From 8ef7b4ee4ba77a8d58e734753d1c87b1d4d332d7 Mon Sep 17 00:00:00 2001
From: Sander van Deijck <sander@vandeijck.com>
Date: Fri, 24 Apr 2026 02:43:03 +0200
Subject: [PATCH] wolfssl: update to 5.9.1

For changes, see:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.9.1-stable

This includes a fix for a critical (CVSS 9.3) vulnerability:
https://github.com/advisories/GHSA-f5h9-5q52-qrx7

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
Link: https://github.com/openwrt/openwrt/pull/23072
Signed-off-by: Nick Hainke <vincent@systemli.org>
---
 package/libs/wolfssl/Makefile                                 | 4 ++--
 .../libs/wolfssl/patches/100-disable-hardening-check.patch    | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 866ccb635f..958a569a4e 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=5.9.0
+PKG_VERSION:=5.9.1
 PKG_REAL_VERSION:=$(PKG_VERSION)-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_REAL_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_REAL_VERSION)
-PKG_HASH:=6efc62b86f145a5c52bfd62294ca66c20ce85b54e9033f5d7e0ee73eb30306c1
+PKG_HASH:=d5ca7af48cd2d9a91d539e9baedeba55a0605a28d7ac8b01dc3d5254a13ca341
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_REAL_VERSION)
 
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 7a2674327d..a31905ad89 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -4122,7 +4122,7 @@ extern void uITRON4_free(void *p) ;
+@@ -4154,7 +4154,7 @@ extern void uITRON4_free(void *p) ;
  
  /* warning for not using harden build options (default with ./configure) */
  /* do not warn if big integer support is disabled */