From c7e82be4b55e5a993e635135728b3436df83c69d Mon Sep 17 00:00:00 2001
From: Shawn Thiah <shawn.thiah@kape.com>
Date: Thu, 26 Mar 2026 14:46:08 +0800
Subject: [PATCH 1/3] wolfssl: upgrade to 5.9.0

---
 Cargo.lock               | 111 +++++++++++++++------------------------
 Cargo.toml               |   6 ++-
 lightway-core/Cargo.toml |   2 +-
 3 files changed, 48 insertions(+), 71 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 01833a81..8560d78e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -172,9 +172,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-rs"
-version = "1.16.1"
+version = "1.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf"
+checksum = "a054912289d18629dc78375ba2c3726a3afe3ff71b4edba9dedfca0e3446d1fc"
 dependencies = [
  "aws-lc-sys",
  "untrusted",
@@ -183,9 +183,9 @@ dependencies = [
 
 [[package]]
 name = "aws-lc-sys"
-version = "0.38.0"
+version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e"
+checksum = "1fa7e52a4c5c547c741610a2c6f123f3881e409b714cd27e6798ef020c514f0a"
 dependencies = [
  "cc",
  "cmake",
@@ -498,9 +498,9 @@ dependencies = [
 
 [[package]]
 name = "core-foundation"
-version = "0.9.4"
+version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -659,9 +659,9 @@ dependencies = [
 
 [[package]]
 name = "derive-deftly"
-version = "1.7.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ade443ded9d40f4b7cde2d7a1ae475881df23f7148b3f0817f758306959a66f3"
+checksum = "19d58941910ab2a3c37d104db454733de67ebc23d56fc1ac32f8eaf851c5d0ed"
 dependencies = [
  "derive-deftly-macros",
  "heck 0.5.0",
@@ -669,9 +669,9 @@ dependencies = [
 
 [[package]]
 name = "derive-deftly-macros"
-version = "1.7.0"
+version = "1.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61728d654c470a5af0f0746ee9ac295848c1d037849f7bf75360d083e8c19d86"
+checksum = "dbcc364debee2951fd1a8763fab27b9347311c9f6b48c9919e9e6abcae65c996"
 dependencies = [
  "heck 0.5.0",
  "indexmap 2.13.0",
@@ -682,6 +682,7 @@ dependencies = [
  "sha3",
  "strum 0.28.0",
  "syn 2.0.117",
+ "unicode-ident",
  "void",
 ]
 
@@ -1279,9 +1280,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.17"
+version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
 
 [[package]]
 name = "jobserver"
@@ -1700,16 +1701,16 @@ dependencies = [
 
 [[package]]
 name = "netconfig-rs"
-version = "0.1.5"
+version = "0.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "207561c8758738388c2fd851c3e759f503583d8dd70ddc895baae806753ad4c9"
+checksum = "733ad7a1352f0748a620368f2ea5cd94f0e449c5108fbac86ace31df1601bf6f"
 dependencies = [
  "cfg-if",
  "core-foundation",
  "ipnet",
  "libc",
- "netlink-packet-core 0.7.0",
- "netlink-packet-route 0.24.0",
+ "netlink-packet-core",
+ "netlink-packet-route 0.25.1",
  "netlink-sys",
  "nix 0.30.1",
  "scopeguard",
@@ -1719,17 +1720,6 @@ dependencies = [
  "windows",
 ]
 
-[[package]]
-name = "netlink-packet-core"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72724faf704479d67b388da142b186f916188505e7e0b26719019c525882eda4"
-dependencies = [
- "anyhow",
- "byteorder",
- "netlink-packet-utils",
-]
-
 [[package]]
 name = "netlink-packet-core"
 version = "0.8.1"
@@ -1741,17 +1731,14 @@ dependencies = [
 
 [[package]]
 name = "netlink-packet-route"
-version = "0.24.0"
+version = "0.25.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56d83370a96813d7c977f8b63054f1162df6e5784f1c598d689236564fb5a6f2"
+checksum = "3ec2f5b6839be2a19d7fa5aab5bc444380f6311c2b693551cb80f45caaa7b5ef"
 dependencies = [
- "anyhow",
  "bitflags",
- "byteorder",
  "libc",
  "log",
- "netlink-packet-core 0.7.0",
- "netlink-packet-utils",
+ "netlink-packet-core",
 ]
 
