summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-02-25 07:54:09 +1300
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-03-06 10:09:05 +0530
commit6781da83ae3e6b73d38df05fb1955ce9608ffe5f (patch)
tree8946ff5dfe0cb434b226139e8a8629697e23d88d /meta-networking
parent9039381ef0352e71c066e0e7994740deac464db1 (diff)
downloadmeta-openembedded-6781da83ae3e6b73d38df05fb1955ce9608ffe5f.tar.gz
wolfssl: patch CVE-2025-13912
Backport changes from PR[1] mentioned in nvd[2] [1] https://github.com/wolfSSL/wolfssl/pull/9148 [2] https://nvd.nist.gov/vuln/detail/CVE-2025-13912 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-13912.patch439
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb1
2 files changed, 440 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-13912.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-13912.patch
new file mode 100644
index 0000000000..32252058f7
--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-13912.patch
@@ -0,0 +1,439 @@
1From 797e0e7abf5830d515ca838201c03a47f83356b0 Mon Sep 17 00:00:00 2001
2From: Daniel Pouzzner <douzzer@wolfssl.com>
3Date: Tue, 30 Sep 2025 20:35:52 -0500
4Subject: [PATCH] Merge pull request #9148 from SparkiDev/ct_volatile
5
6Mark variables as volatile
7
8CVE: CVE-2025-13912
9Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/234ba7780ad3b7c8c1509973accdc43ed6c328b3]
10Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
11---
12 src/internal.c | 25 ++++++++++++---------
13 src/tls.c | 8 +++++--
14 wolfcrypt/src/aes.c | 4 ++--
15 wolfcrypt/src/ecc.c | 8 +++----
16 wolfcrypt/src/misc.c | 4 ++--
17 wolfcrypt/src/rsa.c | 18 +++++++++------
18 wolfcrypt/src/sp_int.c | 51 ++++++++++++++++++++++--------------------
19 7 files changed, 67 insertions(+), 51 deletions(-)
20
21diff --git a/src/internal.c b/src/internal.c
22index eb2f16d63..6b3a227bc 100644
23--- a/src/internal.c
24+++ b/src/internal.c
25@@ -20887,7 +20887,7 @@ static byte MaskPadding(const byte* data, int sz, int macSz)
26 checkSz = TLS_MAX_PAD_SZ;
27
28 for (i = 0; i < checkSz; i++) {
29- byte mask = ctMaskLTE(i, paddingSz);
30+ volatile byte mask = ctMaskLTE(i, paddingSz);
31 good |= mask & (data[sz - 1 - i] ^ paddingSz);
32 }
33
34@@ -20907,16 +20907,21 @@ static byte MaskPadding(const byte* data, int sz, int macSz)
35 static byte MaskMac(const byte* data, int sz, int macSz, byte* expMac)
36 {
37 int i, j;
38- unsigned char mac[WC_MAX_DIGEST_SIZE];
39- int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
40- int macEnd = sz - 1 - data[sz - 1];
41- int macStart = macEnd - macSz;
42 int r = 0;
43- unsigned char started, notEnded;
44+ unsigned char mac[WC_MAX_DIGEST_SIZE];
45+ volatile int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
46+ volatile int macEnd = sz - 1 - data[sz - 1];
47+ volatile int macStart = macEnd - macSz;
48+ volatile int maskScanStart;
49+ volatile int maskMacStart;
50+ volatile unsigned char started;
51+ volatile unsigned char notEnded;
52 unsigned char good = 0;
53
54- scanStart &= ctMaskIntGTE(scanStart, 0);
55- macStart &= ctMaskIntGTE(macStart, 0);
56+ maskScanStart = ctMaskIntGTE(scanStart, 0);
57+ maskMacStart = ctMaskIntGTE(macStart, 0);
58+ scanStart &= maskScanStart;
59+ macStart &= maskMacStart;
60
61 /* Div on Intel has different speeds depending on value.
