wolfssl: patch CVE-2025-7395

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395

Backport the patches from the PR[1] that is referenced by the project's
changelog[2] to fix this issue.

[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch

@@ -0,0 +1,84 @@
+From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
+From: Ruby Martin <ruby@wolfssl.com>
+Date: Mon, 2 Jun 2025 16:38:32 -0600
+Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
+ domain name checking
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6bbd38fa8..2b090382f 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
+ #include <Security/SecCertificate.h>
+ #include <Security/SecTrust.h>
+ #include <Security/SecPolicy.h>
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
+                                             int totalCerts);
+ #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+ 
+@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+             if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+-                if (DoAppleNativeCertValidation(args->certs,
++                if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {
+                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
+                     ret = 0;
+@@ -41246,7 +41246,8 @@ cleanup:
+  * wolfSSL's built-in certificate validation mechanisms anymore. We instead
+  * must call into the Security Framework APIs to authenticate peer certificates
+  */
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
++                                            const WOLFSSL_BUFFER_INFO* certs,
+                                             int totalCerts)
+ {
+     int i;
+@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+     CFMutableArrayRef certArray = NULL;
+     SecCertificateRef secCert   = NULL;
+     SecTrustRef       trust     = NULL;
+-    SecPolicyRef      policy    = NULL ;
++    SecPolicyRef      policy    = NULL;
++    CFStringRef       hostname  = NULL;
+ 
+     WOLFSSL_ENTER("DoAppleNativeCertValidation");
+ 
+@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+     }
+ 
+     /* Create trust object for SecCertifiate Ref */
+-    policy = SecPolicyCreateSSL(true, NULL);
++    if (ssl->buffers.domainName.buffer &&
++            ssl->buffers.domainName.length > 0) {
++        /* Create policy with specified value to require host name match */
++        hostname = CFStringCreateWithCString(kCFAllocatorDefault,
++        (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++    }
++    if (hostname != NULL) {
++        policy = SecPolicyCreateSSL(true, hostname);
++    } else {
++        policy = SecPolicyCreateSSL(true, NULL);
++    }
+     status = SecTrustCreateWithCertificates(certArray, policy, &trust);
+     if (status != errSecSuccess) {
+         WOLFSSL_MSG_EX("Error creating trust object, "
+@@ -41314,6 +41326,9 @@ cleanup:
+     if (policy) {
+         CFRelease(policy);
+     }
++    if (hostname) {
++        CFRelease(hostname);
++    }
+ 
+     WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
+ 

meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch

@@ -0,0 +1,27 @@
+From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 15:48:15 -0600
+Subject: [PATCH] prevent apple native cert validation from overriding error
+ codes other than ASN_NO_SIGNER_E
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 2b090382f..79f584a0a 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+             /* If we can't validate the peer cert chain against the CAs loaded
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+-            if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
++            if ((ret == ASN_NO_SIGNER_E) &&
++                (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                 if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {
+                     WOLFSSL_MSG("Apple native cert chain validation SUCCESS");

meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch

@@ -0,0 +1,25 @@
+From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 16:56:16 -0600
+Subject: [PATCH] add missing error trace macro
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 79f584a0a..5557b5698 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+             /* If we can't validate the peer cert chain against the CAs loaded
+              * into wolfSSL, try to validate against the system certificates
+              * using Apple's native trust APIs */
+-            if ((ret == ASN_NO_SIGNER_E) &&
++            if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+                 (ssl->ctx->doAppleNativeCertValidationFlag)) {
+                 if (DoAppleNativeCertValidation(ssl, args->certs,
+                                                      args->totalCerts)) {

meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb

@@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 PROVIDES += "cyassl"
 RPROVIDES:${PN} = "cyassl"
 
-SRC_URI = " \
-    git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
-    file://run-ptest \
-"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
+           file://run-ptest \
+           file://CVE-2025-7395-1.patch \
+           file://CVE-2025-7395-2.patch \
+           file://CVE-2025-7395-3.patch \
+           "
 SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
 
 S = "${WORKDIR}/git"