Add SSL_was_key_usage_invalid.

This function reports when security-critical checks on the X.509 key
usage extension would have failed, but were skipped due to the temporary
exception in SSL_set_enforce_rsa_key_usage. This function is meant to
aid deployments as they work through enabling this.

Change-Id: Ice0359879c0a6cbe55bf0cb81a63685506883123
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55465
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 0a41ffe..b9b3f27 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1390,11 +1390,13 @@
     ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
                                        ? key_usage_encipherment
                                        : key_usage_digital_signature;
-    if (hs->config->enforce_rsa_key_usage ||
-        EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
-      if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+    if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
+      if (hs->config->enforce_rsa_key_usage ||
+          EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
         return ssl_hs_error;
       }
+      ERR_clear_error();
+      ssl->s3->was_key_usage_invalid = true;
     }
   }
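Review bot: The tolerated path at `ERR_clear_error(); ssl->s3->was_key_usage_invalid = true;` lets the handshake continue after a failed key usage check with no comment saying this is deliberate, so a later reader could mistake it for a missing `return ssl_hs_error`. I would add above those two lines `// Key usage mismatch is tolerated only for RSA peers while enforce_rsa_key_usage is off; record it for SSL_was_key_usage_invalid.` The flag is only ever set to true in this hunk, so it is worth confirming that it is reset wherever per-handshake state in `ssl->s3` is reinitialised (not visible here); otherwise a stale value could be reported after a later handshake on the same connection. `ERR_clear_error()` also discards the whole error queue rather than only the entry the failed check presumably pushed, which is acceptable only if nothing earlier in the handshake is expected to remain queued. The enclosing function starts and ends outside the hunk.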