CVS commit: pkgsrc/security/gnutls

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Apr 30 05:33:43 UTC 2026

Modified Files:
        pkgsrc/security/gnutls: Makefile PLIST distinfo options.mk

Log Message:
gnutls: update to 3.8.13.

* Version 3.8.13 (released 2026-04-29)

** libgnutls: Add more checks to DTLS reassembly
   Previously, gnutls didn't check that DTLS fragments claimed
   a consistent message_length value.
   Additionally, a crucial array size check was missing,
   enabling an attacker to cause a heap overwrite.
   Reject fragments with mismatching length and add a missing boundary check.
   Independently reported by
   Haruto Kimura (Stella), Oscar Reparaz and Zou Dikai.
   [GNUTLS-SA-2026-04-29-1, CVSS: high] [CVE-2026-33846]

** libgnutls: Fix qsort comparator in DTLS reassembly
   The comparator function used for ordering DTLS packets
   by sequence numbers did not follow qsort comparator contracts
   in case of packets with duplicate sequence numbers,
   which could lead to unstable ordering or undefined behaviour.
   Return 0 in such cases makes the sorting stable.
   Additionally, discard packets with same sequence numbers
   and differing handshake type,
   so that they don't end up being sorted in the first place.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-2, CVSS: high] [CVE-2026-42009]

** libgnutls: Fix crashing on an underflow with a DTLS datagram
   A remotely triggerable underflow in the DTLS reassembly code led to
   a heap overrun.
   Prevent the underflow from happening.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-3, CVSS: high] [CVE-2026-33845]

** libgnutls: Fix RSA-PSK identity truncation
   Servers configured with RSA-PSK have wrongfully matched usernames with NUL
   character in them to ones truncated to NUL character,
   which could lead to an authentication bypass.
   Fix the check to perform comparison up to the full username length.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-4, CVSS: high] [CVE-2026-42010]

** libgnutls: Fix case-sensitivity of domain name comparison in name constraints
   Domain name comparison during name constraints processing
   was case-sensitive, violating RFC 5280 section 7.2.
   For excluded name constraints, this could lead to
   incorrectly accepting domain names that should've been rejected.
   DNS name comparison and the domain part of email names
   now perform case-insensitive comparison.
   Independently reported by Oleh Konko (1seal) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-5, CVSS: high] [CVE-2026-3833]

** libgnutls: Fix intersecting empty constraints
   Permitted name constraints were wrongfully ignored
   when prior CAs only had excluded name constraints,
   resulting in a name constraint bypass.
   Reported by Haruto Kimura (Stella).
   [GNUTLS-SA-2026-04-29-6, CVSS: medium] [CVE-2026-42011]

** libgnutls: Suppress CN fallback in presence of URI and SRV SAN
   Certificates containing URI or SRV Subject Alternative Names
   no longer fall back to checking DNS hostnames against Common Name
   to avoid potential misuse of such certificates
   beyond their original purpose.
   Reported by Oleh Konko (1seal).
   [GNUTLS-SA-2026-04-27-7, CVSS: medium] [CVE-2026-42012]

** libgnutls: Suppress CN fallback for oversized SAN
   Validation of certificates with oversized Subject Alternative Names
   no longer falls back to checking DNS hostnames against Common Name.
   Independently reported by Haruto Kimura (Stella) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-27-8, CVSS: medium] [CVE-2026-42013]

** libgnutls: Fix use-after-free in gnutls_pkcs11_token_set_pin
   Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin()
   with oldpin == NULL for a token lacking a protected authentication path
   led to a use-after-free.
   Reported by Luigino Camastra and Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-9, CVSS: medium] [CVE-2026-42014]

** libgnutls: Fix overread in RSA key exchange with PKCS#11 keys
   For a server using an RSA key backed by a PKCS#11 token,
   a client sending an extremely short premaster secret
   during an RSA key exchange could trigger a short heap overread.
   Reported by Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-10, CVSS: medium] [CVE-2026-5260]

** libgnutls: Fix off-by-one in PKCS#12 bag element bounds check
   Appending to a PKCS#12 bag that already contained 32 elements
   could write past the bag's internal array.
   Reported by Zou Dikai.
   [GNUTLS-SA-2026-04-29-11, CVSS: low] [CVE-2026-42015]

