Update to NSS 3.15.5 and NSPR 4.10.3.

nss/lib/certhigh/certvfy.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nspr.h"
 #include "secerr.h"
 #include "secport.h"
 #include "seccomon.h"
 #include "secoid.h"
 #include "sslerr.h"
 #include "genname.h"
@@ skipping 1225 matching lines @@
             certUsage, t, wincx, log,
             &revoked);
 
         if (rv != SECSuccess) {
             /* EXIT_IF_NOT_LOGGING(log); XXX ???? */
             INVALID_USAGE();
         }
 
         /*
          * Check OCSP revocation status, but only if the cert we are checking
-         * is not a status reponder itself.  We only do this in the case
+         * is not a status responder itself. We only do this in the case
          * where we checked the cert chain (above); explicit trust "wins"
          * (avoids status checking, just as it avoids CRL checking) by
          * bypassing this code.
          */
 
         if (PR_FALSE == checkedOCSP) {
             checkedOCSP = PR_TRUE; /* only check OCSP once */
             statusConfig = CERT_GetStatusConfig(handle);
             if (requiredUsages != certificateUsageStatusResponder &&
                 statusConfig != NULL) {
@@ skipping 14 matching lines @@
     
 loser:
     return(valid);
 }
 
 SECStatus
 CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
                 PRBool checkSig, SECCertUsage certUsage, PRTime t,
                 void *wincx, CERTVerifyLog *log)
 {
+    return cert_VerifyCertWithFlags(handle, cert, checkSig, certUsage, t,
+                                    CERT_VERIFYCERT_USE_DEFAULTS, wincx, log);
+}
+
+SECStatus
+cert_VerifyCertWithFlags(CERTCertDBHandle *handle, CERTCertificate *cert,
+                         PRBool checkSig, SECCertUsage certUsage, PRTime t,
+                         PRUint32 flags, void *wincx, CERTVerifyLog *log)
+{
     SECStatus rv;
     unsigned int requiredKeyUsage;
     unsigned int requiredCertType;
-    unsigned int flags;
+    unsigned int failedFlags;
     unsigned int certType;
     PRBool       trusted;
     PRBool       allowOverride;
     SECCertTimeValidity validity;
     CERTStatusConfig *statusConfig;
    
 #ifdef notdef 
     /* check if this cert is in the Evil list */
     rv = CERT_CheckForEvilCert(cert);
     if ( rv != SECSuccess ) {
@@ skipping 48 matching lines @@
     }
     if ( CERT_CheckKeyUsage(cert, requiredKeyUsage) != SECSuccess ) {
         PORT_SetError(SEC_ERROR_INADEQUATE_KEY_USAGE);
         LOG_ERROR_OR_EXIT(log,cert,0,requiredKeyUsage);
     }
     if ( !( certType & requiredCertType ) ) {
         PORT_SetError(SEC_ERROR_INADEQUATE_CERT_TYPE);
         LOG_ERROR_OR_EXIT(log,cert,0,requiredCertType);
     }
 
-    rv = cert_CheckLeafTrust(cert,certUsage, &flags, &trusted);
+    rv = cert_CheckLeafTrust(cert, certUsage, &failedFlags, &trusted);
     if (rv  == SECFailure) {
         PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-        LOG_ERROR_OR_EXIT(log,cert,0,flags);
+        LOG_ERROR_OR_EXIT(log, cert, 0, failedFlags);
     } else if (trusted) {
         goto done;
     }
 
 
     rv = CERT_VerifyCertChain(handle, cert, checkSig, certUsage,
                               t, wincx, log);
     if (rv != SECSuccess) {
         EXIT_IF_NOT_LOGGING(log);
     }
 
     /*
-     * Check revocation status, but only if the cert we are checking
-     * is not a status reponder itself.  We only do this in the case
-     * where we checked the cert chain (above); explicit trust "wins"
-     * (avoids status checking, just as it avoids CRL checking, which
-     * is all done inside VerifyCertChain) by bypassing this code.
+     * Check revocation status, but only if the cert we are checking is not a
+     * status responder itself and the caller did not ask us to skip the check.
+     * We only do this in the case where we checked the cert chain (above);
+     * explicit trust "wins" (avoids status checking, just as it avoids CRL
+     * checking, which is all done inside VerifyCertChain) by bypassing this
+     * code.
      */
-    statusConfig = CERT_GetStatusConfig(handle);
-    if (certUsage != certUsageStatusResponder && statusConfig != NULL) {
-        if (statusConfig->statusChecker != NULL) {
+    if (!(flags & CERT_VERIFYCERT_SKIP_OCSP) &&
+        certUsage != certUsageStatusResponder) {
+        statusConfig = CERT_GetStatusConfig(handle);
+        if (statusConfig && statusConfig->statusChecker) {
             rv = (* statusConfig->statusChecker)(handle, cert,
                                                          t, wincx);
             if (rv != SECSuccess) {
                 LOG_ERROR_OR_EXIT(log,cert,0,0);
             }
         }
     }
 
 done:
     if (log && log->head) {
@@ skipping 478 matching lines @@
             return chain;
         }
 
         cert = CERT_FindCertIssuer(cert, time, usage);
     }
 
     /* return partial chain */
     PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
     return chain;
 }