 [[package]]
@@ -1763,19 +1750,7 @@ dependencies = [
  "bitflags",
  "libc",
  "log",
- "netlink-packet-core 0.8.1",
-]
-
-[[package]]
-name = "netlink-packet-utils"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ede8a08c71ad5a95cdd0e4e52facd37190977039a4704eb82a283f713747d34"
-dependencies = [
- "anyhow",
- "byteorder",
- "paste",
- "thiserror 1.0.69",
+ "netlink-packet-core",
 ]
 
 [[package]]
@@ -1861,9 +1836,9 @@ dependencies = [
 
 [[package]]
 name = "num-conv"
-version = "0.2.0"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050"
+checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967"
 
 [[package]]
 name = "num-integer"
@@ -2386,7 +2361,7 @@ checksum = "319bb478ff9aae1dc7a544fa599e9eb47e2521621dc3921fba6abcaaa312092c"
 dependencies = [
  "flume",
  "libc",
- "netlink-packet-core 0.8.1",
+ "netlink-packet-core",
  "netlink-packet-route 0.28.0",
  "netlink-sys",
  "tokio",
@@ -2799,9 +2774,9 @@ dependencies = [
 
 [[package]]
 name = "system-configuration-sys"
-version = "0.5.0"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9"
+checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4"
 dependencies = [
  "core-foundation-sys",
  "libc",
@@ -2996,18 +2971,18 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "1.0.0+spec-1.1.0"
+version = "1.1.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32c2555c699578a4f59f0cc68e5116c8d7cabbd45e1409b989d4be085b53f13e"
+checksum = "97251a7c317e03ad83774a8752a7e81fb6067740609f75ea2b585b569a59198f"
 dependencies = [
  "serde_core",
 ]
 
 [[package]]
 name = "toml_edit"
-version = "0.25.4+spec-1.1.0"
+version = "0.25.8+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7193cbd0ce53dc966037f54351dbbcf0d5a642c7f0038c382ef9e677ce8c13f2"
+checksum = "16bff38f1d86c47f9ff0647e6838d7bb362522bdf44006c7068c2b1e606f1f3c"
 dependencies = [
  "indexmap 2.13.0",
  "toml_datetime",
@@ -3017,9 +2992,9 @@ dependencies = [
 
 [[package]]
 name = "toml_parser"
-version = "1.0.9+spec-1.1.0"
+version = "1.1.0+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4"
+checksum = "2334f11ee363607eb04df9b8fc8a13ca1715a72ba8662a26ac285c98aabb4011"
 dependencies = [
  "winnow",
 ]
@@ -3579,9 +3554,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
 [[package]]
 name = "winnow"
-version = "0.7.15"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df79d97927682d2fd8adb29682d1140b343be4ac0f08fd68b7765d9c059d3945"
+checksum = "a90e88e4667264a994d34e6d1ab2d26d398dcdca8b7f52bec8668957517fc7d8"
 dependencies = [
  "memchr",
 ]
@@ -3686,9 +3661,8 @@ dependencies = [
 
 [[package]]
 name = "wolfssl"
-version = "4.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d92fa0dbd3219b7ace546154e915e27e61dba1267ff11e79ce71af1beeda6c1"
+version = "5.0.0"
+source = "git+https://github.com/expressvpn/wolfssl-rs.git?branch=upgrade%2Fwolfssl-5.9.0#183ddc836e1f3ea8e8a968baa05411de8f8a483e"
 dependencies = [
  "bytes",
  "log",
@@ -3698,9 +3672,8 @@ dependencies = [
 
 [[package]]
 name = "wolfssl-sys"
-version = "3.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "906d2d45bc4afe77826d86c13c1c433a5e17bbe09dd1c0817f0a0f508a74e571"
+version = "4.0.0"
+source = "git+https://github.com/expressvpn/wolfssl-rs.git?branch=upgrade%2Fwolfssl-5.9.0#183ddc836e1f3ea8e8a968baa05411de8f8a483e"
 dependencies = [
  "autotools",
  "bindgen",
@@ -3719,18 +3692,18 @@ dependencies = [
 
