mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
c49bff1273
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 Backport patches from the PR[1][2][3] mentioned in the changelog[4]. [1] https://github.com/wolfSSL/wolfssl/pull/8849 [2] https://github.com/wolfSSL/wolfssl/pull/8867 [3] https://github.com/wolfSSL/wolfssl/pull/8898 [4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
126 lines
4.2 KiB
Diff
126 lines
4.2 KiB
Diff
From 62a3a4f0b8b307bdacc34204db44627521de4bf9 Mon Sep 17 00:00:00 2001
|
|
From: JacobBarthelmeh <jacob@wolfssl.com>
|
|
Date: Tue, 10 Jun 2025 14:15:38 -0600
|
|
Subject: [PATCH] add mutex locking and compat layer FIPS case
|
|
|
|
CVE: CVE-2025-7394
|
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a]
|
|
(cherry picked from commit fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a)
|
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
|
---
|
|
src/ssl.c | 62 +++++++++++++++++++++++++++----------------------------
|
|
1 file changed, 31 insertions(+), 31 deletions(-)
|
|
|
|
diff --git a/src/ssl.c b/src/ssl.c
|
|
index 872aed594..f0186b253 100644
|
|
--- a/src/ssl.c
|
|
+++ b/src/ssl.c
|
|
@@ -23603,6 +23603,12 @@ static int wolfSSL_RAND_InitMutex(void)
|
|
|
|
#ifdef OPENSSL_EXTRA
|
|
|
|
+#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
+/* In older FIPS bundles add check for reseed here since it does not exist in
|
|
+ * the older random.c certified files. */
|
|
+static pid_t currentRandPid = 0;
|
|
+#endif
|
|
+
|
|
/* Checks if the global RNG has been created. If not then one is created.
|
|
*
|
|
* Returns WOLFSSL_SUCCESS when no error is encountered.
|
|
@@ -23616,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
|
|
ret = wc_InitRng(&globalRNG);
|
|
if (ret == 0) {
|
|
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
|
|
- FIPS_VERSION3_LT(6,0,0)))
|
|
- currentPid = getpid();
|
|
+ FIPS_VERSION3_LT(6,0,0)
|
|
+ currentRandPid = getpid();
|
|
#endif
|
|
initGlobalRNG = 1;
|
|
ret = WOLFSSL_SUCCESS;
|
|
@@ -24049,28 +24055,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
|
|
return ret;
|
|
}
|
|
|
|
-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
|
|
-/* In older FIPS bundles add check for reseed here since it does not exist in
|
|
- * the older random.c certified files. */
|
|
-static pid_t currentPid = 0;
|
|
-
|
|
-/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
|
|
-static int RandCheckReSeed()
|
|
-{
|
|
- int ret = WOLFSSL_SUCCESS;
|
|
- pid_t p;
|
|
-
|
|
- p = getpid();
|
|
- if (p != currentPid) {
|
|
- currentPid = p;
|
|
- if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
|
|
- ret = WOLFSSL_FAILURE;
|
|
- }
|
|
- }
|
|
- return ret;
|
|
-}
|
|
-#endif
|
|
-
|
|
/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
|
|
* on failure */
|
|
int wolfSSL_RAND_bytes(unsigned char* buf, int num)
|
|
@@ -24114,17 +24098,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
|
|
* have the lock.
|
|
*/
|
|
if (initGlobalRNG) {
|
|
- rng = &globalRNG;
|
|
-
|
|
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
|
|
- FIPS_VERSION3_LT(6,0,0)))
|
|
- if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
|
|
+ FIPS_VERSION3_LT(6,0,0)
|
|
+ pid_t p;
|
|
+
|
|
+ p = getpid();
|
|
+ if (p != currentRandPid) {
|
|
wc_UnLockMutex(&globalRNGMutex);
|
|
- WOLFSSL_MSG("Issue with check pid and reseed");
|
|
- return ret;
|
|
+ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
|
|
+ WOLFSSL_MSG("Issue with check pid and reseed");
|
|
+ ret = WOLFSSL_FAILURE;
|
|
+ }
|
|
+
|
|
+ /* reclaim lock after wolfSSL_RAND_poll */
|
|
+ if (wc_LockMutex(&globalRNGMutex) != 0) {
|
|
+ WOLFSSL_MSG("Bad Lock Mutex rng");
|
|
+ return ret;
|
|
+ }
|
|
+ currentRandPid = p;
|
|
}
|
|
#endif
|
|
-
|
|
+ rng = &globalRNG;
|
|
used_global = 1;
|
|
}
|
|
else {
|
|
@@ -24201,6 +24195,11 @@ int wolfSSL_RAND_poll(void)
|
|
}
|
|
else {
|
|
#ifdef HAVE_HASHDRBG
|
|
+ if (wc_LockMutex(&globalRNGMutex) != 0) {
|
|
+ WOLFSSL_MSG("Bad Lock Mutex rng");
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
|
|
if (ret != 0) {
|
|
WOLFSSL_MSG("Error reseeding DRBG");
|
|
@@ -24209,6 +24208,7 @@ int wolfSSL_RAND_poll(void)
|
|
else {
|
|
ret = WOLFSSL_SUCCESS;
|
|
}
|
|
+ wc_UnLockMutex(&globalRNGMutex);
|
|
#else
|
|
WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
|
|
ret = WOLFSSL_FAILURE;
|