFORM_CLIENT_AUTH */
  }
  
- static SECStatus
+ SECStatus
  ssl3_CompressMACEncryptRecord(sslSocket *        ss,
                                SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen)
  {
 @@ -4812,40 +4816,41 @@ ssl3_SendCertificateVerify(sslSocket *ss
      ssl_GetSpecReadLock(ss);
      rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
      ssl_ReleaseSpecReadLock(ss);
      if (rv != SECSuccess) {
@@ skipping 310 matching lines @@
      if (ss->ssl3.clientCertChain != NULL) {
         CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
         ss->ssl3.clientCertChain = NULL;
      }
 Index: mozilla/security/nss/lib/ssl/ssl3ext.c
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3ext.c,v
 retrieving revision 1.14
 diff -p -u -8 -r1.14 ssl3ext.c
 --- mozilla/security/nss/lib/ssl/ssl3ext.c      3 Apr 2010 19:19:07 -0000       1.14
-+++ mozilla/security/nss/lib/ssl/ssl3ext.c      16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/ssl3ext.c      16 Feb 2011 23:30:37 -0000
 @@ -41,18 +41,18 @@
   * ***** END LICENSE BLOCK ***** */
  
  /* TLS extension code moved here from ssl3ecc.c */
  /* $Id: ssl3ext.c,v 1.14 2010/04/03 19:19:07 nelson%bolyard.com Exp $ */
  
  #include "nssrenam.h"
  #include "nss.h"
  #include "ssl.h"
 -#include "sslproto.h"
  #include "sslimpl.h"
 +#include "sslproto.h"
  #include "pk11pub.h"
  #include "blapi.h"
  #include "prinit.h"
  
  static unsigned char  key_name[SESS_TICKET_KEY_NAME_LEN];
  static PK11SymKey    *session_ticket_enc_key_pkcs11 = NULL;
  static PK11SymKey    *session_ticket_mac_key_pkcs11 = NULL;
  
 Index: mozilla/security/nss/lib/ssl/sslauth.c
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslauth.c,v
 retrieving revision 1.16
 diff -p -u -8 -r1.16 sslauth.c
 --- mozilla/security/nss/lib/ssl/sslauth.c      20 Apr 2006 00:20:45 -0000      1.16
-+++ mozilla/security/nss/lib/ssl/sslauth.c      16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslauth.c      16 Feb 2011 23:30:37 -0000
 @@ -204,16 +204,38 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
         return SECFailure;
      }
  
      ss->getClientAuthData = func;
      ss->getClientAuthDataArg = arg;
      return SECSuccess;
  }
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
@@ skipping 25 matching lines @@
      sslSocket *ss;
  
      ss = ssl_FindSocket(s);
      if (!ss) {
 Index: mozilla/security/nss/lib/ssl/sslimpl.h
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslimpl.h,v
 retrieving revision 1.77
 diff -p -u -8 -r1.77 sslimpl.h
 --- mozilla/security/nss/lib/ssl/sslimpl.h      10 Feb 2010 00:33:50 -0000      1.77
-+++ mozilla/security/nss/lib/ssl/sslimpl.h      16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslimpl.h      16 Feb 2011 23:30:37 -0000
 @@ -60,16 +60,25 @@
  #if defined(XP_UNIX) || defined(XP_BEOS)
  #include "unistd.h"
  #endif
  #include "nssrwlk.h"
  #include "prthread.h"
  
  #include "sslt.h" /* for some formerly private types, now public */
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +#if defined(XP_WIN32)
 +#include <windows.h>
 +#include <wincrypt.h>
 +#elif defined(XP_MACOSX)
 +#include <Security/Security.h>
 +#endif
 +#endif
 +
  /* to make some of these old enums public without namespace pollution,
  ** it was necessary to prepend ssl_ to the names.
  ** These #defines preserve compatibility with the old code here in libssl.
  */
  typedef SSLKEAType      SSL3KEAType;
  typedef SSLMACAlgorithm SSL3MACAlgorithm;
  typedef SSLSignType     SSL3SignType;
  
-@@ -782,16 +791,25 @@ const ssl3CipherSuiteDef *suite_def;
-        SSL3Hashes        sFinished[2];
-        SSL3Opaque        data[72];
-     }                     finishedMsgs;
- #ifdef NSS_ENABLE_ECC
-     PRUint32              negotiatedECCurves; /* bit mask */
- #endif /* NSS_ENABLE_ECC */
- } SSL3HandshakeState;
+@@ -450,16 +459,26 @@ typedef SECStatus (*SSLCipher)(void *   
+ typedef SECStatus (*SSLCompressor)(void *               context,
+                                    unsigned char *      out,
+                                    int *                outlen,
+                                    int                  maxout,
+                                    const unsigned char *in,
+                                    int                  inlen);
+ typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +#if defined(XP_WIN32)
 +typedef PCERT_KEY_CONTEXT PlatformKey;
 +#elif defined(XP_MACOSX)
 +typedef SecKeyRef PlatformKey;
 +#else
 +typedef void *PlatformKey;
 +#endif
 +#endif
++
  
