wolfssl: patch CVE-2026-3230

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-3230

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3230.patch

@@ -0,0 +1,69 @@
+From 015a4cec9f19221c79dbbeef3a92cf297d633a65 Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date: Mon, 9 Feb 2026 17:14:24 +0100
+Subject: [PATCH] Add check for KeyShare in ServerHello
+
+Fixes ZD21171
+
+CVE: CVE-2026-3230
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/f798a585d9dc57f7c42a90e693d8f0aa8a241e52]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/tls.c          | 2 ++
+ src/tls13.c        | 3 ++-
+ tests/api.c        | 2 +-
+ wolfssl/internal.h | 1 +
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/tls.c b/src/tls.c
+index 4f57ea938..8552e8daf 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -9774,6 +9774,8 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
+         if (length < OPAQUE16_LEN)
+             return BUFFER_ERROR;
+ 
++        ssl->options.shSentKeyShare = 1;
++
+         /* The data is the named group the server wants to use. */
+         ato16(input, &group);
+ 
+diff --git a/src/tls13.c b/src/tls13.c
+index 6efe44640..538cde030 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5590,7 +5590,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
+     #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+             ssl->options.pskNegotiated == 0 &&
+     #endif
+-            ssl->session->namedGroup == 0) {
++            (ssl->session->namedGroup == 0 ||
++             ssl->options.shSentKeyShare == 0)) {
+             return EXT_MISSING;
+         }
+ 
+diff --git a/tests/api.c b/tests/api.c
+index 9dc92e84a..1abb7f836 100644
+--- a/tests/api.c
++++ b/tests/api.c
+@@ -64055,7 +64055,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
+ 
+         ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+ #ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+-        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(OUT_OF_ORDER_E));
++        ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(EXT_MISSING));
+ #else
+         ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(BUFFER_ERROR));
+ #endif
+diff --git a/wolfssl/internal.h b/wolfssl/internal.h
+index dd191fb1a..c89ab5931 100644
+--- a/wolfssl/internal.h
++++ b/wolfssl/internal.h
+@@ -5107,6 +5107,7 @@ struct Options {
+ #if defined(HAVE_DANE)
+     word16            useDANE:1;
+ #endif /* HAVE_DANE */
++    word16            shSentKeyShare:1;   /* SH sent with key share */
+     word16            disableRead:1;
+ #ifdef WOLFSSL_DTLS
+     byte              haveMcast;          /* using multicast ? */

meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb

@@ -33,6 +33,7 @@ SRC_URI = " \
     file://CVE-2026-3229-1.patch \
     file://CVE-2026-3229-2.patch \
     file://CVE-2026-3229-3.patch \
+    file://CVE-2026-3230.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"