Update NSS libSSL to NSS_3_15_BETA2.

net/third_party/nss/ssl/sslauth.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: sslauth.c,v 1.18 2012/04/25 14:50:12 gerv%gerv.net Exp $ */
+/* $Id$ */
 #include "cert.h"
 #include "secitem.h"
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "pk11func.h"
+#include "ocsp.h"
 
 /* NEED LOCKS IN HERE.  */
 CERTCertificate *
 SSL_PeerCertificate(PRFileDesc *fd)
 {
     sslSocket *ss;
 
     ss = ssl_FindSocket(fd);
     if (!ss) {
         SSL_DBG(("%d: SSL[%d]: bad socket in PeerCertificate",
@@ skipping 261 matching lines @@
  * has not registered an authCert callback function.
  */
 SECStatus
 SSL_AuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
 {
     SECStatus          rv;
     CERTCertDBHandle * handle;
     sslSocket *        ss;
     SECCertUsage       certUsage;
     const char *             hostname    = NULL;
+    PRTime             now = PR_Now();
+    SECItemArray *certStatusArray;
+    unsigned int i;
     
     ss = ssl_FindSocket(fd);
     PORT_Assert(ss != NULL);
     if (!ss) {
         return SECFailure;
     }
 
     handle = (CERTCertDBHandle *)arg;
+    certStatusArray = &ss->sec.ci.sid->peerCertStatus;
+
+    for (i = 0; i < certStatusArray->len; ++i) {
+        CERT_CacheOCSPResponseFromSideChannel(handle, ss->sec.peerCert,
+                                        now, &certStatusArray->items[i], arg);

[wtc, 2013/04/29 17:44:36]

The last argument should be ss->pkcs11PinArg.

This for loop should only be executed for i=0 (leaf cert), which
corresponds to ss->sec.peerCert.

+    }
 
     /* this may seem backwards, but isn't. */
     certUsage = isServer ? certUsageSSLClient : certUsageSSLServer;
 
-    rv = CERT_VerifyCertNow(handle, ss->sec.peerCert, checkSig, certUsage,
-                            ss->pkcs11PinArg);
+    rv = CERT_VerifyCert(handle, ss->sec.peerCert, checkSig, certUsage,
+                         now, ss->pkcs11PinArg, NULL);
 
     if ( rv != SECSuccess || isServer )
         return rv;
   
     /* cert is OK.  This is the client side of an SSL connection.
      * Now check the name field in the cert against the desired hostname.
      * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
      */
     hostname = ss->url;
     if (hostname && hostname[0])
         rv = CERT_VerifyCertName(ss->sec.peerCert, hostname);
     else 
         rv = SECFailure;
     if (rv != SECSuccess)
         PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
 
     return rv;
 }