Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/patches/clientauth.patch

-From 1ebf459243cea430614e1958ecab1ad10457ccc2 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Mon, 3 Oct 2011 12:44:48 -0400
-Subject: [PATCH] clientauth.patch
-
----
- mozilla/security/nss/lib/ssl/ssl.h      |   39 +++
- mozilla/security/nss/lib/ssl/ssl3con.c  |  163 ++++++++++---
- mozilla/security/nss/lib/ssl/ssl3ext.c  |    2 +-
- mozilla/security/nss/lib/ssl/sslauth.c  |   22 ++
- mozilla/security/nss/lib/ssl/sslimpl.h  |   45 ++++
- mozilla/security/nss/lib/ssl/sslplatf.c |  399 +++++++++++++++++++++++++++++++
- mozilla/security/nss/lib/ssl/sslsock.c  |   14 +
- 7 files changed, 647 insertions(+), 37 deletions(-)
- create mode 100644 mozilla/security/nss/lib/ssl/sslplatf.c
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index 7e748bd..03535f3 100644
---- a/mozilla/security/nss/lib/ssl/ssl.h
-+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -353,6 +353,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetClientAuthData)(void *arg,
+diff -upN a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 20:04:24.039351965 -0800
+@@ -421,6 +421,45 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
  SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd, 
                                                SSLGetClientAuthData f, void *a);
  
 +/*
 + * Prototype for SSL callback to get client auth data from the application,
 + * optionally using the underlying platform's cryptographic primitives.
 + * To use the platform cryptographic primitives, caNames and pRetCerts
 + * should be set.  To use NSS, pRetNSSCert and pRetNSSKey should be set.
 + * Returning SECFailure will cause the socket to send no client certificate.
 + *     arg - application passed argument
@@ skipping 25 matching lines @@
 + *     fd - the file descriptor for the connection in question
 + *     f - the application's callback that delivers the key and cert
 + *     a - application specific data
 + */
 +SSL_IMPORT SECStatus
 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *fd,
 +                                  SSLGetPlatformClientAuthData f, void *a);
  
  /*
  ** SNI extension processing callback function.
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index d372ee2..ad8f4cd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -2018,6 +2018,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID *sid) {
+diff -upN a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
+--- a/src/net/third_party/nss/ssl/ssl3con.c     2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl3con.c     2012-02-28 20:07:04.101579541 -0800
+@@ -2015,6 +2015,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
      PRBool isPresent = PR_TRUE;
  
      /* we only care if we are doing client auth */
 +    /* If NSS_PLATFORM_CLIENT_AUTH is defined and a platformClientKey is being
 +     * used, u.ssl3.clAuthValid will be false and this function will always
 +     * return PR_TRUE. */
      if (!sid || !sid->u.ssl3.clAuthValid) {
         return PR_TRUE;
      }
-@@ -4865,27 +4868,30 @@ ssl3_SendCertificateVerify(sslSocket *ss)
+@@ -4893,24 +4896,33 @@ ssl3_SendCertificateVerify(sslSocket *ss
      }
  
      isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
 -    rv = ssl3_SignHashes(&hashes, ss->ssl3.clientPrivateKey, &buf, isTLS);
 -    if (rv == SECSuccess) {
 -       PK11SlotInfo * slot;
 -       sslSessionID * sid   = ss->sec.ci.sid;
 +    if (ss->ssl3.platformClientKey) {
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +       rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
@@ skipping 10 matching lines @@
 -       /* Remember the info about the slot that did the signing.
 -       ** Later, when doing an SSL restart handshake, verify this.
 -       ** These calls are mere accessors, and can't fail.
 -       */
 -       slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
 -       sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
 -       sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
 -       sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
 -       sid->u.ssl3.clAuthValid      = PR_TRUE;
 -       PK11_FreeSlot(slot);
--    }
--    /* If we're doing RSA key exchange, we're all done with the private key
--     * here.  Diffie-Hellman key exchanges need the client's
--     * private key for the key exchange.
--     */
--    if (ss->ssl3.hs.kea_def->exchKeyType == kt_rsa) {
 +           /* Remember the info about the slot that did the signing.
 +           ** Later, when doing an SSL restart handshake, verify this.
 +           ** These calls are mere accessors, and can't fail.
 +           */
 +           slot = PK11_GetSlotFromPrivateKey(ss->ssl3.clientPrivateKey);
 +           sid->u.ssl3.clAuthSeries     = PK11_GetSlotSeries(slot);
 +           sid->u.ssl3.clAuthSlotID     = PK11_GetSlotID(slot);
 +           sid->u.ssl3.clAuthModuleID   = PK11_GetModuleID(slot);
 +           sid->u.ssl3.clAuthValid      = PR_TRUE;
 +           PK11_FreeSlot(slot);
 +       }
-        SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-        ss->ssl3.clientPrivateKey = NULL;
++       SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
++       ss->ssl3.clientPrivateKey = NULL;
      }
-@@ -4943,6 +4949,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-        goto alert_loser;
+-    SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+-    ss->ssl3.clientPrivateKey = NULL;
+     if (rv != SECSuccess) {
+        goto done;      /* err code was set by ssl3_SignHashes */
      }
- 
-+    /* clean up anything left from previous handshake. */
-+    if (ss->ssl3.clientCertChain != NULL) {
-+       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
-+       ss->ssl3.clientCertChain = NULL;
-+    }
-+    if (ss->ssl3.clientCertificate != NULL) {
-+       CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-+       ss->ssl3.clientCertificate = NULL;
-+    }
-+    if (ss->ssl3.clientPrivateKey != NULL) {
-+       SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-+       ss->ssl3.clientPrivateKey = NULL;
-+    }
+@@ -4978,6 +4990,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+        SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+        ss->ssl3.clientPrivateKey = NULL;
+     }
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    if (ss->ssl3.platformClientKey) {
 +       ssl_FreePlatformKey(ss->ssl3.platformClientKey);
 +       ss->ssl3.platformClientKey = (PlatformKey)NULL;
 +    }
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
-+
+ 
      temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
      if (temp < 0) {
-        goto loser;     /* alert has been sent */
-@@ -5485,6 +5511,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5522,6 +5540,10 @@ ssl3_HandleCertificateRequest(sslSocket 
      SSL3AlertDescription desc        = illegal_parameter;
      SECItem              cert_types  = {siBuffer, NULL, 0};
      CERTDistNames        ca_list;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    CERTCertList *       platform_cert_list = NULL;
 +    CERTCertListNode *   certNode = NULL;
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
  
      SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
                 SSL_GETPID(), ss->fd));
-@@ -5498,19 +5528,10 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-        goto alert_loser;
-     }
- 
--    /* clean up anything left from previous handshake. */
--    if (ss->ssl3.clientCertChain != NULL) {
--       CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
--       ss->ssl3.clientCertChain = NULL;
--    }
--    if (ss->ssl3.clientCertificate != NULL) {
--       CERT_DestroyCertificate(ss->ssl3.clientCertificate);
--       ss->ssl3.clientCertificate = NULL;
--    }
--    if (ss->ssl3.clientPrivateKey != NULL) {
--       SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
--       ss->ssl3.clientPrivateKey = NULL;
--    }
-+    PORT_Assert(ss->ssl3.clientCertChain == NULL);
-+    PORT_Assert(ss->ssl3.clientCertificate == NULL);
-+    PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
+@@ -5538,6 +5560,7 @@ ssl3_HandleCertificateRequest(sslSocket 
+     PORT_Assert(ss->ssl3.clientCertChain == NULL);
+     PORT_Assert(ss->ssl3.clientCertificate == NULL);
+     PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
 +    PORT_Assert(ss->ssl3.platformClientKey == (PlatformKey)NULL);
  
      isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
      rv = ssl3_ConsumeHandshakeVariable(ss, &cert_types, 1, &b, &length);
-@@ -5577,6 +5598,20 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5604,6 +5627,20 @@ ssl3_HandleCertificateRequest(sslSocket 
      desc = no_certificate;
      ss->ssl3.hs.ws = wait_hello_done;
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    if (ss->getPlatformClientAuthData == NULL) {
 +       rv = SECFailure; /* force it to send a no_certificate alert */
 +    } else {
 +       /* XXX Should pass cert_types in this call!! */
 +        rv = (SECStatus)(*ss->getPlatformClientAuthData)(
 +                                        ss->getPlatformClientAuthDataArg,
 +                                        ss->fd, &ca_list,
 +                                        &platform_cert_list,
 +                                        (void**)&ss->ssl3.platformClientKey,
 +                                        &ss->ssl3.clientCertificate,
 +                                        &ss->ssl3.clientPrivateKey);
 +    }
 +#else
      if (ss->getClientAuthData == NULL) {
         rv = SECFailure; /* force it to send a no_certificate alert */
      } else {
-@@ -5586,12 +5621,52 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -5613,12 +5650,52 @@ ssl3_HandleCertificateRequest(sslSocket 
                                                  &ss->ssl3.clientCertificate,
                                                  &ss->ssl3.clientPrivateKey);
      }
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
      switch (rv) {
      case SECWouldBlock:        /* getClientAuthData has put up a dialog box. */
-        ssl_SetAlwaysBlock(ss);
+        ssl3_SetAlwaysBlock(ss);
         break;  /* not an error */
  
