$OpenBSD$

index 09ed4b0..270e9a1 100644
--- security/certverifier/CertVerifier.h.orig	Fri Feb 20 15:40:38 2015
+++ security/certverifier/CertVerifier.h	Fri Feb 20 15:40:38 2015
@@ -12,6 +12,8 @@
 
 namespace mozilla { namespace psm {
 
+struct ChainValidationCallbackState;
+
 class CertVerifier
 {
 public:
@@ -24,11 +26,12 @@ public:
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
   // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate* cert,
-          /*optional*/ const SECItem* stapledOCSPResponse,
                        const SECCertificateUsage usage,
                        const PRTime time,
                        void* pinArg,
+                       const char* hostname,
                        const Flags flags = 0,
+       /*optional in*/ const SECItem* stapledOCSPResponse = nullptr,
       /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain = nullptr,
       /*optional out*/ SECOidTag* evOidPolicy = nullptr ,
       /*optional out*/ CERTVerifyLog* verifyLog = nullptr);
@@ -52,6 +55,13 @@ public:
     mozillapkix = 2
   };
 
+  enum pinning_enforcement_config {
+    pinningDisabled = 0,
+    pinningAllowUserCAMITM = 1,
+    pinningStrict = 2,
+    pinningEnforceTestMode = 3
+  };
+
   enum missing_cert_download_config { missing_cert_download_off = 0, missing_cert_download_on };
   enum crl_download_config { crl_local_only = 0, crl_download_allowed };
   enum ocsp_download_config { ocsp_off = 0, ocsp_on };
@@ -65,7 +75,8 @@ public:
                missing_cert_download_config ac, crl_download_config cdc,
 #endif
                ocsp_download_config odc, ocsp_strict_config osc,
-               ocsp_get_config ogc);
+               ocsp_get_config ogc,
+               pinning_enforcement_config pinningEnforcementLevel);
   ~CertVerifier();
 
   void ClearOCSPCache() { mOCSPCache.Clear(); }
@@ -78,6 +89,7 @@ public:
   const bool mOCSPDownloadEnabled;
   const bool mOCSPStrict;
   const bool mOCSPGETEnabled;
+  const pinning_enforcement_config mPinningEnforcementLevel;
 
 private:
   SECStatus MozillaPKIXVerifyCert(CERTCertificate* cert,
@@ -85,6 +97,7 @@ private:
       const PRTime time,
       void* pinArg,
       const Flags flags,
+      ChainValidationCallbackState* callbackState,
       /*optional*/ const SECItem* stapledOCSPResponse,
       /*optional out*/ mozilla::pkix::ScopedCERTCertList* validationChain,
       /*optional out*/ SECOidTag* evOidPolicy);