deleted file mode 100644
@@ -1,46 +0,0 @@
-From 6d0ee56813d69eee72108e1dc859743e02f70077 Mon Sep 17 00:00:00 2001
-From: Josh Holtrop <josh@wolfssl.com>
-Date: Thu, 5 Jun 2025 19:48:34 -0400
-Subject: [PATCH] Reseed DRBG in RAND_poll()
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0c12337194ee6dd082f082f0ccaed27fc4ee44f5]
-(cherry picked from commit 0c12337194ee6dd082f082f0ccaed27fc4ee44f5)
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- src/ssl.c | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/src/ssl.c b/src/ssl.c
-index 9ba891d62..a1421d523 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -24159,11 +24159,25 @@ int wolfSSL_RAND_poll(void)
- return WOLFSSL_FAILURE;
- }
- ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz);
-- if (ret != 0){
-+ if (ret != 0) {
- WOLFSSL_MSG("Bad wc_RNG_GenerateBlock");
- ret = WOLFSSL_FAILURE;
-- }else
-- ret = WOLFSSL_SUCCESS;
-+ }
-+ else {
-+#ifdef HAVE_HASHDRBG
-+ ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
-+ if (ret != 0) {
-+ WOLFSSL_MSG("Error reseeding DRBG");
-+ ret = WOLFSSL_FAILURE;
-+ }
-+ else {
-+ ret = WOLFSSL_SUCCESS;
-+ }
-+#else
-+ WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
-+ ret = WOLFSSL_FAILURE;
-+#endif
-+ }
-
- return ret;
- }
deleted file mode 100644
@@ -1,275 +0,0 @@
-From b506ed4aeb2c86788422427624a03eb9bda52efc Mon Sep 17 00:00:00 2001
-From: JacobBarthelmeh <jacob@wolfssl.com>
-Date: Tue, 10 Jun 2025 12:49:08 -0600
-Subject: [PATCH] add sanity checks on pid with RNG
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/31490ab813a5aac096f50800c26c690d8ae586d2]
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- CMakeLists.txt | 1 +
- configure.ac | 4 +-
- src/ssl.c | 40 +++++++++++-
- wolfcrypt/src/random.c | 126 ++++++++++++++++++++++---------------
- wolfssl/wolfcrypt/random.h | 3 +
- 5 files changed, 118 insertions(+), 56 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 4e6f05fc6..910a36648 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -124,6 +124,7 @@ check_function_exists("memset" HAVE_MEMSET)
- check_function_exists("socket" HAVE_SOCKET)
- check_function_exists("strftime" HAVE_STRFTIME)
- check_function_exists("__atomic_fetch_add" HAVE_C___ATOMIC)
-+check_function_exists("getpid" HAVE_GETPID)
-
- include(CheckTypeSize)
-
-diff --git a/configure.ac b/configure.ac
-index c973b7e39..43ddd4767 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -125,8 +125,8 @@ AC_CHECK_HEADER(stdatomic.h, [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_HAVE_ATOMIC_H"
- # check if functions of interest are linkable, but also check if
- # they're declared by the expected headers, and if not, supersede the
- # unusable positive from AC_CHECK_FUNCS().
--AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit])
--AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit], [], [
-+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit getpid])
-+AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime, atexit, getpid], [], [
- if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
- then
- AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])
-diff --git a/src/ssl.c b/src/ssl.c
-index a1421d523..872aed594 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -23615,6 +23615,10 @@ int wolfSSL_RAND_Init(void)
- if (initGlobalRNG == 0) {
- ret = wc_InitRng(&globalRNG);
- if (ret == 0) {
-+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-+ FIPS_VERSION3_LT(6,0,0)))
-+ currentPid = getpid();
-+ #endif
- initGlobalRNG = 1;
- ret = WOLFSSL_SUCCESS;
- }
-@@ -24045,8 +24049,30 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
- return ret;
- }
-
--/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise
-- * WOLFSSL_FAILURE */
-+#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
-+/* In older FIPS bundles add check for reseed here since it does not exist in
-+ * the older random.c certified files. */
-+static pid_t currentPid = 0;
-+
-+/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
-+static int RandCheckReSeed()
-+{
-+ int ret = WOLFSSL_SUCCESS;
-+ pid_t p;
-+
-+ p = getpid();
-+ if (p != currentPid) {
-+ currentPid = p;
-+ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
-+ ret = WOLFSSL_FAILURE;
-+ }
-+ }
-+ return ret;
-+}
-+#endif
-+
-+/* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
-+ * on failure */
- int wolfSSL_RAND_bytes(unsigned char* buf, int num)
- {
- int ret = 0;
-@@ -24089,6 +24115,16 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
- */
- if (initGlobalRNG) {
- rng = &globalRNG;
-+
-+ #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-+ FIPS_VERSION3_LT(6,0,0)))
-+ if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
-+ wc_UnLockMutex(&globalRNGMutex);
-+ WOLFSSL_MSG("Issue with check pid and reseed");
-+ return ret;
-+ }
-+ #endif
-+
- used_global = 1;
- }
- else {
-diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
-index 89c7411c9..b440e274b 100644
---- a/wolfcrypt/src/random.c
-+++ b/wolfcrypt/src/random.c
-@@ -1599,6 +1599,9 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
- #else
- rng->heap = heap;
- #endif
-+#ifdef HAVE_GETPID
-+ rng->pid = getpid();
-+#endif
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
- rng->devId = devId;
- #if defined(WOLF_CRYPTO_CB)
-@@ -1849,6 +1852,63 @@ int wc_InitRngNonce_ex(WC_RNG* rng, byte* nonce, word32 nonceSz,
- return _InitRng(rng, nonce, nonceSz, heap, devId);
- }
-
-+#ifdef HAVE_HASHDRBG
-+static int PollAndReSeed(WC_RNG* rng)
-+{
-+ int ret = DRBG_NEED_RESEED;
-+ int devId = INVALID_DEVID;
-+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
-+ devId = rng->devId;
-+#endif
-+ if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
-+ #ifndef WOLFSSL_SMALL_STACK
-+ byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
-+ ret = DRBG_SUCCESS;
-+ #else
-+ byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
-+ DYNAMIC_TYPE_SEED);
-+ ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
-+ #endif
-+ if (ret == DRBG_SUCCESS) {
-+ #ifdef WC_RNG_SEED_CB
-+ if (seedCb == NULL) {
-+ ret = DRBG_NO_SEED_CB;
-+ }
-+ else {
-+ ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
-+ if (ret != 0) {
-+ ret = DRBG_FAILURE;
-+ }
-+ }
-+ #else
-+ ret = wc_GenerateSeed(&rng->seed, newSeed,
-+ SEED_SZ + SEED_BLOCK_SZ);
-+ #endif
-+ if (ret != 0)
-+ ret = DRBG_FAILURE;
-+ }
-+ if (ret == DRBG_SUCCESS)
-+ ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
-+
-+ if (ret == DRBG_SUCCESS)
-+ ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
-+ newSeed + SEED_BLOCK_SZ, SEED_SZ);
-+ #ifdef WOLFSSL_SMALL_STACK
-+ if (newSeed != NULL) {
-+ ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
-+ }
-+ XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
-+ #else
-+ ForceZero(newSeed, sizeof(newSeed));
-+ #endif
-+ }
-+ else {
-+ ret = DRBG_CONT_FAILURE;
-+ }
-+
-+ return ret;
-+}
-+#endif
-
- /* place a generated block in output */
- WOLFSSL_ABI
-@@ -1908,60 +1968,22 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
- if (rng->status != DRBG_OK)
- return RNG_FAILURE_E;
-
-+#ifdef HAVE_GETPID
-+ if (rng->pid != getpid()) {
-+ rng->pid = getpid();
-+ ret = PollAndReSeed(rng);
-+ if (ret != DRBG_SUCCESS) {
-+ rng->status = DRBG_FAILED;
-+ return RNG_FAILURE_E;
-+ }
-+ }
-+#endif
-+
- ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
- if (ret == DRBG_NEED_RESEED) {
-- int devId = INVALID_DEVID;
-- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
-- devId = rng->devId;
-- #endif
-- if (wc_RNG_HealthTestLocal(1, rng->heap, devId) == 0) {
-- #ifndef WOLFSSL_SMALL_STACK
-- byte newSeed[SEED_SZ + SEED_BLOCK_SZ];
-- ret = DRBG_SUCCESS;
-- #else
-- byte* newSeed = (byte*)XMALLOC(SEED_SZ + SEED_BLOCK_SZ, rng->heap,
-- DYNAMIC_TYPE_SEED);
-- ret = (newSeed == NULL) ? MEMORY_E : DRBG_SUCCESS;
-- #endif
-- if (ret == DRBG_SUCCESS) {
-- #ifdef WC_RNG_SEED_CB
-- if (seedCb == NULL) {
-- ret = DRBG_NO_SEED_CB;
-- }
-- else {
-- ret = seedCb(&rng->seed, newSeed, SEED_SZ + SEED_BLOCK_SZ);
-- if (ret != 0) {
-- ret = DRBG_FAILURE;
-- }
-- }
-- #else
-- ret = wc_GenerateSeed(&rng->seed, newSeed,
-- SEED_SZ + SEED_BLOCK_SZ);
-- #endif
-- if (ret != 0)
-- ret = DRBG_FAILURE;
-- }
-- if (ret == DRBG_SUCCESS)
-- ret = wc_RNG_TestSeed(newSeed, SEED_SZ + SEED_BLOCK_SZ);
--
-- if (ret == DRBG_SUCCESS)
-- ret = Hash_DRBG_Reseed((DRBG_internal *)rng->drbg,
-- newSeed + SEED_BLOCK_SZ, SEED_SZ);
-- if (ret == DRBG_SUCCESS)
-- ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
--
-- #ifdef WOLFSSL_SMALL_STACK
-- if (newSeed != NULL) {
-- ForceZero(newSeed, SEED_SZ + SEED_BLOCK_SZ);
-- }
-- XFREE(newSeed, rng->heap, DYNAMIC_TYPE_SEED);
-- #else
-- ForceZero(newSeed, sizeof(newSeed));
-- #endif
-- }
-- else {
-- ret = DRBG_CONT_FAILURE;
-- }
-+ ret = PollAndReSeed(rng);
-+ if (ret == DRBG_SUCCESS)
-+ ret = Hash_DRBG_Generate((DRBG_internal *)rng->drbg, output, sz);
- }
-
- if (ret == DRBG_SUCCESS) {
-diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
-index 9dd616328..f472e1f40 100644
---- a/wolfssl/wolfcrypt/random.h
-+++ b/wolfssl/wolfcrypt/random.h
-@@ -183,6 +183,9 @@ struct WC_RNG {
- #endif
- byte status;
- #endif
-+#ifdef HAVE_GETPID
-+ pid_t pid;
-+#endif
- #ifdef WOLFSSL_ASYNC_CRYPT
- WC_ASYNC_DEV asyncDev;
- #endif
deleted file mode 100644
@@ -1,125 +0,0 @@
-From 62a3a4f0b8b307bdacc34204db44627521de4bf9 Mon Sep 17 00:00:00 2001
-From: JacobBarthelmeh <jacob@wolfssl.com>
-Date: Tue, 10 Jun 2025 14:15:38 -0600
-Subject: [PATCH] add mutex locking and compat layer FIPS case
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a]
-(cherry picked from commit fbbb6b7707f7f8ae1c38ab68daec0af02ee0208a)
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- src/ssl.c | 62 +++++++++++++++++++++++++++----------------------------
- 1 file changed, 31 insertions(+), 31 deletions(-)
-
-diff --git a/src/ssl.c b/src/ssl.c
-index 872aed594..f0186b253 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -23603,6 +23603,12 @@ static int wolfSSL_RAND_InitMutex(void)
-
- #ifdef OPENSSL_EXTRA
-
-+#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-+/* In older FIPS bundles add check for reseed here since it does not exist in
-+ * the older random.c certified files. */
-+static pid_t currentRandPid = 0;
-+#endif
-+
- /* Checks if the global RNG has been created. If not then one is created.
