Add error when RPK is used with DANE stub

Author: embhorn

src/internal.c

@@ -16757,6 +16757,36 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     if (ssl->peerVerifyRet == 0) /* Return first cert error here */
                         ssl->peerVerifyRet = WOLFSSL_X509_V_OK;
                 #endif
+
+                #if defined(HAVE_RPK) && (defined(OPENSSL_EXTRA) || \
+                    defined(OPENSSL_EXTRA_X509_SMALL))
+                    /* A Raw Public Key cert (RFC 7250) has no issuer and no
+                     * signature, so ParseCertRelative performed no peer
+                     * authentication. Unless an out-of-band trust mechanism
+                     * (DANE, key pinning, etc.) has bound this key, report the
+                     * peer as unauthenticated through wolfSSL_get_verify_result()
+                     * rather than leaving it at WOLFSSL_X509_V_OK. The handshake
+                     * is intentionally not failed here: per RFC 7250 the
+                     * application is responsible for validating the key out of
+                     * band. Applies to both peers - client checking the
+                     * server's RPK and server checking the client's RPK.
+                     * WOLFSSL_VERIFY_NONE leaves the result untouched. */
+                    if (args->dCert->isRPK && !ssl->options.verifyNone) {
+                        int rpkTrusted = 0;
+                    #if defined(HAVE_DANE)
+                        if (ssl->options.useDANE) {
+                            /* DANE authentication should be added; set
+                             * rpkTrusted = 1 on a successful match. */
+                        }
+                    #endif /* HAVE_DANE */
+                        if (!rpkTrusted &&
+                                ssl->peerVerifyRet == WOLFSSL_X509_V_OK) {
+                            ssl->peerVerifyRet = (unsigned long)
+                                WOLFSSL_X509_V_ERR_RPK_UNTRUSTED;
+                        }
+                    }
+                #endif /* HAVE_RPK && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */
+
                 #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
                     /* if using alternate chain, store the cert used */
                     if (ssl->options.usingAltCertChain) {
@@ -16775,17 +16805,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     if (ssl->options.side == WOLFSSL_SERVER_END) {
                 #if defined(HAVE_RPK)
                         if (args->dCert->isRPK) {
-                            /* to verify Raw Public Key cert, DANE(RFC6698)
-                             * should be introduced. Without DANE, no
-                             * authentication is performed.
-                             */
-                        #if defined(HAVE_DANE)
-                            if (ssl->useDANE) {
-                                /* DANE authentication should be added */
-                            }
-                        #endif /* HAVE_DANE */
+                            /* RPK certs carry no X.509 version; the RPK trust
+                             * check above already handled this cert. */
                         }
-                        else /* skip followingx509 version check */
+                        else /* skip following x509 version check */
                 #endif  /* HAVE_RPK */
                         if (args->dCert->version != WOLFSSL_X509_V3) {
                             WOLFSSL_MSG("Peers certificate was not version 3!");
@@ -27474,6 +27497,9 @@ static const char* wolfSSL_ERR_reason_error_string_OpenSSL(unsigned long e)
     case WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH:
         return "IP address mismatch";
 
+    case WOLFSSL_X509_V_ERR_RPK_UNTRUSTED:
+        return "raw public key not trusted";
+
     default:
         return NULL;
     }

tests/api/test_tls13.c

@@ -2021,6 +2021,14 @@ int test_tls13_rpk_handshake(void)
                                                         WOLFSSL_SUCCESS);
     ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_UNKNOWN);
 
+    /* x509 handshake: peer cert was verified against a CA, so the verify
+     * result stays WOLFSSL_X509_V_OK. This is the contrast case for the
+     * RPK checks below. */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_c), WOLFSSL_X509_V_OK);
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_s), WOLFSSL_X509_V_OK);
+#endif
+
     (void)typeCnt_c;
     (void)typeCnt_s;
 
@@ -2089,6 +2097,19 @@ int test_tls13_rpk_handshake(void)
                                                         WOLFSSL_SUCCESS);
     ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
 
+    /* TLS1.3 RPK: an RPK cert (RFC 7250) has no issuer and no signature
+     * chain, so no peer authentication was performed. With WOLFSSL_VERIFY_PEER
+     * set and no out-of-band trust mechanism, wolfSSL_get_verify_result() must
+     * report the peer as unauthenticated rather than WOLFSSL_X509_V_OK. The
+     * handshake itself still completes - validating the key is the
+     * application's responsibility per RFC 7250. */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_c),
+                WOLFSSL_X509_V_ERR_RPK_UNTRUSTED);
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_s),
+                WOLFSSL_X509_V_ERR_RPK_UNTRUSTED);
+#endif
+
     wolfSSL_free(ssl_c);
     wolfSSL_CTX_free(ctx_c);
     wolfSSL_free(ssl_s);
@@ -2158,6 +2179,15 @@ int test_tls13_rpk_handshake(void)
                                                         WOLFSSL_SUCCESS);
     ExpectIntEQ(tp, WOLFSSL_CERT_TYPE_RPK);
 
+    /* TLS1.2 RPK: same as the TLS1.3 case above - no chain of trust, so the
+     * verify result must report the peer as unauthenticated. */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_c),
+                WOLFSSL_X509_V_ERR_RPK_UNTRUSTED);
+    ExpectIntEQ(wolfSSL_get_verify_result(ssl_s),
+                WOLFSSL_X509_V_ERR_RPK_UNTRUSTED);
+#endif
+
     wolfSSL_free(ssl_c);
     wolfSSL_CTX_free(ctx_c);
     wolfSSL_free(ssl_s);

wolfssl/openssl/x509.h

@@ -210,6 +210,9 @@
 #define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE           92
 #define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3        93
 #define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS              94
+/* OpenSSL numbers this 91; that slot is already taken in wolfSSL, so the
+ * RPK-untrusted code is assigned the next free wolfSSL-specific value. */
+#define X509_V_ERR_RPK_UNTRUSTED                       95
 #define X509_R_CERT_ALREADY_IN_HASH_TABLE              101
 #define X509_R_KEY_VALUES_MISMATCH                     WC_KEY_MISMATCH_E
 

wolfssl/ssl.h

@@ -2708,6 +2708,9 @@ enum {
     WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH               = 64,
     WOLFSSL_X509_V_ERR_INVALID_CA                        = 79,
     WC_OSSL_V509_V_ERR_MAX = 80,
+    /* Codes at or above WC_OSSL_V509_V_ERR_MAX are intentionally outside the
+     * contiguous range swept by the error-string test in tests/api.c. */
+    WOLFSSL_X509_V_ERR_RPK_UNTRUSTED                     = 95,
 
 #ifdef HAVE_OCSP
     /* OCSP Flags */