      case SECSuccess:
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +        if (!platform_cert_list || CERT_LIST_EMPTY(platform_cert_list) ||
 +            !ss->ssl3.platformClientKey) {
 +            if (platform_cert_list) {
 +                CERT_DestroyCertList(platform_cert_list);
 +                platform_cert_list = NULL;
 +            }
@@ skipping 25 matching lines @@
 +                   ss->ssl3.platformClientKey = (PlatformKey)NULL;
 +               }
 +               goto send_no_certificate;
 +           }
 +           break;  /* not an error */
 +       }
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
          /* check what the callback function returned */
          if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
              /* we are missing either the key or cert */
-@@ -5654,6 +5729,10 @@ loser:
+@@ -5681,6 +5758,10 @@ loser:
  done:
      if (arena != NULL)
         PORT_FreeArena(arena, PR_FALSE);
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    if (platform_cert_list)
 +        CERT_DestroyCertList(platform_cert_list);
 +#endif
      return rv;
  }
  
-@@ -5785,9 +5864,17 @@ ssl3_HandleServerHelloDone(sslSocket *ss)
-        if (rv != SECSuccess) {
-            goto loser; /* error code is set. */
-        }
--    } else
--    if (ss->ssl3.clientCertChain  != NULL &&
--       ss->ssl3.clientPrivateKey != NULL) {
-+    } else if (ss->ssl3.clientCertChain != NULL &&
-+               ss->ssl3.platformClientKey) {
-+#ifdef NSS_PLATFORM_CLIENT_AUTH
-+        send_verify = PR_TRUE;
-+        rv = ssl3_SendCertificate(ss);
-+        if (rv != SECSuccess) {
-+            goto loser; /* error code is set. */
-+        }
-+#endif /* NSS_PLATFORM_CLIENT_AUTH */
-+    } else if (ss->ssl3.clientCertChain  != NULL &&
-+               ss->ssl3.clientPrivateKey != NULL) {
-        send_verify = PR_TRUE;
-        rv = ssl3_SendCertificate(ss);
-        if (rv != SECSuccess) {
-@@ -9856,6 +9943,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -5755,7 +5836,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
+ 
+     sendClientCert = !ss->ssl3.sendEmptyCert &&
+                     ss->ssl3.clientCertChain  != NULL &&
+-                    ss->ssl3.clientPrivateKey != NULL;
++                    (ss->ssl3.platformClientKey ||
++                    ss->ssl3.clientPrivateKey != NULL);
+ 
+     /* We must wait for the server's certificate to be authenticated before
+      * sending the client certificate in order to disclosing the client
+@@ -9725,6 +9807,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
  
      if (ss->ssl3.clientPrivateKey != NULL)
         SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    if (ss->ssl3.platformClientKey)
 +       ssl_FreePlatformKey(ss->ssl3.platformClientKey);
 +#endif /* NSS_PLATFORM_CLIENT_AUTH */
  
      if (ss->ssl3.peerCertArena != NULL)
         ssl3_CleanupPeerCerts(ss);
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
-index 887344b..e54b4fd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
+diff -upN a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
+--- a/src/net/third_party/nss/ssl/ssl3ext.c     2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/ssl3ext.c     2012-02-28 20:20:35.392842118 -0800
 @@ -46,8 +46,8 @@
  #include "nssrenam.h"
  #include "nss.h"
  #include "ssl.h"
 -#include "sslproto.h"
  #include "sslimpl.h"
 +#include "sslproto.h"
  #include "pk11pub.h"
  #include "blapi.h"
  #include "prinit.h"
-diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c
-index fcd15ca..8da5c66 100644
---- a/mozilla/security/nss/lib/ssl/sslauth.c
-+++ b/mozilla/security/nss/lib/ssl/sslauth.c
-@@ -292,6 +292,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
+diff -upN a/src/net/third_party/nss/ssl/sslauth.c b/src/net/third_party/nss/ssl/sslauth.c
+--- a/src/net/third_party/nss/ssl/sslauth.c     2012-02-28 18:34:23.263186340 -0800
++++ b/src/net/third_party/nss/ssl/sslauth.c     2012-02-28 20:04:24.039351965 -0800
+@@ -251,6 +251,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
      return SECSuccess;
  }
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +/* NEED LOCKS IN HERE.  */
 +SECStatus 
 +SSL_GetPlatformClientAuthDataHook(PRFileDesc *s,
 +                                  SSLGetPlatformClientAuthData func,
 +                                  void *arg)
 +{
 +    sslSocket *ss;
 +
 +    ss = ssl_FindSocket(s);
 +    if (!ss) {
 +       SSL_DBG(("%d: SSL[%d]: bad socket in GetPlatformClientAuthDataHook",
 +                SSL_GETPID(), s));
 +       return SECFailure;
 +    }
 +
 +    ss->getPlatformClientAuthData = func;
 +    ss->getPlatformClientAuthDataArg = arg;
 +    return SECSuccess;
 +}
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
 +
  /* NEED LOCKS IN HERE.  */
  SECStatus 
  SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index 70ff4c3..d73a0e3 100644
---- a/mozilla/security/nss/lib/ssl/sslimpl.h
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+diff -upN a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
+--- a/src/net/third_party/nss/ssl/sslimpl.h     2012-02-28 19:26:04.047351199 -0800
++++ b/src/net/third_party/nss/ssl/sslimpl.h     2012-02-28 20:04:24.039351965 -0800
 @@ -65,6 +65,15 @@
  
  #include "sslt.h" /* for some formerly private types, now public */
  
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +#if defined(XP_WIN32)
 +#include <windows.h>
 +#include <wincrypt.h>
 +#elif defined(XP_MACOSX)
 +#include <Security/Security.h>
 +#endif
 +#endif
 +
  /* to make some of these old enums public without namespace pollution,
  ** it was necessary to prepend ssl_ to the names.
  ** These #defines preserve compatibility with the old code here in libssl.
-@@ -464,6 +473,14 @@ typedef SECStatus (*SSLCompressor)(void *               context,
+@@ -462,6 +471,14 @@ typedef SECStatus (*SSLCompressor)(void 
                                     int                  inlen);
  typedef SECStatus (*SSLDestroy)(void *context, PRBool freeit);
  
 +#if defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_WIN32)
 +typedef PCERT_KEY_CONTEXT PlatformKey;
 +#elif defined(NSS_PLATFORM_CLIENT_AUTH) && defined(XP_MACOSX)
 +typedef SecKeyRef PlatformKey;
 +#else
 +typedef void *PlatformKey;
 +#endif
 +
  
  
  /*
 @@ -836,6 +853,10 @@ struct ssl3StateStr {
  
      CERTCertificate *    clientCertificate;  /* used by client */
      SECKEYPrivateKey *   clientPrivateKey;   /* used by client */
 +    /* platformClientKey is present even when NSS_PLATFORM_CLIENT_AUTH is not
 +     * defined in order to allow cleaner conditional code.
 +     * At most one of clientPrivateKey and platformClientKey may be set. */
 +    PlatformKey          platformClientKey;  /* used by client */
      CERTCertificateList *clientCertChain;    /* used by client */
      PRBool               sendEmptyCert;      /* used by client */
  
-@@ -1097,6 +1118,10 @@ const unsigned char *  preferredCipher;
+@@ -1082,6 +1103,10 @@ const unsigned char *  preferredCipher;
      void                     *authCertificateArg;
      SSLGetClientAuthData      getClientAuthData;
      void                     *getClientAuthDataArg;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    SSLGetPlatformClientAuthData getPlatformClientAuthData;
 +    void                        *getPlatformClientAuthDataArg;
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
      SSLSNISocketConfig        sniSocketConfig;
      void                     *sniSocketConfigArg;
      SSLBadCertHandler         handleBadCert;
-@@ -1663,6 +1688,26 @@ extern SECStatus ssl_InitSessionCacheLocks(PRBool lazyInit);
+@@ -1644,6 +1669,26 @@ extern SECStatus ssl_InitSessionCacheLoc
  
  extern SECStatus ssl_FreeSessionCacheLocks(void);
  