- *
- * Returns WOLFSSL_SUCCESS when no error is encountered.
-@@ -23616,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
- ret = wc_InitRng(&globalRNG);
- if (ret == 0) {
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-- FIPS_VERSION3_LT(6,0,0)))
-- currentPid = getpid();
-+ FIPS_VERSION3_LT(6,0,0)
-+ currentRandPid = getpid();
- #endif
- initGlobalRNG = 1;
- ret = WOLFSSL_SUCCESS;
-@@ -24049,28 +24055,6 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num)
- return ret;
- }
-
--#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)))
--/* In older FIPS bundles add check for reseed here since it does not exist in
-- * the older random.c certified files. */
--static pid_t currentPid = 0;
--
--/* returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */
--static int RandCheckReSeed()
--{
-- int ret = WOLFSSL_SUCCESS;
-- pid_t p;
--
-- p = getpid();
-- if (p != currentPid) {
-- currentPid = p;
-- if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
-- ret = WOLFSSL_FAILURE;
-- }
-- }
-- return ret;
--}
--#endif
--
- /* returns WOLFSSL_SUCCESS (1) if the bytes generated are valid otherwise 0
- * on failure */
- int wolfSSL_RAND_bytes(unsigned char* buf, int num)
-@@ -24114,17 +24098,27 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
- * have the lock.
- */
- if (initGlobalRNG) {
-- rng = &globalRNG;
--
- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-- FIPS_VERSION3_LT(6,0,0)))
-- if (RandCheckReSeed() != WOLFSSL_SUCCESS) {
-+ FIPS_VERSION3_LT(6,0,0)
-+ pid_t p;
-+
-+ p = getpid();
-+ if (p != currentRandPid) {
- wc_UnLockMutex(&globalRNGMutex);
-- WOLFSSL_MSG("Issue with check pid and reseed");
-- return ret;
-+ if (wolfSSL_RAND_poll() != WOLFSSL_SUCCESS) {
-+ WOLFSSL_MSG("Issue with check pid and reseed");
-+ ret = WOLFSSL_FAILURE;
-+ }
-+
-+ /* reclaim lock after wolfSSL_RAND_poll */
-+ if (wc_LockMutex(&globalRNGMutex) != 0) {
-+ WOLFSSL_MSG("Bad Lock Mutex rng");
-+ return ret;
-+ }
-+ currentRandPid = p;
- }
- #endif
--
-+ rng = &globalRNG;
- used_global = 1;
- }
- else {
-@@ -24201,6 +24195,11 @@ int wolfSSL_RAND_poll(void)
- }
- else {
- #ifdef HAVE_HASHDRBG
-+ if (wc_LockMutex(&globalRNGMutex) != 0) {
-+ WOLFSSL_MSG("Bad Lock Mutex rng");
-+ return ret;
-+ }
-+
- ret = wc_RNG_DRBG_Reseed(&globalRNG, entropy, entropy_sz);
- if (ret != 0) {
- WOLFSSL_MSG("Error reseeding DRBG");
-@@ -24209,6 +24208,7 @@ int wolfSSL_RAND_poll(void)
- else {
- ret = WOLFSSL_SUCCESS;
- }
-+ wc_UnLockMutex(&globalRNGMutex);
- #else
- WOLFSSL_MSG("RAND_poll called with HAVE_HASHDRBG not set");
- ret = WOLFSSL_FAILURE;
deleted file mode 100644
@@ -1,85 +0,0 @@
-From d7a68e85ebe4705e7345b0e5012c806615cd86c7 Mon Sep 17 00:00:00 2001
-From: JacobBarthelmeh <jacob@wolfssl.com>
-Date: Tue, 10 Jun 2025 16:12:09 -0600
-Subject: [PATCH] add a way to restore previous pid behavior
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/47cf634965a3aabe82fd97a8feed9efd6688e34a]
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- src/ssl.c | 11 ++++++-----
- wolfcrypt/src/random.c | 4 ++--
- wolfssl/wolfcrypt/random.h | 2 +-
- 3 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/src/ssl.c b/src/ssl.c
-index f0186b253..e214fa504 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -23603,7 +23603,8 @@ static int wolfSSL_RAND_InitMutex(void)
-
- #ifdef OPENSSL_EXTRA
-
--#if defined(HAVE_GETPID) && defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
- /* In older FIPS bundles add check for reseed here since it does not exist in
- * the older random.c certified files. */
- static pid_t currentRandPid = 0;
-@@ -23621,8 +23622,8 @@ int wolfSSL_RAND_Init(void)
- if (initGlobalRNG == 0) {
- ret = wc_InitRng(&globalRNG);
- if (ret == 0) {
-- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-- FIPS_VERSION3_LT(6,0,0)
-+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
- currentRandPid = getpid();
- #endif
- initGlobalRNG = 1;
-@@ -24098,8 +24099,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
- * have the lock.
