We're badly lagging behind: the latest 2.28 LTS release was published
in March 2025.  Releases that fixed security issues since 2.28.0:

2.28.5
Buffer overread in TLS stream cipher suites
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/

2.28.6
Not a security update but a relevant licensing update: Apache v2 OR
GPLv2-or-later

2.28.7
Timing side channel in private key RSA operations.
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
Buffer overflow in mbedtls_x509_set_extension()
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/

2.28.8
Insecure handling of shared memory in PSA Crypto APIs
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md

2.28.9
CTR_DRBG prioritized over HMAC_DRBG as the PSA DRBG
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/

2.28.10
Potential authentication bypass in TLS handshake
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
TLS clients may unwittingly skip server authentication
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

I think we want to update -current and -stable to 2.28.10 first so
here's a diff on top of -current.  make test passes on -current amd64
and i386, both with 2.28.0 and 2.28.10.  I also checked -stable on
amd64.  On -current arm64, with MAKE_JOBS=10:
- 2.28.0:
The following tests FAILED:
         84 - psa_crypto_storage_format.current-suite (Failed)
         85 - psa_crypto_storage_format.v0-suite (Failed)
         86 - psa_its-suite (Failed)
         90 - ssl-suite (Failed)
         93 - x509parse-suite (Failed)
- 2.28.10:
The following tests FAILED:
         81 - psa_crypto-suite (Failed)
         95 - psa_crypto_persistent_key-suite (Failed)
         98 - psa_crypto_slot_management-suite (Failed)
         99 - psa_crypto_storage_format.current-suite (Failed)
        100 - psa_crypto_storage_format.misc-suite (Failed)
        101 - psa_crypto_storage_format.v0-suite (Failed)
        102 - psa_its-suite (Failed)
but 2.28.10 tests appear to succeed when run with MAKE_JOBS=1.
That's... a bit unexpected and probably something to investigate!

Partial bulk builds on amd64 and arm64 show no build failures in
consumers.  sparc64 partial bulk build still ongoing.

Runtime very lightly tested with openvpn on -current amd64.  Test
reports from actual users are obviously welcome (minor bumps only so
no need to rebuild consumers).  ok?

PS: my current plan is to try to move -current to the 3.6 LTS branch.
openvpn-2.7.0 requires mbedtls-3.2.1 and landry@ apparently needs
mbedtls-3* for linphone.  I'd also like to move the port to
security/mbedtls, IMO using the official name makes it easier to find
the port and we have tools to make renaming painless for users.


Index: Makefile
===================================================================
RCS file: /cvs/ports/security/polarssl/Makefile,v
diff -u -p -r1.52 Makefile
--- Makefile    13 Feb 2026 18:53:44 -0000      1.52
+++ Makefile    13 Feb 2026 19:48:52 -0000
@@ -4,20 +4,19 @@ COMMENT=      SSL library with an intuitive A
 
 GH_ACCOUNT=    Mbed-TLS
 GH_PROJECT=    mbedtls
-GH_TAGNAME=    mbedtls-2.28.0
+GH_TAGNAME=    mbedtls-2.28.10
 DISTNAME=      ${GH_TAGNAME}
-REVISION=      2
 
 # check SOVERSION
-SHARED_LIBS +=  mbedtls                7.0
-SHARED_LIBS +=  mbedcrypto     5.0
-SHARED_LIBS +=  mbedx509       3.2
+SHARED_LIBS +=  mbedtls                7.1
+SHARED_LIBS +=  mbedcrypto     5.1
+SHARED_LIBS +=  mbedx509       3.3
 
 CATEGORIES=    security
 
 HOMEPAGE=      https://www.trustedfirmware.org/projects/mbed-tls/
 
-# Apache v2 (or commercial license)
+# Apache v2 or GPLv2+
 PERMIT_PACKAGE=        Yes
 
