Do not perform online revocation checking when the user has explicitly disabled it, except for when…

net/base/x509_util_mac.h

Index: net/base/x509_util_mac.h
diff --git a/net/base/x509_util_mac.h b/net/base/x509_util_mac.h
index 9b629cc45f38767f33ce5bf0938c740c26aa996f..9272bc774f7a391eccb68b3790bfa930280d2e40 100644
--- a/net/base/x509_util_mac.h
+++ b/net/base/x509_util_mac.h
@@ -41,12 +41,20 @@ OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
 OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
 
 // Creates security policies to control revocation checking (OCSP and CRL).
-// If |enable_revocation_checking| is false, the policies returned will be
-// explicitly disabled from accessing the network or the cache. This may be
-// used to override system settings regarding revocation checking.
+// If |enable_revocation_checking| is true, revocation checking will be
+// explicitly enabled.
+// If |enable_revocation_checking| is false, but |enable_ev_checking| is
+// true, then the system policies for EV checking (which include checking
+// for an online OCSP response) will be permitted. However, if the OS
+// does not believe the certificate is EV, no revocation checking will be
+// performed.
+// If both are false, then the policies returned will be explicitly
+// prohibited from accessing the network or the local cache, regardless of
+// system settings.
 // If the policies are successfully created, they will be appended to
 // |policies|.
 OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
+                                             bool enable_ev_checking,
                                              CFMutableArrayRef policies);
 
 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field