wolfssl: patch CVE-2025-7394

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7394

Backport patches from the PRs [1][2][3] mentioned in the changelog [4].

[1] https://github.com/wolfSSL/wolfssl/pull/8849
[2] https://github.com/wolfSSL/wolfssl/pull/8867
[3] https://github.com/wolfSSL/wolfssl/pull/8898
[4] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025

Dropped changes to github workflow and tests during backport.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Ankur Tyagi 2026-02-25 07:54:12 +13:00 committed by Anuj Mittal
parent 4243e66245
commit ed8e7c6fb5
No known key found for this signature in database
GPG Key ID: 4340AEFE69F5085C
7 changed files with 632 additions and 0 deletions


@ -0,0 +1,46 @@
From 95f350e136ed89eadb1de68d82b7357b9078d167 Mon Sep 17 00:00:00 2001
From: Josh Holtrop <josh@wolfssl.com>
Date: Thu, 5 Jun 2025 19:48:34 -0400
Subject: [PATCH] Reseed DRBG in RAND_poll()
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0c12337194ee6dd082f082f0ccaed27fc4ee44f5]
(cherry picked from commit 0c12337194ee6dd082f082f0ccaed27fc4ee44f5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 0b74065fa..95739f098 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -26017,11 +26017,25 @@ int wolfSSL_RAND_poll(void)
return WOLFSSL_FAILURE;
}
ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
- if (ret != 0){
+ if (ret != 0) {
WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
ret = WOLFSSL_FAILURE;
- }else
- ret = WOLFSSL_SUCCESS;
+ }
+ else {
+#ifdef HAVE_HASHDRBG
+ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
+ if (ret != 0) {
+ WOLFSSL_MSG("Error reseeding DRBG");
+ ret = WOLFSSL_FAILURE;
+ }
+ else {
+ ret = WOLFSSL_SUCCESS;
+ }
+#else
+ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
+ ret = WOLFSSL_FAILURE;
+#endif
+ }
return ret;
}
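Review bot: The `entropy` buffer handed to `wc_RNG_DRBG_Reseed()` in the new `#ifdef HAVE_HASHDRBG` branch of `wolfSSL_RAND_poll()` is not wiped on any return path visible in this hunk, although it now holds material that was fed into the global DRBG. Its declaration is outside the hunk, so this assumes it is a local buffer; if so, a `ForceZero(entropy, entropy_sz);` before `return ret;` would clear it on both the success and the failure path. The retained message `"Bad wc_RNG_GenerateBlock"` also names the wrong call, since the function that failed at that point is `wc_GenerateSeed()`.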


@ -0,0 +1,276 @@
From baa7c51d9c4b788213c8b7ae51ea351222f0d06a Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 10 Jun 2025 12:49:08 -0600
Subject: [PATCH] add sanity checks on pid with RNG
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/31490ab813a5aac096f50800c26c690d8ae586d2]
(cherry picked from commit 31490ab813a5aac096f50800c26c690d8ae586d2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
CMakeLists.txt | 1 +
configure.ac | 4 +-
src/ssl.c | 40 +++++++++++-
wolfcrypt/src/random.c | 126 ++++++++++++++++++++++---------------
wolfssl/wolfcrypt/random.h | 3 +
5 files changed, 118 insertions(+), 56 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4abba9b8a..a2cd40b56 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -124,6 +124,7 @@ check_function_exists("memset" HAVE_MEMSET)
check_function_exists("socket" HAVE_SOCKET)
check_function_exists("strftime" HAVE_STRFTIME)
check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)
+check_function_exists("getpid" HAVE_GETPID)
include(CheckSymbolExists)
check_symbol_exists(isascii "ctype.h" HAVE_ISASCII)
diff --git a/configure.ac b/configure.ac
index 5d1357058..2b0ab1716 100644
--- a/configure.ac
+++ b/configure.ac
@@ -129,8 +129,8 @@ AC_CHECK_HEADER(assert.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ASSERT_H"],[
# check if functions of interest are linkable, but also check if
# they're declared by the expected headers, and if not, supersede the
# unusable positive from AC_CHECK_FUNCS().
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii])
-AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii], [], [
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit isascii getpid])
+AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, isascii, getpid], [], [
if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
then
AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])
diff --git a/src/ssl.c b/src/ssl.c
index 95739f098..7e989685b 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25470,6 +25470,10 @@ int wolfSSL_RAND_Init(void)
if (initGlobalRNG == 0) {
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+ FIPS_VERSION3_LT(6,0,0)))
+ currentPid = getpid();
+ #endif
initGlobalRNG = 1;
ret = WOLFSSL_SUCCESS;
}
@@ -25904,8 +25908,30 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
return ret;
}
-/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise
- * WOLFSSL_FAILURE */
+#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
+/* In older FIPS bundles add check for reseed here since it does not exist in
+ * the older random.c certified files. */
+static pid_t currentPid = 0;
+
+/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
+static int RandCheckReSeed()
+{
+ int ret = WOLFSSL_SUCCESS;
+ pid_t p;
+
+ p = getpid();
+ if (p != currentPid) {
+ currentPid = p;
+ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
+ ret = WOLFSSL_FAILURE;
+ }
+ }
+ return ret;
+}
+#endif
+
+/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
+ * on failure */
int wolfSSL_RAND_bytes(unsigned char* buf, int num)
{
int ret = 0;
@@ -25948,6 +25974,16 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
*/
if (initGlobalRNG) {
rng = &globalRNG;
+
+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
+ FIPS_VERSION3_LT(6,0,0)))
+ if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
+ wc_UnLockMutex(&globalRNGMutex);
+ WOLFSSL_MSG("Issue with check pid and reseed");
+ return ret;
+ }
+ #endif
+
used_global = 1;
}
else {
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 746a06b90..4978db95e 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1640,6 +1640,9 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
#else
rng->heap = heap;
#endif
+#ifdef HAVE_GETPID
+ rng->pid = getpid();
+#endif
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
rng->devId = devId;
#if defined(WOLF_CRYPTO_CB)
@@ -1895,6 +1898,63 @@ int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
return _InitRng(rng, nonce, nonceSz, heap, devId);
}
+#ifdef HAVE_HASHDRBG
+static int PollAndReSeed(WC_RNG* rng)
+{
+ int ret = DRBG_NEED_RESEED;
+ int devId = INVALID_DEVID;
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
+ devId = rng->devId;
+#endif
+ if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
+ #ifndef WOLFSSL_SMALL_STACK
+ byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
+ ret = DRBG_SUCCESS;
+ #else
+ byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
+ DYNAMIC_TYPE_SEED);
+ ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
+ #endif
+ if (ret == DRBG_SUCCESS) {
+ #ifdef WC_RNG_SEED_CB
+ if (seedCb == NULL) {
+ ret = DRBG_NO_SEED_CB;
+ }
+ else {
+ ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
+ if (ret != 0) {
+ ret = DRBG_FAILURE;
+ }
+ }
+ #else
+ ret = wc_GenerateSeed(&rng->seed, newSeed,
+ SEED_SZ + SEED_BLOCK_SZ);
+ #endif
+ if (ret != 0)
+ ret = DRBG_FAILURE;
+ }
+ if (ret == DRBG_SUCCESS)
+ ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
+
+ if (ret == DRBG_SUCCESS)
+ ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
+ newSeed + SEED_BLOCK_SZ, SEED_SZ);
+ #ifdef WOLFSSL_SMALL_STACK
+ if (newSeed != NULL) {
+ ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
+ }
+ XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
+ #else
+ ForceZero(newSeed, sizeof(newSeed));
+ #endif
+ }
+ else {
+ ret = DRBG_CONT_FAILURE;
+ }
+
+ return ret;
+}
+#endif
/* place a generated block in output */
WOLFSSL_ABI
@@ -1954,60 +2014,22 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
if (rng->status != DRBG_OK)
return RNG_FAILURE_E;
+#ifdef HAVE_GETPID
+ if (rng->pid != getpid()) {
+ rng->pid = getpid();
+ ret = PollAndReSeed(rng);
+ if (ret != DRBG_SUCCESS) {
+ rng->status = DRBG_FAILED;
+ return RNG_FAILURE_E;
+ }
+ }
+#endif
+
ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
if (ret == DRBG_NEED_RESEED) {
- int devId = INVALID_DEVID;
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
- devId = rng->devId;
- #endif
- if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
- #ifndef WOLFSSL_SMALL_STACK
- byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
- ret = DRBG_SUCCESS;
- #else
- byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
- DYNAMIC_TYPE_SEED);
- ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
- #endif
- if (ret == DRBG_SUCCESS) {
- #ifdef WC_RNG_SEED_CB
- if (seedCb == NULL) {
- ret = DRBG_NO_SEED_CB;
- }
- else {
- ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
- if (ret != 0) {
- ret = DRBG_FAILURE;
- }
- }
- #else
- ret = wc_GenerateSeed(&rng->seed, newSeed,
- SEED_SZ + SEED_BLOCK_SZ);
- #endif
- if (ret != 0)
- ret = DRBG_FAILURE;
- }
- if (ret == DRBG_SUCCESS)
- ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
-
- if (ret == DRBG_SUCCESS)
- ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
- newSeed + SEED_BLOCK_SZ, SEED_SZ);
- if (ret == DRBG_SUCCESS)
- ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
-
- #ifdef WOLFSSL_SMALL_STACK
- if (newSeed != NULL) {
- ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
- }
- XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
- #else
- ForceZero(newSeed, sizeof(newSeed));
- #endif
- }
- else {
- ret = DRBG_CONT_FAILURE;
- }
+ ret = PollAndReSeed(rng);
+ if (ret == DRBG_SUCCESS)
+ ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
}
if (ret == DRBG_SUCCESS) {
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index 3b4533e0d..ff5f89c3f 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -183,6 +183,9 @@ struct WC_RNG {
#endif
byte status;
#endif
+#ifdef HAVE_GETPID
+ pid_t pid;
+#endif
#ifdef WOLFSSL_ASYNC_CRYPT
WC_ASYNC_DEV asyncDev;
#endif
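Review bot: The fork check added to `wc_RNG_GenerateBlock()` relies only on `rng->pid != getpid()`, which is a heuristic that the code should document: a child that reports the same numeric pid as the value it inherited (for example after pid reuse or in a new pid namespace) would skip the reseed. I would add a comment above the block such as `/* pid change is a best-effort fork indicator; a child that reports the same pid is not detected */`. The block also calls `getpid()` twice; reading it once into a local (`pid_t p = getpid();` then `if (rng->pid != p) { rng->pid = p;`) keeps the compared and the stored value identical. The body of `wc_RNG_GenerateBlock()` starts and ends outside the hunk.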


@ -0,0 +1,125 @@
From ec8edec282bfcc18e6b2681e240fae816d694161 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 10 Jun 2025 14:15:38 -0600
Subject: [PATCH] add mutex locking and compat layer FIPS case
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a]
(cherry picked from commit fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 62 +++++++++++++++++++++++++++----------------------------
1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 7e989685b..ae432eb59 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25458,6 +25458,12 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA
+#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+/* In older FIPS bundles add check for reseed here since it does not exist in
+ * the older random.c certified files. */
+static pid_t currentRandPid = 0;
+#endif
+
/* Checks if the global RNG has been created. If not then one is created.
*
* Returns WOLFSSL_SUCCESS when no error is encountered.
@@ -25471,8 +25477,8 @@ int wolfSSL_RAND_Init(void)
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)))
- currentPid = getpid();
+ FIPS_VERSION3_LT(6,0,0)
+ currentRandPid = getpid();
#endif
initGlobalRNG = 1;
ret = WOLFSSL_SUCCESS;
@@ -25908,28 +25914,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
return ret;
}
-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
-/* In older FIPS bundles add check for reseed here since it does not exist in
- * the older random.c certified files. */
-static pid_t currentPid = 0;
-
-/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
-static int RandCheckReSeed()
-{
- int ret = WOLFSSL_SUCCESS;
- pid_t p;
-
- p = getpid();
- if (p != currentPid) {
- currentPid = p;
- if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
- ret = WOLFSSL_FAILURE;
- }
- }
- return ret;
-}
-#endif
-
/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
* on failure */
int wolfSSL_RAND_bytes(unsigned char* buf, int num)
@@ -25973,17 +25957,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
* have the lock.
*/
if (initGlobalRNG) {
- rng = &globalRNG;
-
#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)))
- if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
+ FIPS_VERSION3_LT(6,0,0)
+ pid_t p;
+
+ p = getpid();
+ if (p != currentRandPid) {
wc_UnLockMutex(&globalRNGMutex);
- WOLFSSL_MSG("Issue with check pid and reseed");
- return ret;
+ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
+ WOLFSSL_MSG("Issue with check pid and reseed");
+ ret = WOLFSSL_FAILURE;
+ }
+
+ /* reclaim lock after wolfSSL_RAND_poll */
+ if (wc_LockMutex(&globalRNGMutex) != 0) {
+ WOLFSSL_MSG("Bad Lock Mutex rng");
+ return ret;
+ }
+ currentRandPid = p;
}
#endif
-
+ rng = &globalRNG;
used_global = 1;
}
else {
@@ -26059,6 +26053,11 @@ int wolfSSL_RAND_poll(void)
}
else {
#ifdef HAVE_HASHDRBG
+ if (wc_LockMutex(&globalRNGMutex) != 0) {
+ WOLFSSL_MSG("Bad Lock Mutex rng");
+ return ret;
+ }
+
ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
if (ret != 0) {
WOLFSSL_MSG("Error reseeding DRBG");
@@ -26067,6 +26066,7 @@ int wolfSSL_RAND_poll(void)
else {
ret = WOLFSSL_SUCCESS;
}
+ wc_UnLockMutex(&globalRNGMutex);
#else
WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
ret = WOLFSSL_FAILURE;
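Review bot: A failed reseed in the pid-changed branch of `wolfSSL_RAND_bytes()` does not stop the function: when `wolfSSL_RAND_poll()` fails, the new code only sets `ret = WOLFSSL_FAILURE;`, re-takes the mutex, records `currentRandPid = p` and goes on to select `&globalRNG`. Since `ret` is initialised to 0 and the function comment documents failure as 0, that assignment changes nothing, so unless code after the hunk handles it the forked process would keep drawing from the DRBG state it inherited and would not retry the reseed on the next call. The mutex is already released at that point, so `return WOLFSSL_FAILURE;` in place of the assignment fails closed and leaves `currentRandPid` unchanged. The rest of the function is outside the hunk, so confirm that the early return skips no cleanup.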


@ -0,0 +1,88 @@
From 7f1ab20a83f953233cac113108ceefb1d5f4fe97 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh <jacob@wolfssl.com>
Date: Tue, 10 Jun 2025 16:12:09 -0600
Subject: [PATCH] add a way to restore previous pid behavior
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a]
Dropped changes to github workflow and test from original commit.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 11 ++++++-----
wolfcrypt/src/random.c | 4 ++--
wolfssl/wolfcrypt/random.h | 2 +-
3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index ae432eb59..e69fa19ac 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25458,7 +25458,8 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA
-#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentRandPid = 0;
@@ -25476,8 +25477,8 @@ int wolfSSL_RAND_Init(void)
if (initGlobalRNG == 0) {
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
currentRandPid = getpid();
#endif
initGlobalRNG = 1;
@@ -25957,8 +25958,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
* have the lock.
*/
if (initGlobalRNG) {
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
- FIPS_VERSION3_LT(6,0,0)
+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
pid_t p;
p = getpid();
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 4978db95e..32ebb8bae 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -1640,7 +1640,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
#else
rng->heap = heap;
#endif
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
rng->pid = getpid();
#endif
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
@@ -2014,7 +2014,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
if (rng->status != DRBG_OK)
return RNG_FAILURE_E;
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
if (rng->pid != getpid()) {
rng->pid = getpid();
ret = PollAndReSeed(rng);
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index ff5f89c3f..faa999473 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -183,7 +183,7 @@ struct WC_RNG {
#endif
byte status;
#endif
-#ifdef HAVE_GETPID
+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
pid_t pid;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
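Review bot: `WOLFSSL_NO_GETPID` now decides whether `struct WC_RNG` in the public header `random.h` contains the `pid` field, and none of the touched guards documents what the macro does. An application compiled with a different setting than the library would see a different `sizeof(WC_RNG)`, and defining the macro also switches off the reseed-after-fork check that this series adds. I would put a comment at the `random.h` guard, e.g. `/* WOLFSSL_NO_GETPID removes pid and the fork reseed check; it must be set identically for library and application builds */`.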


@ -0,0 +1,42 @@
From ec46c4146d16c38abddb427efcb9ca177d74cd03 Mon Sep 17 00:00:00 2001
From: Chris Conlon <chris@wolfssl.com>
Date: Wed, 18 Jun 2025 16:08:34 -0600
Subject: [PATCH] Add HAVE_GETPID to options.h if getpid detected, needed for
apps to correctly detect size of WC_RNG struct
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9c35c0de65e135e621400958f22829c0d2555ed4]
(cherry picked from commit 9c35c0de65e135e621400958f22829c0d2555ed4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
configure.ac | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/configure.ac b/configure.ac
index 2b0ab1716..ecb2d694f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -160,6 +160,9 @@ fi
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
#endif
+#ifdef HAVE_UNISTD_H
+ #include <unistd.h>
+#endif
#ifdef HAVE_CTYPE_H
#include <ctype.h>
#endif
@@ -10361,6 +10364,12 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1"
fi
+# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h
+if test "$ac_cv_func_getpid" = "yes"
+then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1"
+fi
+
LIB_SOCKET_NSL
AX_HARDEN_CC_COMPILER_FLAGS
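Review bot: Only the autoconf build exports `-DHAVE_GETPID=1` through `AM_CFLAGS` here; the `CMakeLists.txt` hunk earlier in this series adds just `check_function_exists("getpid" HAVE_GETPID)`, and nothing visible on this page carries that result into the compile definitions or the generated options for CMake builds. If that holds in the full tree, a CMake build would either lack the fork check or leave applications with a `WC_RNG` layout that differs from the library's, which is the mismatch this patch is meant to prevent. It is worth confirming and, if needed, adding the equivalent export on the CMake side.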


@ -0,0 +1,49 @@
From e282569d0437abd39604ded73d9078e994a54db2 Mon Sep 17 00:00:00 2001
From: Chris Conlon <chris@wolfssl.com>
Date: Wed, 18 Jun 2025 16:57:02 -0600
Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to
old FIPS bundles that do not have older random.c files
CVE: CVE-2025-7394
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73
(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
src/ssl.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index e69fa19ac..8f1c79890 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25459,7 +25459,7 @@ static int wolfSSL_RAND_InitMutex(void)
#ifdef OPENSSL_EXTRA
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST))
/* In older FIPS bundles add check for reseed here since it does not exist in
* the older random.c certified files. */
static pid_t currentRandPid = 0;
@@ -25478,7 +25478,9 @@ int wolfSSL_RAND_Init(void)
ret = wc_InitRng(&globalRNG);
if (ret == 0) {
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
+ defined(HAVE_SELFTEST))
+
currentRandPid = getpid();
#endif
initGlobalRNG = 1;
@@ -25959,7 +25961,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
*/
if (initGlobalRNG) {
#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
+ defined(HAVE_SELFTEST))
pid_t p;
p = getpid();
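Review bot: The comment kept under the widened guard at the `currentRandPid` declaration still describes the check as being for "older FIPS bundles" only, while the condition now also covers `HAVE_SELFTEST`; I would reword it to `/* In older FIPS bundles and HAVE_SELFTEST builds add check for reseed here since it does not exist in the older random.c files. */`. The `wolfSSL_RAND_Init()` hunk also adds a blank line between the `#if` condition and `currentRandPid = getpid();` that can be dropped. In the patch header, the `Upstream-Status: Backport [` line is missing its closing `]`.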


@ -21,6 +21,12 @@ SRC_URI = " \
file://CVE-2025-7395-2.patch \
file://CVE-2025-7395-3.patch \
file://CVE-2025-7395-4.patch \
file://CVE-2025-7394-1.patch \
file://CVE-2025-7394-2.patch \
file://CVE-2025-7394-3.patch \
file://CVE-2025-7394-4.patch \
file://CVE-2025-7394-5.patch \
file://CVE-2025-7394-6.patch \
"
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"