diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3230.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3230.patch
new file mode 100644
index 0000000000..4d03dfdf75
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2026-3230.patch
@@ -0,0 +1,69 @@
+From 015a4cec9f19221c79dbbeef3a92cf297d633a65 Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz
+Date: Mon, 9 Feb 2026 17:14:24 +0100
+Subject: [PATCH] Add check for KeyShare in ServerHello
+
+Fixes ZD21171
+
+CVE: CVE-2026-3230
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/f798a585d9dc57f7c42a90e693d8f0aa8a241e52]
+Signed-off-by: Ankur Tyagi
+---
+ src/tls.c | 2 ++
+ src/tls13.c | 3 ++-
+ tests/api.c | 2 +-
+ wolfssl/internal.h | 1 +
+ 4 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/tls.c b/src/tls.c
+index 4f57ea938..8552e8daf 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -9774,6 +9774,8 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
+ if (length < OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
++ ssl->options.shSentKeyShare = 1;
++
+ /* The data is the named group the server wants to use. */
+ ato16(input, &group);
+
+diff --git a/src/tls13.c b/src/tls13.c
+index 6efe44640..538cde030 100644
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5590,7 +5590,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
+ #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+ ssl->options.pskNegotiated == 0 &&
+ #endif
+- ssl->session->namedGroup == 0) {
++ (ssl->session->namedGroup == 0 ||
++ ssl->options.shSentKeyShare == 0)) {
+ return EXT_MISSING;
+ }
+
+diff --git a/tests/api.c b/tests/api.c
+index 9dc92e84a..1abb7f836 100644
+--- a/tests/api.c
++++ b/tests/api.c
+@@ -64055,7 +64055,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
+
+ ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+ #ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
+- ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(OUT_OF_ORDER_E));
++ ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(EXT_MISSING));
+ #else
+ ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(BUFFER_ERROR));
+ #endif
+diff --git a/wolfssl/internal.h b/wolfssl/internal.h
+index dd191fb1a..c89ab5931 100644
+--- a/wolfssl/internal.h
++++ b/wolfssl/internal.h
+@@ -5107,6 +5107,7 @@ struct Options {
+ #if defined(HAVE_DANE)
+ word16 useDANE:1;
+ #endif /* HAVE_DANE */
++ word16 shSentKeyShare:1; /* SH sent with key share */
+ word16 disableRead:1;
+ #ifdef WOLFSSL_DTLS
+ byte haveMcast; /* using multicast ? */
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index 7c46c01ff0..bec2764ad1 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -33,6 +33,7 @@ SRC_URI = " \
 file://CVE-2026-3229-1.patch \
 file://CVE-2026-3229-2.patch \
 file://CVE-2026-3229-3.patch \
+ file://CVE-2026-3230.patch \
 "
 
 SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
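Review bot: The new `shSentKeyShare` bit in `struct Options` is only ever set to 1 in the visible hunks (in `TLSX_KeyShare_Parse`, src/tls.c) and nothing in the backport clears it, so the strengthened `EXT_MISSING` check in `DoTls13ServerHello` relies on `ssl->options` being re-initialized for every new handshake; that reset path is outside this patch and should be confirmed against the 5.8.0 tree the backport is applied to, since a stale 1 carried across handshakes would make the new condition equivalent to the old `namedGroup == 0` check it is replacing. The bitfield comment `/* SH sent with key share */` would be clearer as `/* ServerHello carried a key_share extension; set by TLSX_KeyShare_Parse */`, which also documents where the flag is produced for the reader of `DoTls13ServerHello`. Both `TLSX_KeyShare_Parse` and `DoTls13ServerHello` start and end outside their hunks, so the message-type guard that presumably confines the assignment to the server_hello branch is not visible here.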