62 * Use a bitwise AND or mod a specific value (converted to mul). */
63@@ -41636,7 +41641,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
64 case rsa_kea:
65 {
66 RsaKey* key = (RsaKey*)ssl->hsKey;
67- int lenErrMask;
68+ volatile int lenErrMask;
69
70 ret = RsaDec(ssl,
71 input + args->idx,
72@@ -41850,7 +41855,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
73 case rsa_kea:
74 {
75 byte *tmpRsa;
76- byte mask;
77+ volatile byte mask;
78
79 /* Add the signature length to idx */
80 args->idx += args->length;
81diff --git a/src/tls.c b/src/tls.c
82index 6ad21c924..4f57ea938 100644
83--- a/src/tls.c
84+++ b/src/tls.c
85@@ -944,7 +944,10 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
86 unsigned int k;
87 int blockBits, blockMask;
88 int lastBlockLen, extraLen, eocIndex;
89- int blocks, safeBlocks, lenBlock, eocBlock;
90+ int blocks;
91+ int safeBlocks;
92+ int lenBlock;
93+ int eocBlock;
94 word32 maxLen;
95 int blockSz, padSz;
96 int ret;
97@@ -1054,7 +1057,8 @@ static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
98
99 for (j = 0; j < blockSz; j++) {
100 unsigned char atEoc = ctMaskEq(j, eocIndex) & isEocBlock;
101- unsigned char pastEoc = ctMaskGT(j, eocIndex) & isEocBlock;
102+ volatile unsigned char maskPastEoc = ctMaskGT(j, eocIndex);
103+ volatile unsigned char pastEoc = maskPastEoc & isEocBlock;
104 unsigned char b = 0;
105
106 if (k < headerSz)
107diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
108index 6e7f104dd..2cf7c695e 100644
109--- a/wolfcrypt/src/aes.c
110+++ b/wolfcrypt/src/aes.c
111@@ -6577,7 +6577,7 @@ static WC_INLINE void RIGHTSHIFTX(byte* x)
112 {
113 int i;
114 int carryIn = 0;
115- byte borrow = (byte)((0x00U - (x[15] & 0x01U)) & 0xE1U);
116+ volatile byte borrow = (byte)((0x00U - (x[15] & 0x01U)) & 0xE1U);
117
118 for (i = 0; i < WC_AES_BLOCK_SIZE; i++) {
119 int carryOut = (x[i] & 0x01) << 7;
120@@ -9113,7 +9113,7 @@ int WARN_UNUSED_RESULT AES_GCM_decrypt_C(
121 ALIGN16 byte scratch[WC_AES_BLOCK_SIZE];
122 ALIGN16 byte Tprime[WC_AES_BLOCK_SIZE];
123 ALIGN16 byte EKY0[WC_AES_BLOCK_SIZE];
124- sword32 res;
125+ volatile sword32 res;
126
127 if (ivSz == GCM_NONCE_MID_SZ) {
128 /* Counter is IV with bottom 4 bytes set to: 0x00,0x00,0x00,0x01. */
129diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
130index 6d4cd4de7..1fd30cfd9 100644
131--- a/wolfcrypt/src/ecc.c
132+++ b/wolfcrypt/src/ecc.c
133@@ -3166,7 +3166,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
134 ecc_point** R, mp_int* a, mp_int* modulus, mp_digit mp, WC_RNG* rng)
135 {
136 int err = MP_OKAY;
137- int bytes = (mp_count_bits(modulus) + 7) / 8;
138+ int bytes = (mp_count_bits(modulus) + 7) >> 3;
139 int i;
140 int j = 1;
141 int cnt = DIGIT_BIT;
142@@ -3406,7 +3406,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* P, ecc_point* Q,
143 ecc_point** R, mp_int* a, mp_int* modulus, mp_digit mp, WC_RNG* rng)
144 {
145 int err = MP_OKAY;
146- int bytes = (mp_count_bits(modulus) + 7) / 8;
147+ int bytes = (mp_count_bits(modulus) + 7) >> 3;
148 int i;
149 int j = 1;
150 int cnt;
151@@ -4450,7 +4450,7 @@ int wc_ecc_get_curve_id_from_params(int fieldSize,
152 Gx == NULL || Gy == NULL)
153 return BAD_FUNC_ARG;
154
155- curveSz = (fieldSize + 1) / 8; /* round up */
156+ curveSz = (fieldSize + 1) >> 3; /* round up */
157
158 for (idx = 0; ecc_sets[idx].size != 0; idx++) {
