mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
c49bff1273
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 Backport patches from the PR[1][2][3] mentioned in the changelog[4]. [1] https://github.com/wolfSSL/wolfssl/pull/8849 [2] https://github.com/wolfSSL/wolfssl/pull/8867 [3] https://github.com/wolfSSL/wolfssl/pull/8898 [4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
86 lines
3.1 KiB
Diff
86 lines
3.1 KiB
Diff
From d7a68e85ebe4705e7345b0e5012c806615cd86c7 Mon Sep 17 00:00:00 2001
|
|
From: JacobBarthelmeh <jacob@wolfssl.com>
|
|
Date: Tue, 10 Jun 2025 16:12:09 -0600
|
|
Subject: [PATCH] add a way to restore previous pid behavior
|
|
|
|
CVE: CVE-2025-7394
|
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a]
|
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
|
---
|
|
src/ssl.c | 11 ++++++-----
|
|
wolfcrypt/src/random.c | 4 ++--
|
|
wolfssl/wolfcrypt/random.h | 2 +-
|
|
3 files changed, 9 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/src/ssl.c b/src/ssl.c
|
|
index f0186b253..e214fa504 100644
|
|
--- a/src/ssl.c
|
|
+++ b/src/ssl.c
|
|
@@ -23603,7 +23603,8 @@ static int wolfSSL_RAND_InitMutex(void)
|
|
|
|
#ifdef OPENSSL_EXTRA
|
|
|
|
-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
/* In older FIPS bundles add check for reseed here since it does not exist in
|
|
* the older random.c certified files. */
|
|
static pid_t currentRandPid = 0;
|
|
@@ -23621,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
|
|
if (initGlobalRNG == 0) {
|
|
ret = wc_InitRng(&globalRNG);
|
|
if (ret == 0) {
|
|
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
|
|
- FIPS_VERSION3_LT(6,0,0)
|
|
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
currentRandPid = getpid();
|
|
#endif
|
|
initGlobalRNG = 1;
|
|
@@ -24098,8 +24099,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
|
|
* have the lock.
|
|
*/
|
|
if (initGlobalRNG) {
|
|
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
|
|
- FIPS_VERSION3_LT(6,0,0)
|
|
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
pid_t p;
|
|
|
|
p = getpid();
|
|
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
|
|
index b440e274b..dc89db542 100644
|
|
--- a/wolfcrypt/src/random.c
|
|
+++ b/wolfcrypt/src/random.c
|
|
@@ -1599,7 +1599,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
|
|
#else
|
|
rng->heap = heap;
|
|
#endif
|
|
-#ifdef HAVE_GETPID
|
|
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
|
|
rng->pid = getpid();
|
|
#endif
|
|
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
|
|
@@ -1968,7 +1968,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
|
|
if (rng->status != DRBG_OK)
|
|
return RNG_FAILURE_E;
|
|
|
|
-#ifdef HAVE_GETPID
|
|
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
|
|
if (rng->pid != getpid()) {
|
|
rng->pid = getpid();
|
|
ret = PollAndReSeed(rng);
|
|
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
|
|
index f472e1f40..320641548 100644
|
|
--- a/wolfssl/wolfcrypt/random.h
|
|
+++ b/wolfssl/wolfcrypt/random.h
|
|
@@ -183,7 +183,7 @@ struct WC_RNG {
|
|
#endif
|
|
byte status;
|
|
#endif
|
|
-#ifdef HAVE_GETPID
|
|
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
|
|
pid_t pid;
|
|
#endif
|
|
#ifdef WOLFSSL_ASYNC_CRYPT
|