Fixes from review

Author: embhorn

src/internal.c

@@ -15992,6 +15992,43 @@ static int AdjustCMForParams(WOLFSSL* ssl)
 }
 #endif
 
+#if defined(HAVE_RPK)
+/* Determine whether a received Raw Public Key (RFC 7250) has been pinned as
+ * trusted out of band. The on-wire RPK is exactly the DER SubjectPublicKeyInfo,
+ * so its SHA-256 digest is compared against the application-supplied pins.
+ *
+ * @param [in] ssl     SSL/TLS object.
+ * @param [in] spki    DER SubjectPublicKeyInfo received from the peer.
+ * @param [in] spkiSz  Length of spki in bytes.
+ * @return  1 when the key matches a pin, 0 otherwise.
+ */
+static int RpkIsTrusted(WOLFSSL* ssl, const byte* spki, word32 spkiSz)
+{
+#ifndef NO_SHA256
+    RpkConfig* cfg = &ssl->options.rpkConfig;
+
+    if ((cfg->expectedRpkCnt > 0) && (spki != NULL) && (spkiSz > 0)) {
+        byte digest[WC_SHA256_DIGEST_SIZE];
+        int i;
+
+        if (wc_Sha256Hash(spki, spkiSz, digest) == 0) {
+            for (i = 0; i < (int)cfg->expectedRpkCnt; i++) {
+                if (XMEMCMP(digest, cfg->expectedRpk[i],
+                            WC_SHA256_DIGEST_SIZE) == 0) {
+                    return 1;
+                }
+            }
+        }
+    }
+#else
+    (void)ssl;
+    (void)spki;
+    (void)spkiSz;
+#endif /* !NO_SHA256 */
+    return 0;
+}
+#endif /* HAVE_RPK */
+
 int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                      word32 totalSz)
 {
@@ -16815,34 +16852,52 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         ssl->peerVerifyRet = WOLFSSL_X509_V_OK;
                 #endif
 
-                #if defined(HAVE_RPK) && (defined(OPENSSL_EXTRA) || \
-                    defined(OPENSSL_EXTRA_X509_SMALL))
+                #if defined(HAVE_RPK)
                     /* A Raw Public Key cert (RFC 7250) has no issuer and no
                      * signature, so ParseCertRelative performed no peer
-                     * authentication. Unless an out-of-band trust mechanism
-                     * (DANE, key pinning, etc.) has bound this key, report the
-                     * peer as unauthenticated through wolfSSL_get_verify_result()
-                     * rather than leaving it at WOLFSSL_X509_V_OK. The handshake
-                     * is intentionally not failed here: per RFC 7250 the
-                     * application is responsible for validating the key out of
-                     * band. Applies to both peers - client checking the
-                     * server's RPK and server checking the client's RPK.
-                     * WOLFSSL_VERIFY_NONE leaves the result untouched. */
-                    if (args->dCert->isRPK && !ssl->options.verifyNone) {
-                        int rpkTrusted = 0;
-                    #if defined(HAVE_DANE)
-                        if (ssl->options.useDANE) {
-                            /* DANE authentication should be added; set
-                             * rpkTrusted = 1 on a successful match. */
-                        }
-                    #endif /* HAVE_DANE */
+                     * authentication. The key is only authenticated if it was
+                     * pinned out of band (expected RPK). Applies to both peers
+                     * - client checking the server's RPK and server checking
+                     * the client's RPK. */
+                    if (args->dCert->isRPK) {
+                        int rpkTrusted = RpkIsTrusted(ssl,
+                                args->certs[args->certIdx].buffer,
+                                args->certs[args->certIdx].length);
+
+                    #if defined(OPENSSL_EXTRA) || \
+                        defined(OPENSSL_EXTRA_X509_SMALL)
+                        /* Report the status truthfully regardless of verify
+                         * mode, mirroring OpenSSL: get_verify_result() reflects
+                         * the actual key status even under WOLFSSL_VERIFY_NONE
+                         * rather than leaving it at WOLFSSL_X509_V_OK. */
                         if (!rpkTrusted &&
                                 ssl->peerVerifyRet == WOLFSSL_X509_V_OK) {
                             ssl->peerVerifyRet = (unsigned long)
                                 WOLFSSL_X509_V_ERR_RPK_UNTRUSTED;
                         }
+                    #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+                        /* Fail closed when the peer is being authenticated: an
+                         * untrusted RPK must abort the handshake rather than
+                         * silently complete it (cf. OpenSSL CVE-2024-12797).
+                         * The gate is !verifyNone, matching the X.509
+                         * authentication gate above (the VERIFY/NO_VERIFY
+                         * choice passed to ProcessPeerCertParse) - so a default
+                         * authenticating client (verifyPeer unset, verifyNone
+                         * unset) validating an RPK server is protected too, not
+                         * just the explicit WOLFSSL_VERIFY_PEER case. The verify
+                         * callback can still override, exactly as it can for an
+                         * X.509 chain error. WOLFSSL_VERIFY_NONE keeps the
+                         * "accept and let the application decide" behaviour per
+                         * RFC 7250. */
+                        if (!rpkTrusted && !ssl->options.verifyNone) {
+                            WOLFSSL_MSG("Untrusted RPK and peer verification "
+                                        "is on; failing handshake");
+                            ret = ASN_NO_SIGNER_E;
+                            WOLFSSL_ERROR_VERBOSE(ret);
+                        }
                     }
-                #endif /* HAVE_RPK && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */
+                #endif /* HAVE_RPK */
 