159 if (curveSz == ecc_sets[idx].size) {
160@@ -11922,7 +11922,7 @@ int wc_ecc_sig_size(const ecc_key* key)
161 keySz = key->dp->size;
162 orderBits = wc_ecc_get_curve_order_bit_count(key->dp);
163 if (orderBits > keySz * 8) {
164- keySz = (orderBits + 7) / 8;
165+ keySz = (orderBits + 7) >> 3;
166 }
167 /* maximum possible signature header size is 7 bytes */
168 maxSigSz = (keySz * 2) + SIG_HEADER_SZ;
169diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
170index 98b83c7ae..496b0dbcc 100644
171--- a/wolfcrypt/src/misc.c
172+++ b/wolfcrypt/src/misc.c
173@@ -762,7 +762,7 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
174 WC_MISC_STATIC WC_INLINE word32 min(word32 a, word32 b)
175 {
176 #if !defined(WOLFSSL_NO_CT_OPS) && defined(WORD64_AVAILABLE)
177- word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
178+ volatile word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
179 return (a & ~gte_mask) | (b & gte_mask);
180 #else /* WOLFSSL_NO_CT_OPS */
181 return a > b ? b : a;
182@@ -778,7 +778,7 @@ WC_MISC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
183 WC_MISC_STATIC WC_INLINE word32 max(word32 a, word32 b)
184 {
185 #if !defined(WOLFSSL_NO_CT_OPS) && defined(WORD64_AVAILABLE)
186- word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
187+ volatile word32 gte_mask = (word32)ctMaskWord32GTE(a, b);
188 return (a & gte_mask) | (b & ~gte_mask);
189 #else /* WOLFSSL_NO_CT_OPS */
190 return a > b ? a : b;
191diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
192index 94d57bd8b..acd0c04c5 100644
193--- a/wolfcrypt/src/rsa.c
194+++ b/wolfcrypt/src/rsa.c
195@@ -1561,11 +1561,11 @@ static int RsaUnPad_OAEP(byte *pkcsBlock, unsigned int pkcsBlockLen,
196 byte* optLabel, word32 labelLen, void* heap)
197 {
198 word32 hLen;
199- int ret;
200+ volatile int ret;
201 byte h[WC_MAX_DIGEST_SIZE]; /* max digest size */
202 word32 idx;
203 word32 i;
204- word32 inc;
205+ volatile word32 inc;
206
207 #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC)
208 byte* tmp = NULL;
209@@ -1850,9 +1850,11 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
210 }
211 #ifndef WOLFSSL_RSA_VERIFY_ONLY
212 else {
213- unsigned int j;
214- word16 pastSep = 0;
215- byte invalid = 0;
216+ unsigned int j;
217+ volatile word16 pastSep = 0;
218+ volatile byte invalid = 0;
219+ volatile byte minPad;
220+ volatile int invalidMask;
221
222 i = 0;
223 /* Decrypted with private key - unpad must be constant time. */
224@@ -1864,7 +1866,8 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
225 }
226
227 /* Minimum of 11 bytes of pre-message data - including leading 0x00. */
228- invalid |= ctMaskLT(i, RSA_MIN_PAD_SZ);
229+ minPad = ctMaskLT(i, RSA_MIN_PAD_SZ);
230+ invalid |= minPad;
231 /* Must have seen separator. */
232 invalid |= (byte)~pastSep;
233 /* First byte must be 0x00. */
234@@ -1873,7 +1876,8 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
235 invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
236
237 *output = (byte *)(pkcsBlock + i);
238- ret = ((int)-1 + (int)(invalid >> 7)) & ((int)pkcsBlockLen - i);
239+ invalidMask = (int)-1 + (int)(invalid >> 7);
240+ ret = invalidMask & ((int)pkcsBlockLen - i);
241 }
242 #endif
243
244diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c
245index 1769840e7..0ee8aa252 100644
246--- a/wolfcrypt/src/sp_int.c
247+++ b/wolfcrypt/src/sp_int.c
