Windows port and Firefox 3.6 addon fixes:
malloc -> PR_Malloc
In 3.6, session state is deleted by firefox when ChallengeReceived()
sets identityInvalid true, so allocate session state as necessary in
GenerateCredentials() instead of ChallengeReceived().
Also, use continuation state instead of session state until
authentication completes. If we don't do this, firefox
will sometimes restart the authentication in the middle of the
negotiation with a NULL username and password.
Use a smart pointer for session state to avoid leaking in error cases.