RFC7250 (RPK) support

Add support for the RFC7250 certificate-type extensions.
Alows the use of only private keys for connection (i.e. certs not needed).

Add APIs
Add unit tests
Add documentation
Add s_client/s_server support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)

4 files changed, 66 insertions, 19 deletions

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index a50378f27d..5cf6b319dc 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1,7 +1,7 @@
 /*
  * {- join("\n * ", @autowarntext) -}
  *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -258,29 +258,31 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
 
 /* Extension context codes */
 /* This extension is only allowed in TLS */
-#define SSL_EXT_TLS_ONLY                        0x0001
+#define SSL_EXT_TLS_ONLY                        0x00001
 /* This extension is only allowed in DTLS */
-#define SSL_EXT_DTLS_ONLY                       0x0002
+#define SSL_EXT_DTLS_ONLY                       0x00002
 /* Some extensions may be allowed in DTLS but we don't implement them for it */
-#define SSL_EXT_TLS_IMPLEMENTATION_ONLY         0x0004
+#define SSL_EXT_TLS_IMPLEMENTATION_ONLY         0x00004
 /* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
-#define SSL_EXT_SSL3_ALLOWED                    0x0008
+#define SSL_EXT_SSL3_ALLOWED                    0x00008
 /* Extension is only defined for TLS1.2 and below */
-#define SSL_EXT_TLS1_2_AND_BELOW_ONLY           0x0010
+#define SSL_EXT_TLS1_2_AND_BELOW_ONLY           0x00010
 /* Extension is only defined for TLS1.3 and above */
-#define SSL_EXT_TLS1_3_ONLY                     0x0020
+#define SSL_EXT_TLS1_3_ONLY                     0x00020
 /* Ignore this extension during parsing if we are resuming */
-#define SSL_EXT_IGNORE_ON_RESUMPTION            0x0040
-#define SSL_EXT_CLIENT_HELLO                    0x0080
+#define SSL_EXT_IGNORE_ON_RESUMPTION            0x00040
+#define SSL_EXT_CLIENT_HELLO                    0x00080
 /* Really means TLS1.2 or below */
-#define SSL_EXT_TLS1_2_SERVER_HELLO             0x0100
-#define SSL_EXT_TLS1_3_SERVER_HELLO             0x0200
-#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS     0x0400
-#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST      0x0800
-#define SSL_EXT_TLS1_3_CERTIFICATE              0x1000
-#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET       0x2000
-#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST      0x4000
-#define SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION  0x8000
+#define SSL_EXT_TLS1_2_SERVER_HELLO             0x00100
+#define SSL_EXT_TLS1_3_SERVER_HELLO             0x00200
+#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS     0x00400
+#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST      0x00800
+#define SSL_EXT_TLS1_3_CERTIFICATE              0x01000
+#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET       0x02000
+#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST      0x04000
+#define SSL_EXT_TLS1_3_CERTIFICATE_COMPRESSION  0x08000
+/* When sending a raw public key in a certificate message */
+#define SSL_EXT_TLS1_3_RAW_PUBLIC_KEY           0x10000
 
 /* Typedefs for handling custom extensions */
 
@@ -566,6 +568,8 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
 # define CERT_PKEY_CERT_TYPE     0x400
 /* Cert chain suitable to Suite B */
 # define CERT_PKEY_SUITEB        0x800
+/* Cert pkey valid for raw public key use */
+# define CERT_PKEY_RPK           0x1000
 
 # define SSL_CONF_FLAG_CMDLINE           0x1
 # define SSL_CONF_FLAG_FILE              0x2
@@ -1734,6 +1738,9 @@ __owur int SSL_has_matching_session_id(const SSL *s,
                                        unsigned int id_len);
 SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
                              long length);
+SSL_SESSION *d2i_SSL_SESSION_ex(SSL_SESSION **a, const unsigned char **pp,
+                                long length, OSSL_LIB_CTX *libctx,
+                                const char *propq);
 
 # ifdef OPENSSL_X509_H
 __owur X509 *SSL_get0_peer_certificate(const SSL *s);
@@ -2592,6 +2599,20 @@ int SSL_set1_compressed_cert(SSL *ssl, int algorithm, unsigned char *comp_data,
 size_t SSL_CTX_get1_compressed_cert(SSL_CTX *ctx, int alg, unsigned char **data, size_t *orig_len);
 size_t SSL_get1_compressed_cert(SSL *ssl, int alg, unsigned char **data, size_t *orig_len);
 