248@@ -5502,7 +5502,7 @@ int sp_exch(sp_int* a, sp_int* b)
249 int sp_cond_swap_ct_ex(sp_int* a, sp_int* b, int cnt, int swap, sp_int* t)
250 {
251 unsigned int i;
252- sp_int_digit mask = (sp_int_digit)0 - (sp_int_digit)swap;
253+ volatile sp_int_digit mask = (sp_int_digit)0 - (sp_int_digit)swap;
254
255 /* XOR other fields in sp_int into temp - mask set when swapping. */
256 t->used = (a->used ^ b->used) & (sp_size_t)mask;
257@@ -5772,7 +5772,7 @@ static int _sp_cmp_ct(const sp_int* a, const sp_int* b, unsigned int n)
258 {
259 int ret = MP_EQ;
260 int i;
261- int mask = -1;
262+ volatile int mask = -1;
263
264 for (i = n - 1; i >= 0; i--) {
265 sp_int_digit ad = a->dp[i] & ((sp_int_digit)0 - (i < (int)a->used));
266@@ -7305,7 +7305,8 @@ static void _sp_div_2(const sp_int* a, sp_int* r)
267
268 /* Shift down each word by 1 and include bottom bit of next at top. */
269 for (i = 0; i < (int)a->used - 1; i++) {
270- r->dp[i] = (a->dp[i] >> 1) | (a->dp[i+1] << (SP_WORD_SIZE - 1));
271+ r->dp[i] = a->dp[i] >> 1;
272+ r->dp[i] |= a->dp[i+1] << (SP_WORD_SIZE - 1);
273 }
274 /* Last word only needs to be shifted down. */
275 r->dp[i] = a->dp[i] >> 1;
276@@ -7385,7 +7386,7 @@ int sp_div_2_mod_ct(const sp_int* a, const sp_int* m, sp_int* r)
277 sp_int_digit t;
278 #endif
279 /* Mask to apply to modulus. */
280- sp_int_digit mask = (sp_int_digit)0 - (a->dp[0] & 1);
281+ volatile sp_int_digit mask = (sp_int_digit)0 - (a->dp[0] & 1);
282 sp_size_t i;
283
284 #if 0
285@@ -7396,7 +7397,7 @@ int sp_div_2_mod_ct(const sp_int* a, const sp_int* m, sp_int* r)
286 /* Add a to m, if a is odd, into r in constant time. */
287 for (i = 0; i < m->used; i++) {
288 /* Mask to apply to a - set when used value at index. */
289- sp_int_digit mask_a = (sp_int_digit)0 - (i < a->used);
290+ volatile sp_int_digit mask_a = (sp_int_digit)0 - (i < a->used);
291
292 #ifndef SQR_MUL_ASM
293 /* Conditionally add modulus. */
294@@ -8017,7 +8018,7 @@ static void sp_clamp_ct(sp_int* a)
295 {
296 int i;
297 sp_size_t used = a->used;
298- sp_size_t mask = (sp_size_t)-1;
299+ volatile sp_size_t mask = (sp_size_t)-1;
300
301 for (i = (int)a->used - 1; i >= 0; i--) {
302 #if ((SP_WORD_SIZE == 64) && \
303@@ -8066,9 +8067,9 @@ int sp_addmod_ct(const sp_int* a, const sp_int* b, const sp_int* m, sp_int* r)
304 sp_int_digit sh;
305 sp_int_digit t;
306 #endif
307- sp_int_digit mask;
308- sp_int_digit mask_a = (sp_int_digit)-1;
309- sp_int_digit mask_b = (sp_int_digit)-1;
310+ volatile sp_int_digit mask;
311+ volatile sp_int_digit mask_a = (sp_int_digit)-1;
312+ volatile sp_int_digit mask_b = (sp_int_digit)-1;
313 sp_size_t i;
314
315 /* Check result is as big as modulus. */
316@@ -8230,9 +8231,9 @@ static void _sp_submod_ct(const sp_int* a, const sp_int* b, const sp_int* m,
317 sp_int_digit h;
318 sp_int_digit t;
319 #endif
320- sp_int_digit mask;
321- sp_int_digit mask_a = (sp_int_digit)-1;
322- sp_int_digit mask_b = (sp_int_digit)-1;
323+ volatile sp_int_digit mask;
324+ volatile sp_int_digit mask_a = (sp_int_digit)-1;
325+ volatile sp_int_digit mask_b = (sp_int_digit)-1;
326 unsigned int i;
327
328 /* In constant time, subtract b from a putting result in r. */
329@@ -17458,7 +17459,7 @@ static int _sp_mont_red(sp_int* a, const sp_int* m, sp_int_digit mp, int ct)
330 /* 1. mask = (1 << (NumBits(m) % WORD_SIZE)) - 1
331 * Mask when last digit of modulus doesn't have highest bit set.
332 */
333- sp_int_digit mask = (sp_int_digit)
334+ volatile sp_int_digit mask = (sp_int_digit)
335 (((sp_int_digit)1 << (bits & (SP_WORD_SIZE - 1))) - 1);
336 /* Overflow. */
337 sp_int_word o = 0;
338@@ -17539,7 +17540,7 @@ static int _sp_mont_red(sp_int* a, const sp_int* m, sp_int_digit mp, int ct)
339 int bits;
340 sp_int_digit mu;
341 sp_int_digit o;
342- sp_int_digit mask;
343+ volatile sp_int_digit mask;
344
345 #if 0
346 sp_print(a, "a");
347@@ -18041,7 +18042,7 @@ int sp_unsigned_bin_size(const sp_int* a)
348 int cnt = 0;
349
350 if (a != NULL) {
351- cnt = (sp_count_bits(a) + 7) / 8;
352+ cnt = (sp_count_bits(a) + 7) >> 3;
353 }
354
355 return cnt;
356@@ -18265,20 +18266,22 @@ int sp_to_unsigned_bin_len_ct(const sp_int* a, byte* out, int outSz)
357 /* Start at the end of the buffer - least significant byte. */
358 int j;
359 unsigned int i;
360- sp_int_digit mask = (sp_int_digit)-1;
361+ volatile sp_int_digit mask = (sp_int_digit)-1;
362 sp_int_digit d;
363
364 /* Put each digit in. */
365 i = 0;
366 for (j = outSz - 1; j >= 0; ) {
367 unsigned int b;
368+ volatile unsigned int notFull = (i < (unsigned int)a->used - 1);
369+
370 d = a->dp[i];
371 /* Place each byte of a digit into the buffer. */
372 for (b = 0; (j >= 0) && (b < SP_WORD_SIZEOF); b++) {
373 out[j--] = (byte)(d & mask);
374 d >>= 8;
375 }
376- mask &= (sp_int_digit)0 - (i < (unsigned int)a->used - 1);
377+ mask &= (sp_int_digit)0 - notFull;
378 i += (unsigned int)(1 & mask);
379 }
380 }
381@@ -18289,7 +18292,7 @@ int sp_to_unsigned_bin_len_ct(const sp_int* a, byte* out, int outSz)
382 if (err == MP_OKAY) {
383 unsigned int i;
384 int j;
385- sp_int_digit mask = (sp_int_digit)-1;
386+ volatile sp_int_digit mask = (sp_int_digit)-1;
387
388 i = 0;
389 for (j = outSz - 1; j >= 0; j--) {
390@@ -18360,11 +18363,12 @@ static int _sp_read_radix_16(sp_int* a, const char* in)
391 /* Step through string a character at a time starting at end - least
392 * significant byte. */
393 for (i = (int)(XSTRLEN(in) - 1); i >= 0; i--) {
394+ volatile char c = in[i];
395 /* Convert character from hex. */
396- int ch = (int)HexCharToByte(in[i]);
397+ int ch = (int)HexCharToByte(c);
398 /* Check for invalid character. */
399 if (ch < 0) {
400- if (!eol_done && CharIsWhiteSpace(in[i]))
401+ if (!eol_done && CharIsWhiteSpace(c))
402 continue;
403 err = MP_VAL;
404 break;
405@@ -18424,7 +18428,6 @@ static int _sp_read_radix_10(sp_int* a, const char* in)
406 {
407 int err = MP_OKAY;
408 int i;
409- char ch;
410
411 /* Start with a being zero. */
412 _sp_zero(a);
413@@ -18432,7 +18435,7 @@ static int _sp_read_radix_10(sp_int* a, const char* in)
414 /* Process all characters. */
415 for (i = 0; in[i] != '\0'; i++) {
416 /* Get character. */
417- ch = in[i];
418+ volatile char ch = in[i];
419 /* Check character is valid. */
420 if ((ch >= '0') && (ch <= '9')) {
421 /* Assume '0'..'9' are continuous values as characters. */
422@@ -18794,7 +18797,7 @@ int sp_radix_size(const sp_int* a, int radix, int* size)
423 }
424 else {
425 /* Count of nibbles. */
426- int cnt = (sp_count_bits(a) + 3) / 4;
427+ int cnt = (sp_count_bits(a) + 3) >> 2;
428 #ifndef WC_DISABLE_RADIX_ZERO_PAD
429 /* Must have even number of nibbles to have complete bytes. */
430 if (cnt & 1) {
431@@ -19404,7 +19407,7 @@ static int _sp_prime_random_trials(const sp_int* a, int trials, int* result,
432 {
433 int err = MP_OKAY;
434 int bits = sp_count_bits(a);
435- word32 baseSz = ((word32)bits + 7) / 8;
436+ word32 baseSz = ((word32)bits + 7) >> 3;
437 DECL_SP_INT_ARRAY(ds, a->used + 1, 2);
438 DECL_SP_INT_ARRAY(d, a->used * 2 + 1, 2);
439
diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
index af591cfd7a..9cd7c07ad2 100644
--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.8.0.bb
@@ -16,6 +16,7 @@ SRC_URI = " \
16 git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \ 16 git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
17 file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \ 17 file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \
18 file://run-ptest \ 18 file://run-ptest \
19 file://CVE-2025-13912.patch \
19" 20"
20 21
21SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285" 22SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"