From 7e6bd9345915242e29477902d0a9ac9b4c2a7e86 Mon Sep 17 00:00:00 2001 From: Nick Banks Date: Tue, 3 Dec 2024 19:00:36 -0500 Subject: [PATCH] Pass Through Disable AIA Flag (#4674) --- docs/api/QUIC_CREDENTIAL_CONFIG.md | 4 ++++ src/cs/lib/msquic_generated.cs | 1 + src/inc/msquic.h | 1 + src/platform/certificates_capi.c | 3 +++ src/platform/tls_openssl.c | 6 ++++-- src/platform/tls_schannel.c | 4 ++++ src/platform/unittest/TlsTest.cpp | 1 + 7 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docs/api/QUIC_CREDENTIAL_CONFIG.md b/docs/api/QUIC_CREDENTIAL_CONFIG.md index b92dfceeba..0a8ed546fc 100644 --- a/docs/api/QUIC_CREDENTIAL_CONFIG.md +++ b/docs/api/QUIC_CREDENTIAL_CONFIG.md @@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o Enable CA certificate file provided in the `CaCertificateFile` member. +`QUIC_CREDENTIAL_FLAG_DISABLE_AIA` + +The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows. + #### `CertificateHash` Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type. diff --git a/src/cs/lib/msquic_generated.cs b/src/cs/lib/msquic_generated.cs index 59c766543d..41794c9796 100644 --- a/src/cs/lib/msquic_generated.cs +++ b/src/cs/lib/msquic_generated.cs @@ -99,6 +99,7 @@ internal enum QUIC_CREDENTIAL_FLAGS REVOCATION_CHECK_CACHE_ONLY = 0x00040000, INPROC_PEER_CERTIFICATE = 0x00080000, SET_CA_CERTIFICATE_FILE = 0x00100000, + DISABLE_AIA = 0x00200000, } [System.Flags] diff --git a/src/inc/msquic.h b/src/inc/msquic.h index 0f7649ee82..f68311e533 100644 --- a/src/inc/msquic.h +++ b/src/inc/msquic.h 
@@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS { QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY = 0x00040000, // Windows only currently QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE = 0x00080000, // Schannel only QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE = 0x00100000, // OpenSSL only currently + QUIC_CREDENTIAL_FLAG_DISABLE_AIA = 0x00200000, // Schannel only currently } QUIC_CREDENTIAL_FLAGS; DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS) diff --git a/src/platform/certificates_capi.c b/src/platform/certificates_capi.c index 9fb6fa0b43..8c9a21b151 100644 --- a/src/platform/certificates_capi.c +++ b/src/platform/certificates_capi.c @@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate( if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) { CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; } + if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) { + CertFlags |= CERT_CHAIN_DISABLE_AIA; + } Result = CxPlatCertValidateChain( diff --git a/src/platform/tls_openssl.c b/src/platform/tls_openssl.c index 429ba83cf4..38f34fadca 100644 --- a/src/platform/tls_openssl.c +++ b/src/platform/tls_openssl.c @@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate( CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK || CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE || CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL || - CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) { + CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY || + CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) { return QUIC_STATUS_INVALID_PARAMETER; } 
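Review bot: The new enum comment `// Schannel only currently` and the doc text added in QUIC_CREDENTIAL_CONFIG.md (`Only valid on Windows`) describe different scopes, and since the tls_openssl.c hunks in this same patch reject the flag with QUIC_STATUS_INVALID_PARAMETER the header comment is the accurate one. Suggest the doc line read `Only supported with the Schannel TLS provider; other providers reject it with QUIC_STATUS_INVALID_PARAMETER.` so callers on OpenSSL-on-Windows builds are not surprised. It would also help to say in the header comment what the flag does operationally, e.g. `// Schannel only currently; chain building will not retrieve missing intermediates via AIA URLs`, which is what CERT_CHAIN_DISABLE_AIA means in CAPI as far as this reviewer knows.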
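Review bot: `CertFlags |= CERT_CHAIN_DISABLE_AIA;` relies on the SDK's wincrypt.h definition here, while tls_schannel.c in this same patch hard-codes its own `#define CERT_CHAIN_DISABLE_AIA 0x00002000`, so the two validation paths would diverge silently if either value ever changed. A comment on the new line pointing at the duplicate, `/* value duplicated in tls_schannel.c; keep in sync */`, or a static assert where both definitions are visible, would guard against drift. With AIA disabled the chain presumably has to be completed from what the peer sends plus the local store, so validation may newly fail for peers that omit intermediates — worth a sentence in the function's header comment. CxPlatCertVerifyRawCertificate's body continues outside the hunk.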
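Review bot: The list of Schannel-only flags rejected at `return QUIC_STATUS_INVALID_PARAMETER;` is now duplicated verbatim in this hunk and in the second hunk at @@ -992 below, and every new flag must be added to both. Collecting them into one mask (e.g. a `QUIC_CREDENTIAL_FLAGS_SCHANNEL_ONLY`-style constant — name constructed) and testing `if (CredConfigFlags & <that mask>) { return QUIC_STATUS_INVALID_PARAMETER; }` at each site would keep the two in sync. The enclosing `if` and CxPlatTlsSecConfigCreate both begin outside the hunk, and the second site sits under a preprocessor conditional whose guard is not visible, so I cannot tell whether the two sites could simply be merged.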
@@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate( CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK || CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE || CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL || - CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) { + CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY || + CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) { return QUIC_STATUS_INVALID_PARAMETER; } #endif diff --git a/src/platform/tls_schannel.c b/src/platform/tls_schannel.c index b7b7735013..4afaa8083f 100644 --- a/src/platform/tls_schannel.c +++ b/src/platform/tls_schannel.c @@ -118,6 +118,7 @@ typedef struct _SecPkgCred_ClientCertPolicy #define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000 #define CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x40000000 #define CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY 0x80000000 +#define CERT_CHAIN_DISABLE_AIA 0x00002000 #define SECPKG_ATTR_REMOTE_CERTIFICATES 0x5F // returns SecPkgContext_Certificates @@ -754,6 +755,9 @@ CxPlatTlsSetClientCertPolicy( if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) { ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY; } + if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) { + ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA; + } SecStatus = SetCredentialsAttributesW( diff --git a/src/platform/unittest/TlsTest.cpp b/src/platform/unittest/TlsTest.cpp index 04af42af9b..19c77b829e 100644 --- a/src/platform/unittest/TlsTest.cpp +++ b/src/platform/unittest/TlsTest.cpp 
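Review bot: `#define CERT_CHAIN_DISABLE_AIA 0x00002000` is a hand-copied SDK constant with no note of its origin, and unlike the neighbours it is appended to it is out of value order. A source comment, `#define CERT_CHAIN_DISABLE_AIA 0x00002000 // wincrypt.h; same value used in certificates_capi.c`, makes the duplication reviewable and signals that the two must match. The value does agree with the public wincrypt.h definition.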
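Review bot: The flag is only translated into `ClientCertPolicy.dwCertFlags` inside CxPlatTlsSetClientCertPolicy, i.e. the client-certificate policy handed to SetCredentialsAttributesW; whether a client validating a server certificate through Schannel's own chain building also honours it is not visible in this patch, and if that path reaches certificates_capi.c's CxPlatCertVerifyRawCertificate only for some flag combinations, DISABLE_AIA may be a no-op there. Suggest a comment on the new block stating which validation paths honour the flag, e.g. `// Applies to the client-cert policy; server-cert validation picks this flag up in CxPlatCertVerifyRawCertificate (certificates_capi.c)`, once that is confirmed. CxPlatTlsSetClientCertPolicy's body continues outside the hunk.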
@@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel) QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE, QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY, + QUIC_CREDENTIAL_FLAG_DISABLE_AIA, #ifndef __APPLE__ QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN, #endif
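Review bot: The only coverage the patch adds for QUIC_CREDENTIAL_FLAG_DISABLE_AIA is its presence in the PlatformSpecificFlagsSchannel list, which (inferred from the test name) checks that the flag is accepted by Schannel and rejected by other providers; nothing exercises the effect itself, i.e. that a chain needing an AIA-retrieved intermediate fails with the flag set and succeeds without it. If the harness can present a chain with a missing intermediate, a targeted case would pin that behaviour; otherwise a comment on the added line, `// accept/reject only; effect on chain building is not exercised here`, would make the gap explicit. The surrounding array and the test body start outside the hunk.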