Files

49 lines
2.0 KiB
Diff

From aaad0035e4e795b8b225bd481e3942de015a362d Mon Sep 17 00:00:00 2001
From: Chris Conlon <chris@wolfssl.com>
Date: Wed, 18 Jun 2025 16:57:02 -0600
Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to
old FIPS bundles that do not have older random.c files
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73
(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index e214fa504..e538233fc 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -23604,7 +23604,7 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST))
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentRandPid = 0;
@@ -23623,7 +23623,9 @@ int wolfSSL_RAND_Init(void)
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
+ defined(HAVE_SELFTEST))
+
currentRandPid = getpid();
#endif
initGlobalRNG = 1;
@@ -24100,7 +24102,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
*/
if (initGlobalRNG) {
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
+ defined(HAVE_SELFTEST))
pid_t p;
p = getpid();