mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
c49bff1273
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394 Backport patches from the PR[1][2][3] mentioned in the changelog[4]. [1] https://github.com/wolfSSL/wolfssl/pull/8849 [2] https://github.com/wolfSSL/wolfssl/pull/8867 [3] https://github.com/wolfSSL/wolfssl/pull/8898 [4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
49 lines
2.0 KiB
Diff
49 lines
2.0 KiB
Diff
From aaad0035e4e795b8b225bd481e3942de015a362d Mon Sep 17 00:00:00 2001
|
|
From: Chris Conlon <chris@wolfssl.com>
|
|
Date: Wed, 18 Jun 2025 16:57:02 -0600
|
|
Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to
|
|
old FIPS bundles that do not have older random.c files
|
|
|
|
CVE: CVE-2025-7394
|
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73
|
|
(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73)
|
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
|
---
|
|
src/ssl.c | 9 ++++++---
|
|
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/ssl.c b/src/ssl.c
|
|
index e214fa504..e538233fc 100644
|
|
--- a/src/ssl.c
|
|
+++ b/src/ssl.c
|
|
@@ -23604,7 +23604,7 @@ static int wolfSSL_RAND_InitMutex(void)
|
|
#ifdef OPENSSL_EXTRA
|
|
|
|
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST))
|
|
/* In older FIPS bundles add check for reseed here since it does not exist in
|
|
* the older random.c certified files. */
|
|
static pid_t currentRandPid = 0;
|
|
@@ -23623,7 +23623,9 @@ int wolfSSL_RAND_Init(void)
|
|
ret = wc_InitRng(&globalRNG);
|
|
if (ret == 0) {
|
|
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
|
|
+ defined(HAVE_SELFTEST))
|
|
+
|
|
currentRandPid = getpid();
|
|
#endif
|
|
initGlobalRNG = 1;
|
|
@@ -24100,7 +24102,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
|
|
*/
|
|
if (initGlobalRNG) {
|
|
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
|
|
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
|
|
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
|
|
+ defined(HAVE_SELFTEST))
|
|
pid_t p;
|
|
|
|
p = getpid();
|