                 #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
                     /* if using alternate chain, store the cert used */

src/ssl_api_cert.c

@@ -430,6 +430,82 @@ int wolfSSL_get_negotiated_server_cert_type(WOLFSSL* ssl, int* tp)
     }
     return ret;
 }
+
+#ifndef NO_SHA256
+/* Store the SHA-256 digest of a DER SubjectPublicKeyInfo as an expected Raw
+ * Public Key (RFC 7250) for out-of-band trust.
+ *
+ * @param [in] cfg     RPK configuration to add the pin to.
+ * @param [in] spki    DER-encoded SubjectPublicKeyInfo.
+ * @param [in] spkiSz  Length of spki in bytes.
+ * @return  0 on success.
+ * @return  BAD_FUNC_ARG when cfg or spki is NULL, or spkiSz is 0.
+ * @return  BUFFER_E when no more pins can be stored.
+ * @return  negative hashing error on failure.
+ */
+static int rpk_add_expected(RpkConfig* cfg, const unsigned char* spki,
+    unsigned int spkiSz)
+{
+    int ret;
+
+    if ((cfg == NULL) || (spki == NULL) || (spkiSz == 0)) {
+        return BAD_FUNC_ARG;
+    }
+    if (cfg->expectedRpkCnt >= WOLFSSL_MAX_RPK_PINS) {
+        return BUFFER_E;
+    }
+
+    ret = wc_Sha256Hash(spki, spkiSz, cfg->expectedRpk[cfg->expectedRpkCnt]);
+    if (ret == 0) {
+        cfg->expectedRpkCnt++;
+    }
+    return ret;
+}
+
+/* Pin an expected peer Raw Public Key on the SSL/TLS CTX object.
+ *
+ * @param [in] ctx     SSL/TLS CTX object.
+ * @param [in] spki    DER-encoded SubjectPublicKeyInfo the peer will present.
+ * @param [in] spkiSz  Length of spki in bytes.
+ * @return  WOLFSSL_SUCCESS on success.
+ * @return  BAD_FUNC_ARG when ctx or spki is NULL, or spkiSz is 0.
+ * @return  BUFFER_E when the pin table is full (WOLFSSL_MAX_RPK_PINS reached).
+ * @return  Other negative error code on hashing failure.
+ */
+int wolfSSL_CTX_set_expected_rpk(WOLFSSL_CTX* ctx, const unsigned char* spki,
+    unsigned int spkiSz)
+{
+    int ret;
+
+    if (ctx == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    ret = rpk_add_expected(&ctx->rpkConfig, spki, spkiSz);
+    return (ret == 0) ? WOLFSSL_SUCCESS : ret;
+}
+
+/* Pin an expected peer Raw Public Key on the SSL/TLS object.
+ *
+ * @param [in] ssl     SSL/TLS object.
+ * @param [in] spki    DER-encoded SubjectPublicKeyInfo the peer will present.
+ * @param [in] spkiSz  Length of spki in bytes.
+ * @return  WOLFSSL_SUCCESS on success.
+ * @return  BAD_FUNC_ARG when ssl or spki is NULL, or spkiSz is 0.
+ * @return  BUFFER_E when the pin table is full (WOLFSSL_MAX_RPK_PINS reached).
+ * @return  Other negative error code on hashing failure.
+ */
+int wolfSSL_set_expected_rpk(WOLFSSL* ssl, const unsigned char* spki,
+    unsigned int spkiSz)
+{
+    int ret;
+
+    if (ssl == NULL) {
+        return BAD_FUNC_ARG;
+    }
+    ret = rpk_add_expected(&ssl->options.rpkConfig, spki, spkiSz);
+    return (ret == 0) ? WOLFSSL_SUCCESS : ret;
+}
+#endif /* !NO_SHA256 */
 #endif /* HAVE_RPK */
 
 /* Certificate verification options. */