- */
- if (initGlobalRNG) {
-- #if defined(HAVE_GETPID) && defined(HAVE_FIPS) && \
-- FIPS_VERSION3_LT(6,0,0)
-+ #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-+ defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
- pid_t p;
-
- p = getpid();
-diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
-index b440e274b..dc89db542 100644
---- a/wolfcrypt/src/random.c
-+++ b/wolfcrypt/src/random.c
-@@ -1599,7 +1599,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
- #else
- rng->heap = heap;
- #endif
--#ifdef HAVE_GETPID
-+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
- rng->pid = getpid();
- #endif
- #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_CB)
-@@ -1968,7 +1968,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
- if (rng->status != DRBG_OK)
- return RNG_FAILURE_E;
-
--#ifdef HAVE_GETPID
-+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
- if (rng->pid != getpid()) {
- rng->pid = getpid();
- ret = PollAndReSeed(rng);
-diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
-index f472e1f40..320641548 100644
---- a/wolfssl/wolfcrypt/random.h
-+++ b/wolfssl/wolfcrypt/random.h
-@@ -183,7 +183,7 @@ struct WC_RNG {
- #endif
- byte status;
- #endif
--#ifdef HAVE_GETPID
-+#if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID)
- pid_t pid;
- #endif
- #ifdef WOLFSSL_ASYNC_CRYPT
deleted file mode 100644
@@ -1,40 +0,0 @@
-From 670437d91ae3025b4721eb4f450e5dc31fc3d6ee Mon Sep 17 00:00:00 2001
-From: Chris Conlon <chris@wolfssl.com>
-Date: Wed, 18 Jun 2025 16:08:34 -0600
-Subject: [PATCH] Add HAVE_GETPID to options.h if getpid detected, needed for
- apps to correctly detect size of WC_RNG struct
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9c35c0de65e135e621400958f22829c0d2555ed4]
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- configure.ac | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 43ddd4767..636c45aef 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -156,6 +156,9 @@ fi
- #ifdef HAVE_STDLIB_H
- #include <stdlib.h>
- #endif
-+#ifdef HAVE_UNISTD_H
-+ #include <unistd.h>
-+#endif
- ]])
-
- AC_PROG_INSTALL
-@@ -9479,6 +9482,12 @@ then
- AM_CFLAGS="$AM_CFLAGS -DHAVE___UINT128_T=1"
- fi
-
-+# Add HAVE_GETPID to AM_CFLAGS for inclusion in options.h
-+if test "$ac_cv_func_getpid" = "yes"
-+then
-+ AM_CFLAGS="$AM_CFLAGS -DHAVE_GETPID=1"
-+fi
-+
- LIB_SOCKET_NSL
- AX_HARDEN_CC_COMPILER_FLAGS
-
deleted file mode 100644
@@ -1,48 +0,0 @@
-From aaad0035e4e795b8b225bd481e3942de015a362d Mon Sep 17 00:00:00 2001
-From: Chris Conlon <chris@wolfssl.com>
-Date: Wed, 18 Jun 2025 16:57:02 -0600
-Subject: [PATCH] Add check for reseed in ssl.c for HAVE_SELFTEST, similar to
- old FIPS bundles that do not have older random.c files
-
-CVE: CVE-2025-7394
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/cdd02f9665ef43126503307972e4389070a00a73
-(cherry picked from commit cdd02f9665ef43126503307972e4389070a00a73)
-Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
----
- src/ssl.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/ssl.c b/src/ssl.c
-index e214fa504..e538233fc 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -23604,7 +23604,7 @@ static int wolfSSL_RAND_InitMutex(void)
- #ifdef OPENSSL_EXTRA
-
- #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || defined(HAVE_SELFTEST))
- /* In older FIPS bundles add check for reseed here since it does not exist in
- * the older random.c certified files. */
- static pid_t currentRandPid = 0;
-@@ -23623,7 +23623,9 @@ int wolfSSL_RAND_Init(void)
- ret = wc_InitRng(&globalRNG);
- if (ret == 0) {
- #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