+__owur int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk);
+__owur EVP_PKEY *SSL_get0_peer_rpk(const SSL *s);
+__owur EVP_PKEY *SSL_SESSION_get0_peer_rpk(SSL_SESSION *s);
+__owur int SSL_get_negotiated_client_cert_type(const SSL *s);
+__owur int SSL_get_negotiated_server_cert_type(const SSL *s);
+
+__owur int SSL_set1_client_cert_type(SSL *s, const unsigned char *val, size_t len);
+__owur int SSL_set1_server_cert_type(SSL *s, const unsigned char *val, size_t len);
+__owur int SSL_CTX_set1_client_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len);
+__owur int SSL_CTX_set1_server_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len);
+__owur int SSL_get0_client_cert_type(const SSL *s, unsigned char **t, size_t *len);
+__owur int SSL_get0_server_cert_type(const SSL *s, unsigned char **t, size_t *len);
+__owur int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **t, size_t *len);
+__owur int SSL_CTX_get0_server_cert_type(const SSL_CTX *s, unsigned char **t, size_t *len);
 
 # ifdef  __cplusplus
 }
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 43aa1c3742..94cb60f8be 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -25,6 +25,7 @@
 # define SSL_R_APP_DATA_IN_HANDSHAKE                      100
 # define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
 # define SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE     158
+# define SSL_R_BAD_CERTIFICATE                            348
 # define SSL_R_BAD_CHANGE_CIPHER_SPEC                     103
 # define SSL_R_BAD_CIPHER                                 186
 # define SSL_R_BAD_COMPRESSION_ALGORITHM                  326
@@ -111,6 +112,7 @@
 # define SSL_R_ECC_CERT_NOT_FOR_SIGNING                   318
 # define SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE              374
 # define SSL_R_EE_KEY_TOO_SMALL                           399
+# define SSL_R_EMPTY_RAW_PUBLIC_KEY                       349
 # define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST         354
 # define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                  150
 # define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              151
@@ -146,6 +148,7 @@
 # define SSL_R_INVALID_KEY_UPDATE_TYPE                    120
 # define SSL_R_INVALID_MAX_EARLY_DATA                     174
 # define SSL_R_INVALID_NULL_CMD_NAME                      385
+# define SSL_R_INVALID_RAW_PUBLIC_KEY                     350
 # define SSL_R_INVALID_RECORD                             317
 # define SSL_R_INVALID_SEQUENCE_NUMBER                    402
 # define SSL_R_INVALID_SERVERINFO_DATA                    388
@@ -342,6 +345,7 @@
 # define SSL_R_WRONG_CERTIFICATE_TYPE                     383
 # define SSL_R_WRONG_CIPHER_RETURNED                      261
 # define SSL_R_WRONG_CURVE                                378
+# define SSL_R_WRONG_RPK_TYPE                             351
 # define SSL_R_WRONG_SIGNATURE_LENGTH                     264
 # define SSL_R_WRONG_SIGNATURE_SIZE                       265
 # define SSL_R_WRONG_SIGNATURE_TYPE                       370
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index bb9314a9ba..7e3d1a725b 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -123,6 +123,14 @@ extern "C" {
 # define TLSEXT_TYPE_signed_certificate_timestamp    18
 
 /*
+ * Extension type for Raw Public Keys
+ * https://tools.ietf.org/html/rfc7250
+ * https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
+ */
+# define TLSEXT_TYPE_client_cert_type   19
+# define TLSEXT_TYPE_server_cert_type   20
+
+/*
  * ExtensionType value for TLS padding extension.
  * http://tools.ietf.org/html/draft-agl-tls-padding
  */
@@ -224,6 +232,15 @@ extern "C" {
 # define TLSEXT_max_fragment_length_2048        3
 # define TLSEXT_max_fragment_length_4096        4
 
+/*
+ * TLS Certificate Type (for RFC7250)
+ * https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-3
+ */
+# define TLSEXT_cert_type_x509         0
+# define TLSEXT_cert_type_pgp          1 /* recognized, but not supported */
+# define TLSEXT_cert_type_rpk          2
+# define TLSEXT_cert_type_1609dot2     3 /* recognized, but not supported */
+
 int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode);
 int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode);
 
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index d7020f3b3a..ac24145a03 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -1,7 +1,7 @@
 /*
  * {- join("\n * ", @autowarntext) -}
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -314,6 +314,7 @@ X509_LOOKUP_ctrl_ex((x), X509_L_ADD_STORE, (name), 0, NULL,           \
 # define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE            92
 # define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3         93
 # define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS               94
+# define X509_V_ERR_RPK_UNTRUSTED                        95
 
 /* Certificate verify flags */
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
@@ -468,11 +469,14 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
                         X509 *target, STACK_OF(X509) *untrusted);
+int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store,
+                            EVP_PKEY* rpk);
 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
 
 X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
 X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
+EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx);
 STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
@@ -665,6 +669,7 @@ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
+void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
 int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);