URI/SRV SAN did not suppress CN fallback as required by RFC 6125 6.4.4:
> a client MUST NOT seek a match for a reference identifier of CN-ID
> if the presented identifiers include a DNS-ID, *SRV-ID*, *URI-ID*,
> or any application-specific identifier types supported by the client.
With this change, certificates containing URI or SRV SAN
no longer pass DNS hostname checks via CN fallback
to avoid potential misuse of such certificates
beyond their original purpose.
Reported-by: Oleh Konko <security@1seal.org>
Fixes: #1802
Fixes: CVE-2026-42012
Fixes: GNUTLS-SA-2026-04-29-7
CVSS: 6.5 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
* that we do not fallback to CN-ID if we encounter a supported name
* type.
*/
-#define PRECLUDES_CN_FALLBACK(san) \
- (san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS)
+#define PRECLUDES_CN_FALLBACK(san) \
+ (san == GNUTLS_SAN_DNSNAME || san == GNUTLS_SAN_IPADDRESS || \
+ san == GNUTLS_SAN_URI || san == GNUTLS_SAN_OTHERNAME_SRV)
/**
* gnutls_x509_crt_check_hostname2:
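Review bot: The widened PRECLUDES_CN_FALLBACK macro needs a regression test and a comment update to go with it: add a test certificate that carries only a URI SAN (and one with only an SRV otherName) plus a CN matching the requested hostname, and assert that the hostname check now fails, since that is exactly the case the commit message says must no longer pass; the comment above the macro ("we do not fallback to CN-ID if we encounter a supported name type") should also spell out which SAN kinds count so the next reader does not have to reconstruct the RFC 6125 6.4.4 list from the macro body. With four name types in one OR chain, a switch over `san` with explicit cases would also read more clearly than extending the macro again.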