x509/name_constraints: fix intersecting empty constraints
authorAlexander Sosedkin <asosedkin@redhat.com>
Tue, 14 Apr 2026 15:41:30 +0000 (17:41 +0200)
committerAlexander Sosedkin <asosedkin@redhat.com>
Wed, 29 Apr 2026 13:35:03 +0000 (15:35 +0200)
Permitted name constraints were wrongfully ignored
when prior CAs only had excluded name constraints,
resulting in a name constraint bypass.

With this change, they are taken into account and propagate.

Reported-by: Haruto Kimura (Stella)
Fixes: #1824
Fixes: CVE-2026-42011
Fixes: GNUTLS-SA-2026-04-29-6
CVSS: 4.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/x509/name_constraints.c

index 410022239d8d46b1a93e0186a7cf039781038fc6..16cee68d783b2579692dddb66393003b63b5ca7f 100644 (file)
@@ -800,10 +800,6 @@ static int name_constraints_node_list_intersect(
        san_flags_t types_in_p1 = 0, types_in_p2 = 0;
        static const unsigned char universal_ip[32] = { 0 };
 
-       if (gl_list_size(permitted1->items) == 0 ||
-           gl_list_size(permitted2->items) == 0)
-               return GNUTLS_E_SUCCESS;
-
        /* First partition PERMITTED1 into supported and unsupported lists */
        ret = name_constraints_node_list_init(&supported1);
        if (ret < 0) {
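Review bot: With the early return gone, the remainder of name_constraints_node_list_intersect (its body runs past the end of this hunk) must treat an empty permitted list as "no restriction" rather than "nothing permitted"; if any later step still reads an empty list as empty, the accumulated list from a CA that only carried excluded constraints would again swallow permitted2, which is the bypass the commit describes. The deleted lines were presumably written under the opposite reading, so the invariant is worth stating at the spot where they stood: `/* An empty permitted list means "unconstrained", not "nothing permitted": intersecting with it must yield the other list, so do not short-circuit here. */`. A regression test chaining a CA that carries only excluded constraints before one that carries permitted constraints would pin this behaviour, if the change does not already include one.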