-+ defined(HAVE_SELFTEST))
-+
- currentRandPid = getpid();
- #endif
- initGlobalRNG = 1;
-@@ -24100,7 +24102,8 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num)
- */
- if (initGlobalRNG) {
- #if defined(HAVE_GETPID) && !defined(WOLFSSL_NO_GETPID) && \
-- defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)
-+ ((defined(HAVE_FIPS) && FIPS_VERSION3_LT(6,0,0)) || \
-+ defined(HAVE_SELFTEST))
- pid_t p;
-
- p = getpid();
deleted file mode 100644
@@ -1,84 +0,0 @@
-From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
-From: Ruby Martin <ruby@wolfssl.com>
-Date: Mon, 2 Jun 2025 16:38:32 -0600
-Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
- domain name checking
-
-CVE: CVE-2025-7395
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- src/internal.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index 6bbd38fa8..2b090382f 100644
---- a/src/internal.c
-+++ b/src/internal.c
-@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
- #include <Security/SecCertificate.h>
- #include <Security/SecTrust.h>
- #include <Security/SecPolicy.h>
--static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
-+static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
- int totalCerts);
- #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
-
-@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- * into wolfSSL, try to validate against the system certificates
- * using Apple's native trust APIs */
- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
-- if (DoAppleNativeCertValidation(args->certs,
-+ if (DoAppleNativeCertValidation(ssl, args->certs,
- args->totalCerts)) {
- WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
- ret = 0;
-@@ -41246,7 +41246,8 @@ cleanup:
- * wolfSSL's built-in certificate validation mechanisms anymore. We instead
- * must call into the Security Framework APIs to authenticate peer certificates
- */
--static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
-+static int DoAppleNativeCertValidation(WOLFSSL* ssl,
-+ const WOLFSSL_BUFFER_INFO* certs,
- int totalCerts)
- {
- int i;
-@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
- CFMutableArrayRef certArray = NULL;
- SecCertificateRef secCert = NULL;
- SecTrustRef trust = NULL;
-- SecPolicyRef policy = NULL ;
-+ SecPolicyRef policy = NULL;
-+ CFStringRef hostname = NULL;
-
- WOLFSSL_ENTER("DoAppleNativeCertValidation");
-
-@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
- }
-
- /* Create trust object for SecCertifiate Ref */
-- policy = SecPolicyCreateSSL(true, NULL);
-+ if (ssl->buffers.domainName.buffer &&
-+ ssl->buffers.domainName.length > 0) {
-+ /* Create policy with specified value to require host name match */
-+ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
-+ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
-+ }
-+ if (hostname != NULL) {
-+ policy = SecPolicyCreateSSL(true, hostname);
-+ } else {
-+ policy = SecPolicyCreateSSL(true, NULL);
-+ }
- status = SecTrustCreateWithCertificates(certArray, policy, &trust);
- if (status != errSecSuccess) {
- WOLFSSL_MSG_EX("Error creating trust object, "
-@@ -41314,6 +41326,9 @@ cleanup:
- if (policy) {
- CFRelease(policy);
- }
-+ if (hostname) {
-+ CFRelease(hostname);
-+ }
-
- WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
-
deleted file mode 100644
@@ -1,27 +0,0 @@
-From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
-From: Brett <bigbrett@users.noreply.github.com>
-Date: Wed, 4 Jun 2025 15:48:15 -0600
-Subject: [PATCH] prevent apple native cert validation from overriding error
- codes other than ASN_NO_SIGNER_E
-
-CVE: CVE-2025-7395
