Files

86 lines
3.1 KiB
Diff

From d7a68e85ebe4705e7345b0e5012c806615cd86c7 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 10 Jun 2025 16:12:09 -0600
Subject: [PATCH] add a way to restore previous pid behavior
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a]
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 11 ++++++-----
wolfcrypt/src/random.c | 4 ++--
wolfssl/wolfcrypt/random.h | 2 +-
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index f0186b253..e214fa504 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -23603,7 +23603,8 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA
-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentRandPid = 0;
@@ -23621,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
if (initGlobalRNG == 0) {
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
currentRandPid = getpid();
#endif
initGlobalRNG = 1;
@@ -24098,8 +24099,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
* have the lock.
*/
if (initGlobalRNG) {
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
pid_t p;
p = getpid();
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index b440e274b..dc89db542 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1599,7 +1599,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
#else
rng->heap = heap;
#endif
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
rng->pid = getpid();
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
@@ -1968,7 +1968,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
if (rng->status != DRBG_OK)
return RNG_FAILURE_E;
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
if (rng->pid != getpid()) {
rng->pid = getpid();
ret = PollAndReSeed(rng);
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index f472e1f40..320641548 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -183,7 +183,7 @@ struct WC_RNG {
#endif
byte status;
#endif
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
pid_t pid;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT