lib/pkcs11: do not silently pass on unimplemented functionality
When the relevant PKCS#11 header macros were not defined,
several functions for the FIPS PKCS#11 provider wrongfully reported success.
They have been modified to return GNUTLS_E_UNIMPLEMENTED_FEATURE instead.
Fixes: #1820
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
session_pack: validate session_id_size on unpacking
A check for session_id_size not exceeding GNUTLS_MAX_SESSION_ID_SIZE
on loading persisted TLS session data was overlooked,
leading to a heap overflow
were the data corrupted in a malicious manner.
Reported-by: Haruto Kimura (Stella)
Fixes: #1817
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
src/cfg: fix iterating in clear_options, on the error path
Calling testing tools bundled with GnuTLS with malformed arguments
could lead to crashing them.
This change makes the error path of option parsing more robust.
Fixes: #1823
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/x509/x509_ext: avoid a heap overread in SCT extension parser
Parsing a specially crafted SCT extension could previously lead to
a short heap overread.
The list-length validation didn't account for the 2-byte length field.
The fix now accounts for the header field length,
ensuring the parsing stays within the buffer.
Fixes: #1822
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
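As an added illustration (example code, not the GnuTLS parser), the bug class in the SCT commit above: a SignedCertificateTimestampList (RFC 6962 section 3.3) is a 2-byte length prefix followed by entries that each carry their own 2-byte length prefix. Validating the declared list length against the whole extension length, instead of against the bytes that follow the prefix, lets a crafted length walk 2 bytes past the buffer. The function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The outer length check in two flavours.  The buggy one compares the
 * declared list length against the extension length and forgets that the
 * 2-byte prefix is part of that extension length. */
int outer_len_ok_buggy(size_t list_len, size_t ext_len) { return list_len <= ext_len; }
int outer_len_ok_fixed(size_t list_len, size_t ext_len)
{
    return ext_len >= 2 && list_len == ext_len - 2;
}

/* Hardened walk over the list: returns the number of SCT entries, or -1 on
 * malformed input.  Every length prefix and every entry body is checked
 * against the bytes that actually remain, so the cursor never leaves the buffer. */
int sct_list_count(const uint8_t *ext, size_t ext_len)
{
    if (ext_len < 2) return -1;
    size_t list_len = rd16(ext);
    if (!outer_len_ok_fixed(list_len, ext_len)) return -1;
    const uint8_t *p = ext + 2;
    size_t left = list_len;
    int n = 0;
    while (left > 0) {
        if (left < 2) return -1;                 /* truncated entry length prefix */
        size_t sct_len = rd16(p);
        p += 2; left -= 2;
        if (sct_len == 0 || sct_len > left) return -1;  /* entry body would overrun */
        p += sct_len; left -= sct_len;
        n++;
    }
    return n;
}

/* Constructed samples: two entries of 3 and 2 bytes (9 bytes after the prefix) */
static const uint8_t good_list[] = { 0x00, 0x09, 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x02, 'd', 'e' };
/* outer length covers the whole extension, including its own 2-byte prefix */
static const uint8_t bad_outer[] = { 0x00, 0x0b, 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x02, 'd', 'e' };
/* inner entry length runs past the end of the list */
static const uint8_t bad_inner[] = { 0x00, 0x05, 0x00, 0x09, 'a', 'b', 'c' };

int main(void)
{
    printf("good list: %d entries\n", sct_list_count(good_list, sizeof good_list));
    printf("bad outer length: buggy check accepts=%d, hardened parser=%d\n",
           outer_len_ok_buggy(0x0b, sizeof bad_outer),
           sct_list_count(bad_outer, sizeof bad_outer));
    printf("bad inner length: hardened parser=%d\n",
           sct_list_count(bad_inner, sizeof bad_inner));
    return 0;
}
```

The same shape of check applies to every TLS-style length-prefixed vector: subtract the header before comparing, and compare the inner length against what is left, never against the total.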
lib/x509: fix cleanup when gnutls_x509_crt_list_import_pkcs11 fails
Previously gnutls_x509_trust_list_remove_trust_file tried to free
the entire xcrt_list, even though one source of failures is
gnutls_pkcs11_obj_list_import_url2 that deinits it up to the correct
position.
With this change, both functions zero unused entries.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1819
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/x509/privkey_openssl: mind header size more carefully
When parsing private keys in OpenSSL PEM format, GnuTLS did not perform
sufficient bounds checking for the length of the PEM header being parsed.
For specially crafted inputs, this could lead to heap overreads.
There was no confidentiality risk and
the crash potential was limited to instrumented builds in practice.
This change instates the overlooked bounds checking.
Reported-by: Kamil Frankowicz <kamil.frankowicz@cert.pl>
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Related: #1818
Fixes: #1854
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
nettle/pk: check RSA key coprimality in verify_params
Previously, gnutls_privkey_verify_params overlooked
the scenario of p and q not being co-prime,
and proceeded with undefined behaviour that was extremely likely
to error out in practice anyway.
Now it returns GNUTLS_E_PK_INVALID_PRIVKEY in this case.
Reported-by: Kamil Frankowicz <kamil.frankowicz@cert.pl>
Related: #1818
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
x509/ocsp: check OCSP delegated signer EKU OID to full length
The retrieved certificate purpose OID was compared against the expected
1.3.6.1.5.5.7.3.9 value without checking if the lengths were identical,
allowing a value that constitutes a prefix to match.
The check now compares the length as well.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Co-authored-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
In check_ocsp_response(), the code first searched
for the SingleResponse that matches the certificate being validated.
But later, the status was retrieved from entry 0 unconditionally,
rather than from the matched resp_indx.
As a result, if entry 0 corresponded to a different certificate and was good,
while the matched entry for the peer certificate was revoked,
the revocation check could've mistakenly accepted the certificate.
Reported-by: Oleh Konko (1seal) <security@1seal.org>
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1801
Fixes: #1812
Fixes: CVE-2026-3832
Fixes: GNUTLS-SA-2026-04-29-12
CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
x509/pkcs12_bag: fix off-by-one in bag element bounds check
Appending elements to a PKCS#12 bag had a bounds check that
prevented adding the 32nd element.
On the other hand, it is possible to import one that already has 32.
Subsequent appending then led to writing past the 32-element array,
smashing its length.
Tighten the check to reject any bag with 32 or more elements.
We'll treat this vulnerability as a Low due to how contrived
the requirements are: for the code to be vulnerable,
it needs to append to an imported untrusted unencrypted PKCS#12 structure.
Reported-by: Zou Dikai
Fixes: #1840
Fixes: CVE-2026-42015
Fixes: GNUTLS-SA-2026-04-29-11
CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Severity: Low
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/pkcs11_privkey: guard against overreading on short ciphertexts
This is an alternative fix for the callee side.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1814
Fixes: CVE-2026-5260
Fixes: GNUTLS-SA-2026-04-29-10
CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
lib/auth/rsa: check that ciphertext matches the modulus size
A client sending extremely short premaster secret as part of an
RSA key exchange could've theoretically triggered a short heap overread
to nowhere when the RSA key was backed with a PKCS#11 token.
With this fix, the internal decryption function will not be called
with a mismatching plaintext length specified, avoiding the overread.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1814
Fixes: CVE-2026-5260
Fixes: GNUTLS-SA-2026-04-29-10
CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin
Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with
oldpin == NULL for a token that lacks a protected authentication path
led to a use-after-free.
Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team
Fixes: #1766
Fixes: #1809
Fixes: CVE-2026-42014
Fixes: GNUTLS-SA-2026-04-29-9
CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
A comment was inaccurately referring to DN email field fallback
as CN fallback.
Rename a few things as well to match x509/hostname-verify more closely.
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
x509/hostname-verify: make URI/SRV SAN preclude CN fallback
URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
> a client MUST NOT seek a match for a reference identifier of CN-ID
> if the presented identifiers include a DNS-ID, *SRV-ID*, *URI-ID*,
> or any application-specific identifier types supported by the client.
With this change, certificates containing URI or SRV SAN
no longer pass DNS hostname checks via CN fallback
to avoid potential misuse of such certificates
beyond their original purpose.
Reported-by: Oleh Konko <security@1seal.org>
Fixes: #1802
Fixes: CVE-2026-42012
Fixes: GNUTLS-SA-2026-04-29-7
CVSS: 6.5 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
RFC 5280 7.2:
> When comparing DNS names for equality, conforming implementations
> MUST perform a case-insensitive exact match on the entire DNS name.
> When evaluating name constraints, conforming implementations MUST
> perform a case-insensitive exact match on a label-by-label basis.
Domain name comparison during name constraints processing
was case-sensitive. For excluded name constraints, this could lead to
incorrectly accepting domain names that should've been rejected.
The code for comparing domain names and domain name parts of emails
has been modified to perform case-insensitive comparison instead.
Reported-by: Oleh Konko <security@1seal.org>
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1223
Fixes: #1803
Fixes: #1852
Fixes: CVE-2026-3833
Fixes: GNUTLS-SA-2026-04-29-5
CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
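An added illustration of the name-constraint comparison described above (example code, not GnuTLS's x509/name_constraints implementation): matching a dNSName against a subtree the way RFC 5280 section 7.2 requires, case-insensitively and only on whole labels, side by side with the byte-exact comparison that let a mixed-case name escape an excluded subtree. Function names are made up for the example; constraints are treated as bare domains, where "example.com" covers itself and every name below it, and the rfc822Name handling is a simplified reading of RFC 5280 4.2.1.10 in which only the domain part is compared case-insensitively.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality of two byte ranges (no locale, no IDNA) */
static int ci_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Is `name` inside the DNS subtree `constraint`?  The constraint must equal
 * the trailing labels of the name, and only at a label boundary, so
 * "example.com" covers "www.example.com" but not "notexample.com". */
int dns_in_subtree(const char *name, const char *constraint)
{
    size_t nlen = strlen(name), clen = strlen(constraint);
    if (clen == 0) return 1;                                     /* empty subtree matches all */
    if (nlen < clen) return 0;
    if (nlen > clen && name[nlen - clen - 1] != '.') return 0;   /* label boundary */
    return ci_eq(name + (nlen - clen), clen, constraint, clen);
}

/* The pre-fix behaviour: same logic, but a byte-exact comparison */
int dns_in_subtree_case_sensitive(const char *name, const char *constraint)
{
    size_t nlen = strlen(name), clen = strlen(constraint);
    if (clen == 0) return 1;
    if (nlen < clen) return 0;
    if (nlen > clen && name[nlen - clen - 1] != '.') return 0;
    return memcmp(name + (nlen - clen), constraint, clen) == 0;
}

/* rfc822Name: only the part after '@' is a DNS name.  A mailbox constraint
 * ("bob@x.org") keeps the local part byte-exact; a bare domain constraint is
 * applied to the address's domain part as a DNS subtree. */
int email_in_subtree(const char *email, const char *constraint)
{
    const char *at = strrchr(email, '@');
    const char *cat = strrchr(constraint, '@');
    if (at == NULL) return 0;
    if (cat != NULL) {
        size_t llen = (size_t)(at - email);
        if (llen != (size_t)(cat - constraint) || memcmp(email, constraint, llen) != 0)
            return 0;
        return ci_eq(at + 1, strlen(at + 1), cat + 1, strlen(cat + 1));
    }
    return dns_in_subtree(at + 1, constraint);
}

/* Decision for one dNSName: any excluded match rejects; when a permitted
 * list is present the name must fall inside at least one permitted subtree. */
int dns_name_allowed(const char *name,
                     const char **permitted, size_t np,
                     const char **excluded, size_t ne)
{
    for (size_t i = 0; i < ne; i++)
        if (dns_in_subtree(name, excluded[i])) return 0;
    if (np == 0) return 1;
    for (size_t i = 0; i < np; i++)
        if (dns_in_subtree(name, permitted[i])) return 1;
    return 0;
}

int main(void)
{
    const char *excluded[] = { "EXAMPLE.com" };   /* constructed excluded subtree */
    const char *san = "evil.Example.COM";         /* constructed mixed-case SAN */
    printf("byte-exact match against excluded subtree: %d (slips through)\n",
           dns_in_subtree_case_sensitive(san, excluded[0]));
    printf("case-insensitive match against excluded subtree: %d\n",
           dns_in_subtree(san, excluded[0]));
    printf("name allowed: %d\n", dns_name_allowed(san, NULL, 0, excluded, 1));
    return 0;
}
```

The label-boundary test is what keeps the comparison "exact": without it, a constraint of "example.com" would also cover "notexample.com", which is the mirror image of the case bug on the permitted side.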
A server looking up PSK username with a NUL-character in it
was wrongfully matching username truncated at a NUL-character.
Fix the check to compare up to the full username length.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1850
Fixes: CVE-2026-42010
Fixes: GNUTLS-SA-2026-04-29-4
CVSS: 7.1 High CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
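Two of the commits above, the OCSP delegated-signer EKU check and the PSK username lookup, are the same mistake seen from different angles: comparing a length-delimited value with a routine that does not honour the full length. The block below is an added example (not GnuTLS code; the function names and the sample database are constructed for it) showing each buggy comparison beside its fixed form. The EKU variant compares only the expected OID's bytes, so a longer OID that begins with 1.3.6.1.5.5.7.3.9 passes; the PSK variant uses strncmp(), whose length bound does not stop it from terminating at the first NUL in either string, so "alice\0root" matches the entry for "alice".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. id-kp-OCSPSigning check for a delegated OCSP responder ---- */
#define OCSP_SIGNING_OID "1.3.6.1.5.5.7.3.9"

/* Buggy: only strlen(expected) bytes are compared, so any OID that merely
 * starts with the expected value (e.g. 1.3.6.1.5.5.7.3.99) is accepted. */
int eku_is_ocsp_signing_buggy(const char *oid, size_t oid_len)
{
    size_t n = strlen(OCSP_SIGNING_OID);
    return oid_len >= n && memcmp(oid, OCSP_SIGNING_OID, n) == 0;
}

/* Fixed: the lengths must be identical before the bytes are compared. */
int eku_is_ocsp_signing_fixed(const char *oid, size_t oid_len)
{
    size_t n = strlen(OCSP_SIGNING_OID);
    return oid_len == n && memcmp(oid, OCSP_SIGNING_OID, n) == 0;
}

/* ---- 2. PSK username lookup ---- */
struct psk_entry { const char *user; size_t user_len; const char *key; };

/* Buggy: strncmp() stops at the first NUL in either string, so the client
 * identity is effectively truncated at its first NUL byte. */
const char *psk_key_buggy(const struct psk_entry *db, size_t n,
                          const unsigned char *user, size_t user_len)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(db[i].user, (const char *)user, user_len) == 0)
            return db[i].key;
    return NULL;
}

/* Fixed: require equal lengths and compare every byte with memcmp(). */
const char *psk_key_fixed(const struct psk_entry *db, size_t n,
                          const unsigned char *user, size_t user_len)
{
    for (size_t i = 0; i < n; i++)
        if (db[i].user_len == user_len && memcmp(db[i].user, user, user_len) == 0)
            return db[i].key;
    return NULL;
}

/* Constructed sample database and a client identity with an embedded NUL */
static const struct psk_entry sample_db[] = {
    { "alice", 5, "key-of-alice" },
};
static const unsigned char sneaky_user[] = { 'a', 'l', 'i', 'c', 'e', '\0', 'r', 'o', 'o', 't' };

int main(void)
{
    const char *prefix_oid = "1.3.6.1.5.5.7.3.99";
    printf("EKU prefix OID: buggy=%d fixed=%d\n",
           eku_is_ocsp_signing_buggy(prefix_oid, strlen(prefix_oid)),
           eku_is_ocsp_signing_fixed(prefix_oid, strlen(prefix_oid)));
    printf("PSK \"alice\\0root\": buggy=%s fixed=%s\n",
           psk_key_buggy(sample_db, 1, sneaky_user, sizeof sneaky_user) ? "match" : "no match",
           psk_key_fixed(sample_db, 1, sneaky_user, sizeof sneaky_user) ? "match" : "no match");
    return 0;
}
```

The practical consequence of the PSK variant is an identity mismatch: the key that authenticates the client belongs to "alice", while whatever the application later does with the full 10-byte username sees something else.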
buffers: simplify and tighten parse_handshake_header checks
* frag_size > data_size is now rejected even when length == 0
* length == 0 && frag_size > 0 is now rejected even when start_offset == 0
* start_offset > length is now rejected even when frag_size == 0
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
buffers: switch from end_offset over to frag_length
Instead of maintaining an inclusive [start_offset, end_offset] range
when reassembling DTLS handshake,
track start_offset and a relative frag_length instead.
You'd think it'd be a no-op, but it fixes:
* 0-length fragments triggering completion if message was 1 byte long
* a remotely triggerable underflow and an ensuing heap overrun
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1811
Fixes: CVE-2026-33845
Fixes: GNUTLS-SA-2026-04-29-3
CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
buffers: fix handshake_compare when sequence numbers match
The comparator function used for ordering DTLS packets
by sequence numbers did not follow qsort comparator contracts
in case of packets with duplicate sequence numbers,
which could lead to unstable ordering or undefined behaviour.
Returning 0 in such cases makes the sorting stable.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1848
Fixes: CVE-2026-42009
Fixes: GNUTLS-SA-2026-04-29-2
CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Joshua Rogers <joshua@joshua.hu>
lib/buffers: ensure packets have differing sequence numbers
There should normally be no packets with same sequence number and
differing handshake type, unless an adversary crafts them.
Discarding them allows us to get rid of packets
with duplicate sequence ID in the buffer,
relieving us from the question of how to sort them later.
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1848
Fixes: CVE-2026-42009
Fixes: GNUTLS-SA-2026-04-29-2
CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
DTLS handshake fragment reassembly previously matched incoming fragments
by handshake type only, without checking the sequence number.
This allowed fragments from different handshake messages
to be merged into the same reassembly buffer.
Now sequence number is accounted for during reassembly,
ensuring fragments are only merged when they belong
to the same handshake message.
Reported-by: Zou Dikai
Fixes: #1839
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
Previously, gnutls didn't check that DTLS fragments claimed
a consistent message_length value.
Additionally, a crucial array size check was missing,
enabling an attacker to cause a heap overwrite.
The updated version rejects fragments with mismatching length
and adds a missing boundary check.
Reported-by: Haruto Kimura (Stella)
Reported-by: Oscar Reparaz
Reported-by: Zou Dikai
Fixes: #1816
Fixes: #1838
Fixes: #1839
Fixes: CVE-2026-33846
Fixes: GNUTLS-SA-2026-04-29-1
CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
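The DTLS fragment commits above (the parse_handshake_header tightening, the switch to start_offset/frag_length, the sequence-number matching and the message_length consistency check) all guard one small state machine. The block below is an added example, not GnuTLS's lib/buffers code, of a reassembler that enforces those checks together: the cap DTLS_MAX_HS_MSG, the struct and function names are assumptions of the example; it reassembles one message at a time and tracks coverage per byte instead of as a single offset/length range, which removes the underflow class the range arithmetic had to defend against. Fragment offsets and lengths are validated by subtraction so a crafted fragment_offset cannot wrap a uint32 sum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS_MAX_HS_MSG 4096         /* assumed upper bound for a reassembled message */

struct dtls_frag {                   /* fields of the DTLS handshake header (RFC 6347 4.2.2) */
    uint16_t seq;                    /* message_seq */
    uint8_t  htype;                  /* msg_type */
    uint32_t msg_len;                /* length of the whole message */
    uint32_t frag_off;               /* fragment_offset */
    uint32_t frag_len;               /* fragment_length */
    const uint8_t *data;             /* fragment body */
    size_t   data_len;               /* bytes actually present after the header */
};

struct dtls_reasm {
    int active;
    uint16_t seq; uint8_t htype; uint32_t msg_len;
    uint32_t covered;                /* distinct message bytes received so far */
    uint8_t buf[DTLS_MAX_HS_MSG];
    uint8_t have[DTLS_MAX_HS_MSG];   /* 1 once buf[i] has been filled */
};

enum { REASM_REJECT = -1, REASM_MORE = 0, REASM_DONE = 1 };

struct dtls_frag mk_frag(uint16_t seq, uint8_t htype, uint32_t msg_len,
                         uint32_t off, uint32_t len, const uint8_t *data, size_t data_len)
{
    struct dtls_frag f = { seq, htype, msg_len, off, len, data, data_len };
    return f;
}

int dtls_reasm_add(struct dtls_reasm *r, const struct dtls_frag *f)
{
    /* stateless header checks first */
    if (f->msg_len > DTLS_MAX_HS_MSG)            return REASM_REJECT; /* array bound */
    if (f->frag_len > f->data_len)               return REASM_REJECT; /* frag_size > data_size */
    if (f->frag_len > f->msg_len)                return REASM_REJECT; /* also catches length == 0 with a body */
    if (f->frag_off > f->msg_len - f->frag_len)  return REASM_REJECT; /* end past message, no wraparound */

    if (!r->active) {
        memset(r, 0, sizeof *r);
        r->active = 1; r->seq = f->seq; r->htype = f->htype; r->msg_len = f->msg_len;
    } else if (f->seq != r->seq || f->htype != r->htype || f->msg_len != r->msg_len) {
        return REASM_REJECT;    /* different message, or inconsistent message_length */
    }

    for (uint32_t i = 0; i < f->frag_len; i++) {
        uint32_t pos = f->frag_off + i;       /* < msg_len <= DTLS_MAX_HS_MSG by the checks above */
        if (!r->have[pos]) { r->have[pos] = 1; r->covered++; }
        r->buf[pos] = f->data[i];
    }
    /* completion is decided by coverage, so a 0-length fragment never
     * completes a non-empty message, while an empty message completes at once */
    return r->covered == r->msg_len ? REASM_DONE : REASM_MORE;
}

int main(void)
{
    static const uint8_t body[] = "HELLO WORLD";   /* constructed 11-byte handshake body */
    struct dtls_reasm r; memset(&r, 0, sizeof r);
    struct dtls_frag a    = mk_frag(3, 1, 11, 0, 6, body, 6);
    struct dtls_frag b    = mk_frag(3, 1, 11, 6, 5, body + 6, 5);
    struct dtls_frag wrap = mk_frag(3, 1, 11, 0xFFFFFFF0u, 5, body, 5);  /* offset that would wrap */
    struct dtls_frag lies = mk_frag(3, 1, 20, 6, 5, body + 6, 5);        /* inconsistent message_length */
    printf("first half: %d\n", dtls_reasm_add(&r, &a));
    printf("wrapping offset: %d\n", dtls_reasm_add(&r, &wrap));
    printf("inconsistent length: %d\n", dtls_reasm_add(&r, &lies));
    printf("second half: %d -> %.*s\n", dtls_reasm_add(&r, &b), (int)r.msg_len, r.buf);
    return 0;
}
```

Once dtls_reasm_add returns REASM_DONE the caller consumes buf and zeroes the struct before the next message; buffering several in-flight messages, as the real stack must, is just an array of these keyed by seq, which is exactly why two packets with the same seq but different handshake types have to be dropped before they reach this point.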