 [[package]]
 name = "zerocopy"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2578b716f8a7a858b7f02d5bd870c14bf4ddbbcf3a4c05414ba6503640505e3"
+checksum = "efbb2a062be311f2ba113ce66f697a4dc589f85e78a4aea276200804cea0ed87"
 dependencies = [
  "zerocopy-derive",
 ]
 
 [[package]]
 name = "zerocopy-derive"
-version = "0.8.42"
+version = "0.8.47"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e6cc098ea4d3bd6246687de65af3f920c430e236bee1e3bf2e441463f08a02f"
+checksum = "0e8bc7269b54418e7aeeef514aa68f8690b8c0489a06b0136e5f57c4c5ccab89"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/Cargo.toml b/Cargo.toml
index 1e8a7b6d..5b8cf433 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -65,4 +65,8 @@ tracing = "0.1.37"
 tracing-subscriber = "0.3.17"
 tun-rs = { version = "2.5.1", features = ["async"] }
 twelf = { version = "0.15.0", default-features = false, features = ["env", "clap", "yaml", "custom_fn"]}
-windows-sys = "0.61.0"
\ No newline at end of file
+windows-sys = "0.61.0"
+
+[patch.crates-io]
+wolfssl = { git = "https://github.com/expressvpn/wolfssl-rs.git", branch = "upgrade/wolfssl-5.9.0" }
+wolfssl-sys = { git = "https://github.com/expressvpn/wolfssl-rs.git", branch = "upgrade/wolfssl-5.9.0" }
\ No newline at end of file
diff --git a/lightway-core/Cargo.toml b/lightway-core/Cargo.toml
index 746fbd28..b61a1c08 100644
--- a/lightway-core/Cargo.toml
+++ b/lightway-core/Cargo.toml
@@ -36,7 +36,7 @@ rand.workspace = true
 rand_core = "0.9.3"
 thiserror.workspace = true
 tracing.workspace = true
-wolfssl = "4.0.0"
+wolfssl = "5.0.0"
 
 [dev-dependencies]
 async-trait.workspace = true

From 5a88050c61800fb60dec9b024b20d9f2c288df38 Mon Sep 17 00:00:00 2001
From: Shawn Thiah <shawn.thiah@kape.com>
Date: Thu, 26 Mar 2026 14:58:43 +0800
Subject: [PATCH 2/3] nix: update wolfssl hash

---
 nix/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nix/default.nix b/nix/default.nix
index e7864a0f..6c6bc175 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -42,6 +42,9 @@ rustPlatform.buildRustPackage {
 
   cargoLock = {
     lockFile = ../Cargo.lock;
+    outputHashes = {
+      "wolfssl-5.0.0" = "sha256-u9hclks1wbrYsBqT9wpW4rKRuItpw76Ez8u+O509g/4=";
+    };
   };
 
   buildFeatures = features;

From 20d0dcdfc6be47821718c802895a1ab1520b6a09 Mon Sep 17 00:00:00 2001
From: Shawn Thiah <shawn.thiah@kape.com>
Date: Fri, 27 Mar 2026 11:11:08 +0800
Subject: [PATCH 3/3] ci: temporary fix

---
 deny.toml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 771ee56c..3945ab38 100644
--- a/deny.toml
+++ b/deny.toml
@@ -30,7 +30,6 @@ exceptions = [
     { name = "lightway-core", allow = ["AGPL-3.0-only"], version = "*" },
     { name = "lightway-server", allow = ["AGPL-3.0-only"], version = "*" },
     { name = "lightway-app-utils", allow = ["AGPL-3.0-only"], version = "*" },
-    { name = "aws-lc-sys", allow = ["OpenSSL"], version = "*" },
 ]
 
 [licenses.private]
@@ -47,6 +46,10 @@ external-default-features = "allow"
 unknown-registry = "deny"
 unknown-git = "deny"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = [
+    # Temporary: wolfssl-rs v5.9.0 upgrade branch (remove once published to crates.io)
+    "https://github.com/expressvpn/wolfssl-rs",
+]
 
 # See https://github.com/briansmith/ring/blob/main/LICENSE Ring
 # contains elements liscensed under all of ISC, MIT and OpenSSL