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- src/internal.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index 2b090382f..79f584a0a 100644
---- a/src/internal.c
-+++ b/src/internal.c
-@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- /* If we can't validate the peer cert chain against the CAs loaded
- * into wolfSSL, try to validate against the system certificates
- * using Apple's native trust APIs */
-- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
-+ if ((ret == ASN_NO_SIGNER_E) &&
-+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
- if (DoAppleNativeCertValidation(ssl, args->certs,
- args->totalCerts)) {
- WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
deleted file mode 100644
@@ -1,25 +0,0 @@
-From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
-From: Brett <bigbrett@users.noreply.github.com>
-Date: Wed, 4 Jun 2025 16:56:16 -0600
-Subject: [PATCH] add missing error trace macro
-
-CVE: CVE-2025-7395
-Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- src/internal.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index 79f584a0a..5557b5698 100644
---- a/src/internal.c
-+++ b/src/internal.c
-@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
- /* If we can't validate the peer cert chain against the CAs loaded
- * into wolfSSL, try to validate against the system certificates
- * using Apple's native trust APIs */
-- if ((ret == ASN_NO_SIGNER_E) &&
-+ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
- (ssl->ctx->doAppleNativeCertValidationFlag)) {
- if (DoAppleNativeCertValidation(ssl, args->certs,
- args->totalCerts)) {
similarity index 78%
rename from meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
rename to meta-networking/recipes-connectivity/wolfssl/wolfssl_5.9.2.bb
@@ -14,17 +14,8 @@ RPROVIDES:${PN} = "cyassl"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
file://run-ptest \
- file://CVE-2025-7395-1.patch \
- file://CVE-2025-7395-2.patch \
- file://CVE-2025-7395-3.patch \
- file://CVE-2025-7394-1.patch \
- file://CVE-2025-7394-2.patch \
- file://CVE-2025-7394-3.patch \
- file://CVE-2025-7394-4.patch \
- file://CVE-2025-7394-5.patch \
- file://CVE-2025-7394-6.patch \
"
-SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
+SRCREV = "ac01707f552c611fbd135cc723b2682b3e7f80f2"
S = "${WORKDIR}/git"
- Drop 9 CVE patches (CVE-2025-7394, CVE-2025-7395) fixed upstream - All security fixes included in 5.9.2 release Signed-off-by: Lian Wang <lianux.wang@processmission.com> --- .../wolfssl/files/CVE-2025-7394-1.patch | 46 --- .../wolfssl/files/CVE-2025-7394-2.patch | 275 ------------------ .../wolfssl/files/CVE-2025-7394-3.patch | 125 -------- .../wolfssl/files/CVE-2025-7394-4.patch | 85 ------ .../wolfssl/files/CVE-2025-7394-5.patch | 40 --- .../wolfssl/files/CVE-2025-7394-6.patch | 48 --- .../wolfssl/files/CVE-2025-7395-1.patch | 84 ------ .../wolfssl/files/CVE-2025-7395-2.patch | 27 -- .../wolfssl/files/CVE-2025-7395-3.patch | 25 -- .../{wolfssl_5.7.2.bb => wolfssl_5.9.2.bb} | 11 +- 10 files changed, 1 insertion(+), 765 deletions(-) delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-1.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-2.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-3.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-4.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-5.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7394-6.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch delete mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch rename meta-networking/recipes-connectivity/wolfssl/{wolfssl_5.7.2.bb => wolfssl_5.9.2.bb} (78%)