Add SSL_was_key_usage_invalid.
This function reports when security-critical checks on the X.509 key
usage extension would have failed, but were skipped due to the temporary
exception in SSL_set_enforce_rsa_key_usage. This function is meant to
aid deployments as they work through enabling that enforcement.
Change-Id: Ice0359879c0a6cbe55bf0cb81a63685506883123
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55465
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/ssl/internal.h b/ssl/internal.h
index 4d9ab49..456fa7a 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2763,6 +2763,11 @@
// HelloRetryRequest message.
bool used_hello_retry_request : 1;
+ // was_key_usage_invalid is whether the handshake succeeded despite using a
+ // TLS mode which was incompatible with the leaf certificate's keyUsage
+ // extension.
+ bool was_key_usage_invalid : 1;
+
// hs_buf is the buffer of handshake data to process.
UniquePtr<BUF_MEM> hs_buf;