** libgnutls: Fix multi-entry OCSP response revocation bypass
   When validating a certificate against a multi-entry OCSP response,
   the revocation status was always checked for the first entry
   instead of the entry matching the certificate,
   which could lead to accepting revoked certificates.
   Independently reported by Oleh Konko (1seal) and
   Joshua Rogers of AISLE Research Team.
   [GNUTLS-SA-2026-04-29-12, CVSS: low] [CVE-2026-3832]

** libgnutls: Fix timing side-channel in PKCS#7 padding removal
   The PKCS#7 padding check performed during decryption was not constant-time,
   potentially leaking information about the padding bytes
   through timing differences.
   Rewritten to remove padding in a branch-free manner.
   Reported by Doria Tang of Stony Brook University.
   [GNUTLS-SA-2026-04-29-13, CVSS: low] [CVE-2026-5419]

** libgnutls: Fix PSK username comparison during rehandshake
   Rehandshaking to a username with embedded NUL character could theoretically
   allow bypassing the GNUTLS_ALLOW_ID_CHANGE protection (#1808).
   Reported and fixed by Joshua Rogers of AISLE Research Team.

** libgnutls: Fix OID length check for OCSP delegated signer EKU
   The OCSP signing EKU OID was compared without verifying its length,
   allowing a shorter OID that shares the same prefix to match.
   The check now verifies the length as well (#1810).
   Reported by Joshua Rogers of AISLE Research Team.

** libgnutls: Fix AES keys persisting with pkcs11-provider
   When using the pkcs11-provider, AES keys used for cipher operations
   were created as persistent objects and accumulating.
   They are now ephemeral (#1813).

** libgnutls: Fix missing RSA key coprimality check in verify_params
   gnutls_privkey_verify_params overlooked the scenario of p and q
   not being co-prime.
   It now returns GNUTLS_E_PK_INVALID_PRIVKEY in this case (#1818).
   Reported by Kamil Frankowicz.

** libgnutls: Fix overread when parsing OpenSSL PEM private keys
   Insufficient bounds checking on the PEM header length could lead
   to short heap overreads on specially crafted inputs (#1854).
   Independently reported by Kamil Frankowicz and
   Joshua Rogers of AISLE Research Team.

** libgnutls: Fix a theoretical double-free during certificate import
   If gnutls_x509_crt_list_import_pkcs11 failed partway through,
   the trust list cleanup code would try to free already-deinitialized
   certificate entries, leading to a double-free (#1819).
   Reported by Joshua Rogers of AISLE Research Team.

** libgnutls: Fix heap overread in SCT extension parser
   The list-length validation didn't account for the 2-byte length field,
   allowing a specially crafted SCT extension to cause
   a 2-byte overread past the buffer (#1822).
   Reported by Joshua Rogers of AISLE Research Team.

** libgnutls: Zeroize shared secret derived during hybrid key exchange
   The derived shared secret was not zeroized before being freed (#1841).
   Reported by liyue.

** build: Support building with Nettle 4.0
   Nettle 4.0 was released in Feburary 2026, with API incompatibile
   changes from 3.10. The library can now compile with it, while
   Nettle 3.10 is still supported (#1791).

** libgnutls: Support deriving ML-DSA public key from an expanded private key
   RFC 9881 defines 3 private key formats for ML-DSA: "seed",
   "expandedKey" and both. It is now possible to derive a public key
   from a private key in the "expandedKey" format (#1723).

** libgnutls: Fix loading BIT STRING encoded EdDSA key from PKCS#11
   For compatibility reasons, the library supports two formats for
   EdDSA private keys: either ASN.1 BIT STRING (raw) or OCTET STRING
   (DER). Previously, loading a private key in the former format
   resulted in a failure, which is now fixed (#1749).

** libgnutls: HPKE (RFC 9180) is now supported as a technology preview
   The Hybrid Public Key Encryption (HPKE) is a flexible cryptographic
   protocol which enables to encrypt arbitrary data to a recipient, by
   combining key encapsulation mechanism (KEM) and authenticated
   encryption with additional data (AEAD). GnuTLS now includes the
   implementation contributed by David Dudas. Given this is a
   technology preview, the implementation and the API might suffer
   modification in the following period. Use --enable-hpke to turn on
   this feature (#1506).

