From ceed310feca1d6aa892580c0f2b262fb2bef5b3d Mon Sep 17 00:00:00 2001 From: Nick Banks Date: Tue, 3 Dec 2024 11:17:18 -0500 Subject: [PATCH] Pass Through Disable AIA Flag --- docs/api/QUIC_CREDENTIAL_CONFIG.md | 4 ++++ src/inc/msquic.h | 1 + src/platform/certificates_capi.c | 3 +++ src/platform/tls_openssl.c | 6 ++++-- src/platform/tls_schannel.c | 6 ++++++ src/platform/unittest/TlsTest.cpp | 1 + 6 files changed, 19 insertions(+), 2 deletions(-) diff --git a/docs/api/QUIC_CREDENTIAL_CONFIG.md b/docs/api/QUIC_CREDENTIAL_CONFIG.md index b92dfceeba..0a8ed546fc 100644 --- a/docs/api/QUIC_CREDENTIAL_CONFIG.md +++ b/docs/api/QUIC_CREDENTIAL_CONFIG.md @@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o Enable CA certificate file provided in the `CaCertificateFile` member. +`QUIC_CREDENTIAL_FLAG_DISABLE_AIA` + +The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows. + #### `CertificateHash` Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type. diff --git a/src/inc/msquic.h b/src/inc/msquic.h index f360bbb84e..825bfb8a6a 100644 --- a/src/inc/msquic.h +++ b/src/inc/msquic.h @@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS { QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY = 0x00040000, // Windows only currently QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE = 0x00080000, // Schannel only QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE = 0x00100000, // OpenSSL only currently + QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently } QUIC_CREDENTIAL_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS) diff --git a/src/platform/certificates_capi.c b/src/platform/certificates_capi.c index 9fb6fa0b43..8c9a21b151 100644 --- a/src/platform/certificates_capi.c +++ b/src/platform/certificates_capi.c 
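Review bot: The trailing comment on the new enumerator, `QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently`, disagrees with the rest of the patch: the same flag is consumed in certificates_capi.c (CxPlatCertVerifyRawCertificate), and the API doc added in this commit says "Only valid on Windows". If the CAPI chain-validation path is reachable from a non-Schannel Windows build, the comment should read `// Windows only currently`, matching the REVOCATION_CHECK_CACHE_ONLY enumerator two lines above it; if the flag really is honored only under Schannel, the doc sentence should say so instead. Callers read the header comment first, so the two must agree on which builds reject the flag with QUIC_STATUS_INVALID_PARAMETER.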
@@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate( if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) { CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; } + if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) { + CertFlags |= CERT_CHAIN_DISABLE_AIA; + } Result = CxPlatCertValidateChain( diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index 429ba83cf4..38f34fadca 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate( CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK || CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE || CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL || - CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) { + CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY || + CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) { return QUIC_STATUS_INVALID_PARAMETER; } @@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate( CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK || CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE || CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL || - CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) { + CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY || + CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) { return QUIC_STATUS_INVALID_PARAMETER; } #endif diff --git a/src/platform/tls_schannel.c b/src/platform/tls_schannel.c index b7b7735013..72dced072c 100644 --- a/src/platform/tls_schannel.c +++ b/src/platform/tls_schannel.c 
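Review bot: The new `CERT_CHAIN_DISABLE_AIA` branch in CxPlatCertVerifyRawCertificate is the one place in this patch where the flag feeds a chain build MsQuic performs itself (the `CertFlags` handed to CxPlatCertValidateChain), and it deserves a why-comment making the fail-closed consequence explicit: `// Never fetch missing issuers over the network; an incomplete chain fails validation instead.` The hunk does not show how `CertFlags` is consumed inside CxPlatCertValidateChain, so whether the disable applies to every chain built on this path is inferred rather than confirmed. The function body continues outside the hunk.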
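Review bot: Both guards now carry the same growing `CredConfigFlags & X ||` chain, and this patch had to edit the list in two places; a single mask applied once, `if (... (CredConfigFlags & CXPLAT_SCHANNEL_ONLY_CRED_FLAGS))`, with the mask defined next to the first guard as the bitwise OR of the rejected flags, would make the next flag a one-line change and keep the two guards from drifting apart. The `#if` that the trailing `#endif` closes sits outside the hunk, so which build configuration rejects QUIC_CREDENTIAL_FLAG_DISABLE_AIA cannot be confirmed from this view; if it is the non-Windows build, that is consistent with certificates_capi.c accepting the flag on Windows, but then the msquic.h comment "Schannel only currently" should say Windows rather than Schannel. CxPlatTlsSecConfigCreate continues on both sides of these hunks.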
@@ -754,6 +754,9 @@ CxPlatTlsSetClientCertPolicy( if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) { ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; } + if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) { + ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA; + } SecStatus = SetCredentialsAttributesW( @@ -1110,6 +1113,9 @@ CxPlatTlsSecConfigCreate( if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) { Credentials->dwFlags |= SCH_CRED_REVOCATION_CHECK_CACHE_ONLY; } + if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) { + Credentials->dwFlags |= CERT_CHAIN_DISABLE_AIA; + } if (IsClient) { Credentials->dwFlags |= SCH_CRED_NO_DEFAULT_CREDS; Credentials->pTlsParameters->grbitDisabledProtocols = (DWORD)~SP_PROT_TLS1_3_CLIENT; diff --git a/src/platform/unittest/TlsTest.cpp b/src/platform/unittest/TlsTest.cpp index 04af42af9b..19c77b829e 100644 --- a/src/platform/unittest/TlsTest.cpp +++ b/src/platform/unittest/TlsTest.cpp @@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel) QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE, QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY, + QUIC_CREDENTIAL_FLAG_DISABLE_AIA, #ifndef __APPLE__ QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN, #endif
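Review bot: In the second hunk, `Credentials->dwFlags |= CERT_CHAIN_DISABLE_AIA;` ORs a CertGetCertificateChain flag into the SCH_CREDENTIALS flag word, whereas the sibling line directly above uses the credential-level constant (`SCH_CRED_REVOCATION_CHECK_CACHE_ONLY`) and the first hunk correctly places `CERT_CHAIN_DISABLE_AIA` in a chain-policy field (`ClientCertPolicy.dwCertFlags`). SCH_CRED_* and CERT_CHAIN_* are separate bit namespaces, so unless Schannel documents this constant as accepted on SCH_CREDENTIALS it is presumably either ignored or, worse, aliases an unrelated SCH_CRED_* bit and silently alters validation policy; I believe the value collides with SCH_CRED_RESTRICTED_ROOTS, but that needs confirming against schannel.h. If Schannel offers no credential-level AIA switch, drop this line and rely on the chain-policy and CxPlatCertVerifyRawCertificate paths, adding above the client-cert policy block a comment such as `// No SCH_CRED_* equivalent exists; AIA is disabled only where MsQuic builds the chain itself.`, otherwise substitute the correct SCH_CRED_* constant. CxPlatTlsSecConfigCreate continues outside the hunk.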