  
  /*
- ** This is the "ssl3" struct, as in "ss->ssl3".
- ** note:
- ** usually,   crSpec == cwSpec and prSpec == pwSpec.  
- ** Sometimes, crSpec == pwSpec and prSpec == cwSpec.
- ** But there are never more than 2 actual specs.  
-@@ -805,16 +823,19 @@ struct ssl3StateStr {
+ ** ssl3State and CipherSpec structs
+ */
+ 
+ /* The SSL bulk cipher definition */
+ typedef enum {
+@@ -805,16 +824,19 @@ struct ssl3StateStr {
      */
      ssl3CipherSpec *     crSpec;       /* current read spec. */
      ssl3CipherSpec *     prSpec;       /* pending read spec. */
      ssl3CipherSpec *     cwSpec;       /* current write spec. */
      ssl3CipherSpec *     pwSpec;       /* pending write spec. */
  
      CERTCertificate *    clientCertificate;  /* used by client */
      SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    PlatformKey          platformClientKey;  /* used by client */
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
      CERTCertificateList *clientCertChain;    /* used by client */
      PRBool               sendEmptyCert;      /* used by client */
  
      int                  policy;
                         /* This says what cipher suites we can do, and should 
                          * be either SSL_ALLOWED or SSL_RESTRICTED 
                          */
      PRArenaPool *        peerCertArena;  
-@@ -1045,16 +1066,20 @@ const unsigned char *  preferredCipher;
+@@ -1045,16 +1067,20 @@ const unsigned char *  preferredCipher;
  
      ssl3KeyPair *         stepDownKeyPair;     /* RSA step down keys */
  
      /* Callbacks */
      SSLAuthCertificate        authCertificate;
      void                     *authCertificateArg;
      SSLGetClientAuthData      getClientAuthData;
      void                     *getClientAuthDataArg;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    SSLGetPlatformClientAuthData getPlatformClientAuthData;
 +    void                        *getPlatformClientAuthDataArg;
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
      SSLSNISocketConfig        sniSocketConfig;
      void                     *sniSocketConfigArg;
      SSLBadCertHandler         handleBadCert;
      void                     *badCertArg;
      SSLHandshakeCallback      handshakeCallback;
      void                     *handshakeCallbackData;
      void                     *pkcs11PinArg;
  
-@@ -1587,16 +1612,36 @@ extern SECStatus SSL3_ShutdownServerCach
+@@ -1587,16 +1613,36 @@ extern SECStatus SSL3_ShutdownServerCach
  extern SECStatus ssl_InitSymWrapKeysLock(void);
  
  extern SECStatus ssl_FreeSymWrapKeysLock(void);
  
  extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
  
  extern SECStatus ssl_FreeSessionCacheLocks(void);
  
 +/***************** platform client auth ****************/
 +
@@ skipping 22 matching lines @@
  
  extern PRUint32 ssl_Time(void);
  
  extern void SSL_AtomicIncrementLong(long * x);
 Index: mozilla/security/nss/lib/ssl/sslsock.c
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
 retrieving revision 1.67
 diff -p -u -8 -r1.67 sslsock.c
 --- mozilla/security/nss/lib/ssl/sslsock.c      25 Apr 2010 23:37:38 -0000      1.67
-+++ mozilla/security/nss/lib/ssl/sslsock.c      16 Feb 2011 02:40:21 -0000
++++ mozilla/security/nss/lib/ssl/sslsock.c      16 Feb 2011 23:30:37 -0000
 @@ -329,16 +329,20 @@ ssl_DupSocket(sslSocket *os)
  /*
   * XXX the preceding CERT_ and SECKEY_ functions can fail and return NULL.
   * XXX We should detect this, and not just march on with NULL pointers.
   */
             ss->authCertificate       = os->authCertificate;
             ss->authCertificateArg    = os->authCertificateArg;
             ss->getClientAuthData     = os->getClientAuthData;
             ss->getClientAuthDataArg  = os->getClientAuthDataArg;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
@@ skipping 45 matching lines @@
 +       ss->getPlatformClientAuthDataArg = NULL;
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
         ss->handleBadCert      = NULL;
         ss->badCertArg         = NULL;
         ss->pkcs11PinArg       = NULL;
  
         ssl_ChooseOps(ss);
         ssl2_InitSocketPolicy(ss);
         ssl3_InitSocketPolicy(ss);