** libgnutls: Fix TLS 1.3 client certificate selection
   For servers that send a signature_algorithms extension in CertificateRequest
   with new rsa_pss_rsae_* algorithms and without the legacy rsa_pkcs1_* ones,
   the client now properly considers RSA when selecting a certificate to send.
   This fixes TLS 1.3 interoperability with newer Java servers
   when using client certificates.
   Contributed by Romain Tartière (#1842).

** libgnutls: Fix kTLS ChaCha20-Poly1305 IV for TLS 1.2
   When using kTLS with ChaCha20-Poly1305 under TLS 1.2,
   an incorrect value was passed as the IV to the kernel,
   causing connections to fail early.

** libgnutls: Allow fetching object type metadata for PKCS#11 keys
   A new library function, gnutls_pkcs11_obj_get_pk_algorithm,
   has been added to check the public key algorithms of PKCS#11 key objects.
   Object types other than CKO_PRIVATE_KEY are currently not supported.
   Contributed by Ghadi Elie Rahme (!2074).

** API and ABI modifications:
gnutls_hpke_kem_t: New enum
gnutls_hpke_kdf_t: New enum
gnutls_hpke_aead_t: New enum
gnutls_hpke_mode_t: New enum
gnutls_hpke_role_t: New enum
gnutls_hpke_context_st: New context structure
gnutls_hpke_init: New function
gnutls_hpke_deinit: New function
gnutls_hpke_encap: New function
gnutls_hpke_seal: New function
gnutls_hpke_decap: New function
gnutls_hpke_open: New function
gnutls_hpke_derive_keypair: New function
gnutls_hpke_export: New function
gnutls_pkcs11_obj_get_pk_algorithm: New function


To generate a diff of this commit:
cvs rdiff -u -r1.274 -r1.275 pkgsrc/security/gnutls/Makefile
cvs rdiff -u -r1.84 -r1.85 pkgsrc/security/gnutls/PLIST
cvs rdiff -u -r1.172 -r1.173 pkgsrc/security/gnutls/distinfo
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/gnutls/options.mk

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/gnutls/Makefile
diff -u pkgsrc/security/gnutls/Makefile:1.274 pkgsrc/security/gnutls/Makefile:1.275
--- pkgsrc/security/gnutls/Makefile:1.274       Mon Feb  9 19:35:36 2026
+++ pkgsrc/security/gnutls/Makefile     Thu Apr 30 05:33:42 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.274 2026/02/09 19:35:36 adam Exp $
+# $NetBSD: Makefile,v 1.275 2026/04/30 05:33:42 wiz Exp $
 
-DISTNAME=      gnutls-3.8.12
+DISTNAME=      gnutls-3.8.13
 CATEGORIES=    security devel
 MASTER_SITES=  ${MASTER_SITE_GNUPG:=gnutls/v${PKGVERSION_NOREV:R}/}
 EXTRACT_SUFX=  .tar.xz
@@ -36,8 +36,8 @@ CONFIGURE_ARGS.FreeBSD+=      ac_cv_type_max_
 
 .include "options.mk"
 
-# Failures on NetBSD 11 as of 3.8.11:
-# test-parse-datetime, test-realloc-posix
+# Failures on NetBSD 11 as of 3.8.13:
+# test-parse-datetime
 TEST_TARGET=           check
 
 INFO_FILES=            yes

Index: pkgsrc/security/gnutls/PLIST
diff -u pkgsrc/security/gnutls/PLIST:1.84 pkgsrc/security/gnutls/PLIST:1.85
--- pkgsrc/security/gnutls/PLIST:1.84   Thu Nov 20 20:55:29 2025
+++ pkgsrc/security/gnutls/PLIST        Thu Apr 30 05:33:42 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.84 2025/11/20 20:55:29 wiz Exp $
+@comment $NetBSD: PLIST,v 1.85 2026/04/30 05:33:42 wiz Exp $
 bin/certtool
 bin/gnutls-cli
 bin/gnutls-cli-debug
@@ -12,6 +12,7 @@ include/gnutls/crypto.h
 include/gnutls/dtls.h
 include/gnutls/gnutls.h
 include/gnutls/gnutlsxx.h
+include/gnutls/hpke.h
 include/gnutls/ocsp.h
 include/gnutls/openpgp.h
 include/gnutls/pkcs11.h
@@ -346,6 +347,14 @@ man/man3/gnutls_hmac_get_len.3
 man/man3/gnutls_hmac_init.3
 man/man3/gnutls_hmac_output.3
 man/man3/gnutls_hmac_set_nonce.3
+man/man3/gnutls_hpke_decap.3
+man/man3/gnutls_hpke_deinit.3
+man/man3/gnutls_hpke_derive_keypair.3
+man/man3/gnutls_hpke_encap.3
+man/man3/gnutls_hpke_export.3
+man/man3/gnutls_hpke_init.3
+man/man3/gnutls_hpke_open.3
+man/man3/gnutls_hpke_seal.3
 man/man3/gnutls_idna_map.3
 man/man3/gnutls_idna_reverse_map.3
 man/man3/gnutls_init.3
@@ -465,6 +474,7 @@ man/man3/gnutls_pkcs11_obj_flags_get_str
 man/man3/gnutls_pkcs11_obj_get_exts.3
 man/man3/gnutls_pkcs11_obj_get_flags.3
 man/man3/gnutls_pkcs11_obj_get_info.3
+man/man3/gnutls_pkcs11_obj_get_pk_algorithm.3
 man/man3/gnutls_pkcs11_obj_get_ptr.3
 man/man3/gnutls_pkcs11_obj_get_type.3
 man/man3/gnutls_pkcs11_obj_import_url.3

Index: pkgsrc/security/gnutls/distinfo
diff -u pkgsrc/security/gnutls/distinfo:1.172 pkgsrc/security/gnutls/distinfo:1.173
--- pkgsrc/security/gnutls/distinfo:1.172       Thu Mar 19 17:29:37 2026
+++ pkgsrc/security/gnutls/distinfo     Thu Apr 30 05:33:42 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.172 2026/03/19 17:29:37 jperkin Exp $
+$NetBSD: distinfo,v 1.173 2026/04/30 05:33:42 wiz Exp $
 
-BLAKE2s (gnutls-3.8.12.tar.xz) = 9955320f8dff9824a2a33c46533b0d889a3d8336de4b6fb02f92a49187f2b072
-SHA512 (gnutls-3.8.12.tar.xz) = 332a8e5200461517c7f08515e3aaab0bec6222747422e33e9e7d25d35613e3d0695a803fce226bd6a83f723054f551328bd99dcf0573e142be777dcf358e1a3b
-Size (gnutls-3.8.12.tar.xz) = 6949604 bytes
+BLAKE2s (gnutls-3.8.13.tar.xz) = 8b5813133f08bd3014e84efda901eaa67c2edd5b2b93809675a9c5e0cec7c634
+SHA512 (gnutls-3.8.13.tar.xz) = 71bf189a836fd18d58b9e995d4bfcecdb0aae6129dfd44247b98422b2f127dd868f9905d28fad2ca05afd919a0e6b3c8eebb6b95804067d3a8dab31ebdc72453
+Size (gnutls-3.8.13.tar.xz) = 7275324 bytes
 SHA1 (patch-configure) = 866d8a365b8338348230e47518788f494279b139
 SHA1 (patch-doc_examples_tlsproxy_tlsproxy.c) = 5062df3a73e69abca25710d016b949eef62af453
 SHA1 (patch-lib_crau_crau.h) = 751202b8eab1ef903faba6fc4281e75f1d394a66

Index: pkgsrc/security/gnutls/options.mk
diff -u pkgsrc/security/gnutls/options.mk:1.8 pkgsrc/security/gnutls/options.mk:1.9
--- pkgsrc/security/gnutls/options.mk:1.8       Mon Feb  9 19:35:36 2026
+++ pkgsrc/security/gnutls/options.mk   Thu Apr 30 05:33:43 2026
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.8 2026/02/09 19:35:36 adam Exp $
+# $NetBSD: options.mk,v 1.9 2026/04/30 05:33:43 wiz Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.gnutls
 PKG_SUPPORTED_OPTIONS= brotli dane pkcs11 zstd
@@ -18,6 +18,7 @@ PLIST_VARS+=  pkcs11
 .if !empty(PKG_OPTIONS:Mpkcs11)
 PLIST.pkcs11=  yes
 BUILDLINK_API_DEPENDS.p11-kit+=        p11-kit>=0.23.1
+PRINT_PLIST_AWK+=      { gsub(/^bin\/p11tool/, "$${PLIST.pkcs11}&"); }
 .include "../../security/p11-kit/buildlink3.mk"
 .else
 CONFIGURE_ARGS+=       --without-p11-kit