From: Alexander Sosedkin Date: Tue, 14 Apr 2026 15:41:30 +0000 (+0200) Subject: x509/name_constraints: fix intersecting empty constraints X-Git-Tag: 3.8.13^2~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1dead2faec6320aaba321eb56f20d442df192b83;p=thirdparty%2Fgnutls.git x509/name_constraints: fix intersecting empty constraints Permitted name constraints were wrongfully ignored when prior CAs only had excluded name constraints, resulting in a name constraint bypass. With this change, they are taken into account and propagate. Reported-by: Haruto Kimura (Stella) Fixes: #1824 Fixes: CVE-2026-42011 Fixes: GNUTLS-SA-2026-04-29-6 CVSS: 4.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Signed-off-by: Alexander Sosedkin --- diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c index 410022239..16cee68d7 100644 --- a/lib/x509/name_constraints.c +++ b/lib/x509/name_constraints.c @@ -800,10 +800,6 @@ static int name_constraints_node_list_intersect( san_flags_t types_in_p1 = 0, types_in_p2 = 0; static const unsigned char universal_ip[32] = { 0 }; - if (gl_list_size(permitted1->items) == 0 || - gl_list_size(permitted2->items) == 0) - return GNUTLS_E_SUCCESS; - /* First partition PERMITTED1 into supported and unsupported lists */ ret = name_constraints_node_list_init(&supported1); if (ret < 0) {
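Review bot: dropping the early return on an empty permitted1/permitted2 is what stops the permitted constraints from being discarded, but the hunk shows nothing of how the rest of name_constraints_node_list_intersect behaves once control falls through with one list empty; an empty permitted list on one side means that CA imposed no permitted restriction, so the intersection must reduce to the other side's list rather than to an empty result (which would reject every name). Please confirm the partition/merge code below the hunk handles the empty-list case that way, and add a regression test for the chain described in the commit message (a CA with only excluded constraints followed by a CA with permitted constraints) asserting that a leaf name outside the permitted set is rejected.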