 +/***************** platform client auth ****************/
 +
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +// Releases the platform key.
 +extern void ssl_FreePlatformKey(PlatformKey key);
 +
 +// Implement the client CertificateVerify message for SSL3/TLS1.0
 +extern SECStatus ssl3_PlatformSignHashes(SSL3Hashes *hash,
 +                                         PlatformKey key, SECItem *buf,
 +                                         PRBool isTLS);
 +
 +// Converts a CERTCertList* (A collection of CERTCertificates) into a
 +// CERTCertificateList* (A collection of SECItems), or returns NULL if
 +// it cannot be converted.
 +// This is to allow the platform-supplied chain to be created with purely
 +// public API functions, using the preferred CERTCertList mutators, rather
 +// pushing this hack to clients.
 +extern CERTCertificateList* hack_NewCertificateListFromCertList(
 +        CERTCertList* list);
 +#endif  /* NSS_PLATFORM_CLIENT_AUTH */
  
  /********************** misc calls *********************/
  
-diff --git a/mozilla/security/nss/lib/ssl/sslplatf.c b/mozilla/security/nss/lib/ssl/sslplatf.c
-new file mode 100644
-index 0000000..208956f
---- /dev/null
-+++ b/mozilla/security/nss/lib/ssl/sslplatf.c
+diff -upN a/src/net/third_party/nss/ssl/sslplatf.c b/src/net/third_party/nss/ssl/sslplatf.c
+--- a/src/net/third_party/nss/ssl/sslplatf.c    1969-12-31 16:00:00.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslplatf.c    2012-02-28 20:04:24.039351965 -0800
 @@ -0,0 +1,399 @@
 +/*
 + * Platform specific crypto wrappers
 + *
 + * ***** BEGIN LICENSE BLOCK *****
 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 + *
 + * The contents of this file are subject to the Mozilla Public License Version
 + * 1.1 (the "License"); you may not use this file except in compliance with
 + * the License. You may obtain a copy of the License at
@@ skipping 380 matching lines @@
 +SECStatus
 +ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
 +                        PRBool isTLS)
 +{
 +    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
 +    return SECFailure;
 +}
 +#endif
 +
 +#endif /* NSS_PLATFORM_CLIENT_AUTH */
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index 7d12bfe..68fd3cb 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
+diff -upN a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
+--- a/src/net/third_party/nss/ssl/sslsock.c     2012-02-28 19:26:04.057351342 -0800
++++ b/src/net/third_party/nss/ssl/sslsock.c     2012-02-28 20:04:24.049352104 -0800
 @@ -339,6 +339,10 @@ ssl_DupSocket(sslSocket *os)
             ss->authCertificateArg    = os->authCertificateArg;
             ss->getClientAuthData     = os->getClientAuthData;
             ss->getClientAuthDataArg  = os->getClientAuthDataArg;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +           ss->getPlatformClientAuthData    = os->getPlatformClientAuthData;
 +           ss->getPlatformClientAuthDataArg = os->getPlatformClientAuthDataArg;
 +#endif
              ss->sniSocketConfig       = os->sniSocketConfig;
              ss->sniSocketConfigArg    = os->sniSocketConfigArg;
             ss->handleBadCert         = os->handleBadCert;
-@@ -1468,6 +1472,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
+@@ -1530,6 +1534,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
          ss->getClientAuthData     = sm->getClientAuthData;
      if (sm->getClientAuthDataArg)
          ss->getClientAuthDataArg  = sm->getClientAuthDataArg;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +    if (sm->getPlatformClientAuthData)
 +        ss->getPlatformClientAuthData    = sm->getPlatformClientAuthData;
 +    if (sm->getPlatformClientAuthDataArg)
 +        ss->getPlatformClientAuthDataArg = sm->getPlatformClientAuthDataArg;
 +#endif
      if (sm->sniSocketConfig)
          ss->sniSocketConfig       = sm->sniSocketConfig;
      if (sm->sniSocketConfigArg)
-@@ -2525,6 +2535,10 @@ ssl_NewSocket(PRBool makeLocks)
+@@ -2617,6 +2627,10 @@ ssl_NewSocket(PRBool makeLocks)
          ss->sniSocketConfig    = NULL;
          ss->sniSocketConfigArg = NULL;
         ss->getClientAuthData  = NULL;
 +#ifdef NSS_PLATFORM_CLIENT_AUTH
 +       ss->getPlatformClientAuthData = NULL;
 +       ss->getPlatformClientAuthDataArg = NULL;
 +#endif   /* NSS_PLATFORM_CLIENT_AUTH */
         ss->handleBadCert      = NULL;
         ss->badCertArg         = NULL;
         ss->pkcs11PinArg       = NULL;