Skip to content

Add error when RPK is used with DANE stub#10486

Merged
dgarske merged 4 commits into
wolfSSL:masterfrom
embhorn:zd21825
Jul 9, 2026
Merged

Add error when RPK is used with DANE stub#10486
dgarske merged 4 commits into
wolfSSL:masterfrom
embhorn:zd21825

Conversation

@embhorn

@embhorn embhorn commented May 14, 2026

Copy link
Copy Markdown
Member

Description

DANE support was stubbed for the compatibility layer. Ensure an actual connection errors if it is used.

Thanks to Peter Samarin for reporting the issue and reviewing the fix.

Fixes zd21825

Testing

Added test cases in test_tls13_rpk_handshake

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this May 14, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10486

Scan targets checked: wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts wolfSSL’s OpenSSL-compat verification reporting for TLS Raw Public Keys (RPK, RFC 7250) so that connections using RPK without an out-of-band trust mechanism do not report WOLFSSL_X509_V_OK via wolfSSL_get_verify_result().

Changes:

  • Introduces a new verification result code for “RPK not trusted” and exposes it in both wolfSSL and OpenSSL-compat headers.
  • Updates peer-certificate processing to set peerVerifyRet to the new RPK-untrusted code when appropriate.
  • Extends test_tls13_rpk_handshake to assert the expected verify-result behavior for RPK vs X.509 handshakes.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
wolfssl/ssl.h Adds a new wolfSSL verification-result enum value for untrusted RPK.
wolfssl/openssl/x509.h Exposes the corresponding OpenSSL-compat X509_V_ERR_RPK_UNTRUSTED define.
src/internal.c Sets peerVerifyRet for RPK handshakes and adds an error-string mapping for the new code.
tests/api/test_tls13.c Adds assertions that RPK handshakes produce a non-OK verify result while X.509 handshakes remain OK.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c Outdated
Comment thread wolfssl/ssl.h Outdated
@github-actions

github-actions Bot commented May 14, 2026

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m3

  • FLASH: .text +8 B (+0.0%, 122,449 B / 262,144 B, total: 47% used)

gcc-arm-cortex-m4

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +36 B (+0.0%, 200,256 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +128 B, .text +64 B (+0.0%, 770,508 B / 1,048,576 B, total: 73% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +32 B (+0.0%, 279,268 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +32 B (+0.0%, 324,864 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +36 B (+0.0%, 235,954 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +36 B, .text +64 B (+0.0%, 200,256 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +32 B (+0.0%, 279,844 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.wolfSSL_ERR_reason_error_string.str1.1 +36 B (+0.0%, 236,018 B / 262,144 B, total: 90% used)

linuxkm-standard

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Comment thread src/internal.c Outdated
Comment thread wolfssl/ssl.h
Comment thread wolfssl/ssl.h
Comment thread wolfssl/openssl/x509.h Outdated

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10486

Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Comment thread wolfssl/ssl.h Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (2)

src/internal.c:1

  • Correct the typo in the comment: “skip following x509 version check” should be “skip following X.509 version check” (or at least “skip following x509 version check” with proper spacing was already addressed, but please also standardize “X.509” capitalization to match surrounding terminology).
    src/internal.c:1
  • The handshake failure path uses ASN_NO_SIGNER_E (an X.509-oriented error) as the transport-level error for an untrusted RPK, while also introducing a distinct verify-result code (WOLFSSL_X509_V_ERR_RPK_UNTRUSTED) under OPENSSL_EXTRA*. This can be confusing for API consumers diagnosing failures (they may see ASN_NO_SIGNER_E rather than an RPK-specific failure unless they also inspect verify_result). Recommendation: consider propagating an RPK-specific error code at the handshake error layer as well (or otherwise ensure the mapping from ASN_NO_SIGNER_E to the new RPK_UNTRUSTED reason is discoverable), to make diagnostics consistent across builds (with/without OPENSSL_EXTRA).

Comment thread tests/api/test_tls13.c
Comment thread tests/api/test_tls13.c
Comment thread wolfssl/ssl.h Outdated
Comment thread wolfssl/ssl.h

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10486

Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Comment thread wolfssl/ssl.h
Comment thread doc/dox_comments/header_files/ssl.h Outdated
Comment thread doc/dox_comments/header_files/ssl.h Outdated

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10486

Scan targets checked: wolfcrypt-rs-bugs, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

@embhorn embhorn added the For This Release Release version 5.9.2 label Jun 12, 2026
@embhorn embhorn assigned wolfSSL-Bot and unassigned embhorn Jun 12, 2026

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 7 total — 7 posted, 0 skipped
6 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Medium] Nested '*/' inside doxygen \code block truncates the commentdoc/dox_comments/header_files/ssl.h:16038,16074
  • [Medium] RPK now fails closed for all HAVE_RPK builds — notable behavior changesrc/internal.c:16884-16911
  • [Low] Append-only pin table has no clear/replace APIsrc/ssl_api_cert.c:446-507
  • [Low] CTX-level pinning API NULL/arg-error path not directly testedsrc/ssl_api_cert.c:475-485
  • [Low] RPK reason-string regression check omitted for OPENSSL_EXTRA_X509_SMALL-only buildstests/api.c:28062-28075
  • [Low] DANE removal leaves useDANE field with no remaining reader/writerwolfssl/internal.h:5301-5303
  • [Low] x509.h comment may understate OpenSSL compatibility of value 95wolfssl/openssl/x509.h:213-215

Review generated by Skoll

Comment thread doc/dox_comments/header_files/ssl.h
Comment thread src/internal.c
Comment thread src/ssl_api_cert.c
Comment thread src/ssl_api_cert.c
Comment thread tests/api.c Outdated
Comment thread wolfssl/openssl/x509.h Outdated

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please review these skoll reports -> #10486 (review)

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: reviewOverall recommendation: COMMENT
Findings: 1 total — 1 posted, 0 skipped

Posted findings

  • [Low] useDANE bitfield is now dead after removing its only readersrc/internal.c:16933-16940 (field at wolfssl/internal.h:5301-5303)

Review generated by Skoll

@embhorn embhorn requested a review from dgarske June 12, 2026 21:36
@embhorn embhorn removed their assignment Jun 12, 2026
dgarske
dgarske previously approved these changes Jun 12, 2026
@embhorn

embhorn commented Jul 9, 2026

Copy link
Copy Markdown
Member Author

retest this please

@dgarske dgarske merged commit 2b62c84 into wolfSSL:master Jul 9, 2026
329 of 331 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants