From 77228f2d1ac207d2f894e5a168fbb47e5378e42f Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 30 Mar 2026 17:31:07 +0200
Subject: lib/auth/rsa: check that ciphertext matches the modulus size

A client sending extremely short premaster secret as part of an
RSA key exchange could've theoretically triggered a short heap overread
to nowhere when the RSA key was backed with a PKCS#11 token.
With this fix, the internal decryption function will not be called
with an mismatching plaintext length specified, avoiding the overread.

Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1814
Fixes: CVE-2026-5260
Fixes: GNUTLS-SA-2026-04-29-10
CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
 lib/auth/rsa.c     | 5 +++++
 lib/auth/rsa_psk.c | 5 +++++
 2 files changed, 10 insertions(+)

From cf6bdc5e4df49e5583d3fb4d2296779785f10683 Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 30 Mar 2026 17:46:40 +0200
Subject: [PATCH] lib/pkcs11_privkey: guard against overreading on short
 ciphertexts

This is an alternative fix for the callee side.

Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Fixes: #1814
Fixes: CVE-2026-5260
Fixes: GNUTLS-SA-2026-04-29-10
CVSS: 5.9 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
 lib/pkcs11_privkey.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: gnutls-3.8.10/lib/auth/rsa.c
===================================================================
--- gnutls-3.8.10.orig/lib/auth/rsa.c
+++ gnutls-3.8.10/lib/auth/rsa.c
@@ -158,6 +158,7 @@ static int proc_rsa_client_kx(gnutls_ses
 	int ret, dsize;
 	ssize_t data_size = _data_size;
 	volatile uint8_t ver_maj, ver_min;
+	unsigned int key_bits;
 
 #ifdef ENABLE_SSL3
 	if (get_num_version(session) == GNUTLS_SSL3) {
@@ -180,6 +181,10 @@ static int proc_rsa_client_kx(gnutls_ses
 		}
 		ciphertext.size = dsize;
 	}
+	gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
+					&key_bits);
+	if (ciphertext.size != (key_bits + 7) / 8)
+		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
 
 	ver_maj = _gnutls_get_adv_version_major(session);
 	ver_min = _gnutls_get_adv_version_minor(session);
Index: gnutls-3.8.10/lib/auth/rsa_psk.c
===================================================================
--- gnutls-3.8.10.orig/lib/auth/rsa_psk.c
+++ gnutls-3.8.10/lib/auth/rsa_psk.c
@@ -257,6 +257,7 @@ static int _gnutls_proc_rsa_psk_client_k
 	ssize_t data_size = _data_size;
 	gnutls_psk_server_credentials_t cred;
 	volatile uint8_t ver_maj, ver_min;
+	unsigned int rsa_key_bits;
 
 	cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(
 		session, GNUTLS_CRD_PSK);
@@ -313,6 +314,10 @@ static int _gnutls_proc_rsa_psk_client_k
 		return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
 	}
 	ciphertext.size = dsize;
+	gnutls_privkey_get_pk_algorithm(session->internals.selected_key,
+					&rsa_key_bits);
+	if (ciphertext.size != (rsa_key_bits + 7) / 8)
+		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
 
 	ver_maj = _gnutls_get_adv_version_major(session);
 	ver_min = _gnutls_get_adv_version_minor(session);
Index: gnutls-3.8.10/lib/pkcs11_privkey.c
===================================================================
--- gnutls-3.8.10.orig/lib/pkcs11_privkey.c
+++ gnutls-3.8.10/lib/pkcs11_privkey.c
@@ -826,7 +826,7 @@ int _gnutls_pkcs11_privkey_decrypt_data2
 	if (ret != 0)
 		return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
 
-	buffer = gnutls_malloc(siglen);
+	buffer = gnutls_malloc(MAX((size_t)siglen, plaintext_size));
 	if (!buffer) {
 		gnutls_assert();
 		return GNUTLS_E_MEMORY_ERROR;