From 18ab5dba010c60e666c9d0e13c08f6678145b9f9 Mon Sep 17 00:00:00 2001
From: Dana Keeler
Date: Thu, 31 Oct 2019 00:36:53 +0000
Subject: [PATCH] bug 1591691 - avoid network I/O when importing enterprise roots on Windows r=mhowell

Differential Revision: https://phabricator.services.mozilla.com/D51007

--HG--
extra : moz-landing-system : lando
---
 security/manager/ssl/EnterpriseRoots.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/security/manager/ssl/EnterpriseRoots.cpp b/security/manager/ssl/EnterpriseRoots.cpp
index a1d0a22cc6e4..fe164b2184d8 100644
--- a/security/manager/ssl/EnterpriseRoots.cpp
+++ b/security/manager/ssl/EnterpriseRoots.cpp
@@ -92,9 +92,18 @@ static void CertIsTrustAnchorForTLSServerAuth(PCCERT_CONTEXT certificate,
 memset(&chainPara, 0, sizeof(CERT_CHAIN_PARA));
 chainPara.cbSize = sizeof(CERT_CHAIN_PARA);
 chainPara.RequestedUsage = certUsage;
-
+ // Disable anything that could result in network I/O.
+ DWORD flags = CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY |
+ CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL |
+ CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE |
+// mingw's version of wincrypt.h doesn't define this flag (bug 1592792).
+# if defined(CERT_CHAIN_DISABLE_AIA)
+ CERT_CHAIN_DISABLE_AIA;
+# else
+ 0x00002000;
+# endif
 if (!CertGetCertificateChain(nullptr, certificate, nullptr, nullptr,
- &chainPara, 0, nullptr, &pChainContext)) {
+ &chainPara, flags, nullptr, &pChainContext)) {
 MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("CertGetCertificateChain failed"));
 return;
 }
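Review bot: The mingw fallback `0x00002000` in the `flags` initializer is an unchecked magic number: nothing verifies it against the SDK's own `CERT_CHAIN_DISABLE_AIA`, so if the two ever diverge the mingw and MSVC builds would silently request different chain-building behaviour for a flag whose whole purpose here is to keep chain building offline. Pinning the literal with a `static_assert` on the branch where the header defines the flag catches that at compile time, and hoisting the `#if` into a named constant keeps the `|` expression readable instead of interleaving it with preprocessor directives. `flags` is not modified before the `CertGetCertificateChain` call and can be `const`. CertIsTrustAnchorForTLSServerAuth begins before the hunk and continues after it.
```cpp
  chainPara.RequestedUsage = certUsage;
  // mingw's version of wincrypt.h doesn't define this flag (bug 1592792).
#  if defined(CERT_CHAIN_DISABLE_AIA)
  static_assert(CERT_CHAIN_DISABLE_AIA == 0x00002000,
                "CERT_CHAIN_DISABLE_AIA differs from the mingw fallback value");
  constexpr DWORD kDisableAIA = CERT_CHAIN_DISABLE_AIA;
#  else
  constexpr DWORD kDisableAIA = 0x00002000;
#  endif
  // Disable anything that could result in network I/O.
  const DWORD flags = CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY |
                      CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL |
                      CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE | kDisableAIA;
  // … unchanged: CertGetCertificateChain call and failure logging …
```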