Do not perform online revocation checking when the user has explicitly disabled it, except for when…

net/base/cert_verify_proc_mac.cc

Index: net/base/cert_verify_proc_mac.cc
diff --git a/net/base/cert_verify_proc_mac.cc b/net/base/cert_verify_proc_mac.cc
index 49798b5afd00d28dedddb298d21e0bef15ab5bfc..2cbffef8a23fa554e3710fa23acb144bdde3703b 100644
--- a/net/base/cert_verify_proc_mac.cc
+++ b/net/base/cert_verify_proc_mac.cc
@@ -157,6 +157,7 @@ OSStatus CreateTrustPolicies(const std::string& hostname,
   // revocation preference.
   status = x509_util::CreateRevocationPolicies(
       (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED),
+      (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY),
       local_policies);
   if (status)
     return status;
@@ -380,6 +381,8 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert,
   tp_action_data.ActionFlags = CSSM_TP_ACTION_FETCH_CERT_FROM_NET |
                                CSSM_TP_ACTION_TRUST_SETTINGS;
 
+  // Note: For EV certificates, the Apple TP will handle setting these flags
+  // as part of EV evaluation.
   if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED) {
     // Require a positive result from an OCSP responder or a CRL (or both)
     // for every certificate in the chain. The Apple TP automatically
@@ -564,6 +567,8 @@ int CertVerifyProcMac::VerifyInternal(X509Certificate* cert,
           if (CFDictionaryContainsKey(ev_dict,
                                       kSecEVOrganizationName)) {
             verify_result->cert_status |= CERT_STATUS_IS_EV;
+            if (flags & X509Certificate::VERIFY_REV_CHECKING_ENABLED_EV_ONLY)
+              verify_result->cert_status |= CERT_STATUS_REV_CHECKING_ENABLED;
           }
         }
       }