Revert "Default SSL_set_enforce_rsa_key_usage to enabled."

This reverts commit 64393b57e8. We'll reland this change in January. Projects that rely on this revert should use SSL_set_enforce_rsa_key_usage, available since 2019, to control the security check without being reliant on the defaults. Bug: 519 Change-Id: Icf53eae8c29f316c7df4ec1a7c16626ac3af8560 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55005 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
2 years ago · 4b35543cf2
parent 3592aa3009
commit 4b35543cf2
4 changed files with 19 additions and 11 deletions
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@ -687,7 +687,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
      signed_cert_timestamps_enabled(false),
      ocsp_stapling_enabled(false),
      channel_id_enabled(false),
-      enforce_rsa_key_usage(true),
+      enforce_rsa_key_usage(false),
      retain_only_sha256_of_client_certs(false),
      handoff(false),
      shed_handshake_config(false),
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -15613,6 +15613,9 @@ func addRSAKeyUsageTests() {
 			},
 			shouldFail:    true,
 			expectedError: ":KEY_USAGE_BIT_INCORRECT:",
+			flags: []string{
+				"-enforce-rsa-key-usage",
+			},
 		})

 		testCases = append(testCases, testCase{
@ -15624,6 +15627,9 @@ func addRSAKeyUsageTests() {
 				Certificates: []Certificate{dsCert},
 				CipherSuites: dsSuites,
 			},
+			flags: []string{
+				"-enforce-rsa-key-usage",
+			},
 		})

 		// TLS 1.3 removes the encipherment suites.
@ -15637,6 +15643,9 @@ func addRSAKeyUsageTests() {
 					Certificates: []Certificate{encCert},
 					CipherSuites: encSuites,
 				},
+				flags: []string{
+					"-enforce-rsa-key-usage",
+				},
 			})

 			testCases = append(testCases, testCase{
@ -15650,6 +15659,9 @@ func addRSAKeyUsageTests() {
 				},
 				shouldFail:    true,
 				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
+				flags: []string{
+					"-enforce-rsa-key-usage",
+				},
 			})

 			// In 1.2 and below, we should not enforce without the enforce-rsa-key-usage flag.
@ -15662,7 +15674,6 @@ func addRSAKeyUsageTests() {
 					Certificates: []Certificate{dsCert},
 					CipherSuites: encSuites,
 				},
-				flags: []string{"-no-enforce-rsa-key-usage"},
 			})

 			testCases = append(testCases, testCase{
@ -15674,22 +15685,20 @@ func addRSAKeyUsageTests() {
 					Certificates: []Certificate{encCert},
 					CipherSuites: dsSuites,
 				},
-				flags: []string{"-no-enforce-rsa-key-usage"},
 			})
 		}

 		if ver.version >= VersionTLS13 {
-			// In 1.3 and above, we enforce keyUsage even when disabled.
+			// In 1.3 and above, we enforce keyUsage even without the flag.
 			testCases = append(testCases, testCase{
 				testType: clientTest,
-				name:     "RSAKeyUsage-Client-WantSignature-GotEncipherment-AlwaysEnforced" + ver.name,
+				name:     "RSAKeyUsage-Client-WantSignature-GotEncipherment-Enforced" + ver.name,
 				config: Config{
 					MinVersion:   ver.version,
 					MaxVersion:   ver.version,
 					Certificates: []Certificate{encCert},
 					CipherSuites: dsSuites,
 				},
-				flags:         []string{"-no-enforce-rsa-key-usage"},
 				shouldFail:    true,
 				expectedError: ":KEY_USAGE_BIT_INCORRECT:",
 			})
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@ -364,8 +364,7 @@ std::vector<Flag> SortedFlags() {
      IntFlag("-install-one-cert-compression-alg",
              &TestConfig::install_one_cert_compression_alg),
      BoolFlag("-reverify-on-resume", &TestConfig::reverify_on_resume),
-      BoolFlag("-no-enforce-rsa-key-usage",
-               &TestConfig::no_enforce_rsa_key_usage),
+      BoolFlag("-enforce-rsa-key-usage", &TestConfig::enforce_rsa_key_usage),
      BoolFlag("-is-handshaker-supported",
               &TestConfig::is_handshaker_supported),
      BoolFlag("-handshaker-resume", &TestConfig::handshaker_resume),
@ -1743,8 +1742,8 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL(
  if (reverify_on_resume) {
    SSL_CTX_set_reverify_on_resume(ssl_ctx, 1);
  }
-  if (no_enforce_rsa_key_usage) {
-    SSL_set_enforce_rsa_key_usage(ssl.get(), 0);
+  if (enforce_rsa_key_usage) {
+    SSL_set_enforce_rsa_key_usage(ssl.get(), 1);
  }
  if (no_tls13) {
    SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_3);
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@ -177,7 +177,7 @@ struct TestConfig {
  bool install_cert_compression_algs = false;
  int install_one_cert_compression_alg = 0;
  bool reverify_on_resume = false;
-  bool no_enforce_rsa_key_usage = false;
+  bool enforce_rsa_key_usage = false;
  bool is_handshaker_supported = false;
  bool handshaker_resume = false;
  std::string handshaker_path;