 WANTLIB += c pthread
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/polarssl/distinfo,v
diff -u -p -r1.32 distinfo
--- distinfo    21 Mar 2022 04:32:57 -0000      1.32
+++ distinfo    13 Feb 2026 19:48:52 -0000
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.28.0.tar.gz) = 9kQkjyPPBDFc+btY2IxMlHHBbKBTPs8z+G+3dJo+X6Y=
-SIZE (mbedtls-2.28.0.tar.gz) = 3712239
+SHA256 (mbedtls-2.28.10.tar.gz) = x4Xd8q1ml2q0KcNt/9SgIUkeQPBP5JPPw51u2RU7wkY=
+SIZE (mbedtls-2.28.10.tar.gz) = 4369924
Index: patches/patch-CMakeLists_txt
===================================================================
RCS file: /cvs/ports/security/polarssl/patches/patch-CMakeLists_txt,v
diff -u -p -r1.12 patch-CMakeLists_txt
--- patches/patch-CMakeLists_txt        2 Apr 2022 13:52:41 -0000       1.12
+++ patches/patch-CMakeLists_txt        13 Feb 2026 19:48:52 -0000
@@ -1,7 +1,7 @@
 Index: CMakeLists.txt
 --- CMakeLists.txt.orig
 +++ CMakeLists.txt
-@@ -200,8 +200,6 @@ if(CMAKE_COMPILER_IS_GNU)
+@@ -203,8 +203,6 @@ if(CMAKE_COMPILER_IS_GNU)
      if (GCC_VERSION VERSION_GREATER 7.0 OR GCC_VERSION VERSION_EQUAL 7.0)
        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-overflow=2 
-Wformat-truncation")
      endif()
@@ -10,7 +10,7 @@ Index: CMakeLists.txt
      set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
      set(CMAKE_C_FLAGS_ASAN        "-fsanitize=address -fno-common 
-fsanitize=undefined -fno-sanitize-recover=all -O3")
      set(CMAKE_C_FLAGS_ASANDBG     "-fsanitize=address -fno-common 
-fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer 
-fno-optimize-sibling-calls")
-@@ -211,8 +209,6 @@ endif(CMAKE_COMPILER_IS_GNU)
+@@ -214,8 +212,6 @@ endif(CMAKE_COMPILER_IS_GNU)
  
  if(CMAKE_COMPILER_IS_CLANG)
      set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings 
-Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 
-Wno-format-nonliteral")
@@ -19,7 +19,7 @@ Index: CMakeLists.txt
      set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
      set(CMAKE_C_FLAGS_ASAN        "-fsanitize=address -fno-common 
-fsanitize=undefined -fno-sanitize-recover=all -O3")
      set(CMAKE_C_FLAGS_ASANDBG     "-fsanitize=address -fno-common 
-fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer 
-fno-optimize-sibling-calls")
-@@ -236,7 +232,7 @@ if(MBEDTLS_FATAL_WARNINGS)
+@@ -241,7 +237,7 @@ if(MBEDTLS_FATAL_WARNINGS)
      endif(CMAKE_COMPILER_IS_MSVC)
  
      if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
Index: patches/patch-include_mbedtls_config_h
===================================================================
RCS file: /cvs/ports/security/polarssl/patches/patch-include_mbedtls_config_h,v
diff -u -p -r1.16 patch-include_mbedtls_config_h
--- patches/patch-include_mbedtls_config_h      21 Mar 2022 04:32:57 -0000      
1.16
+++ patches/patch-include_mbedtls_config_h      13 Feb 2026 19:48:52 -0000
@@ -4,7 +4,7 @@ www/hiawatha.
 Index: include/mbedtls/config.h
 --- include/mbedtls/config.h.orig
 +++ include/mbedtls/config.h
-@@ -2129,7 +2129,7 @@
+@@ -2309,7 +2309,7 @@
   *
   * Uncomment this to enable pthread mutexes.
   */
@@ -13,9 +13,9 @@ Index: include/mbedtls/config.h
  
  /**
   * \def MBEDTLS_USE_PSA_CRYPTO
-@@ -3452,7 +3452,7 @@
+@@ -3692,7 +3692,7 @@
   *
-  * Enable this layer to allow use of mutexes within mbed TLS
+  * Enable this layer to allow use of mutexes within Mbed TLS
   */
 -//#define MBEDTLS_THREADING_C
 +#define MBEDTLS_THREADING_C
Index: patches/patch-library_timing_c
===================================================================
RCS file: /cvs/ports/security/polarssl/patches/patch-library_timing_c,v
diff -u -p -r1.1 patch-library_timing_c
--- patches/patch-library_timing_c      2 Apr 2022 19:38:56 -0000       1.1
+++ patches/patch-library_timing_c      13 Feb 2026 19:48:52 -0000
@@ -3,21 +3,27 @@ Use unprivileged read from %tick registe
 Index: library/timing.c
 --- library/timing.c.orig
 +++ library/timing.c
-@@ -137,7 +137,7 @@ unsigned long mbedtls_timing_hardclock( void )
+@@ -120,18 +120,19 @@ unsigned long mbedtls_timing_hardclock(void)
  #if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
      defined(__GNUC__) && defined(__sparc64__)
  
 -#if defined(__OpenBSD__)
-+#if 0
- #warning OpenBSD does not allow access to tick register using software 
version instead
- #else
+-#warning OpenBSD does not allow access to tick register using software 
version instead
+-#else
  #define HAVE_HARDCLOCK
-@@ -145,7 +145,7 @@ unsigned long mbedtls_timing_hardclock( void )
- unsigned long mbedtls_timing_hardclock( void )
+ 
+ unsigned long mbedtls_timing_hardclock(void)
  {
      unsigned long tick;
--    asm volatile( "rdpr %%tick, %0;" : "=&r" (tick) );
-+    asm volatile( "rd %%tick, %0;" : "=&r" (tick) );
-     return( tick );
++#ifdef __OpenBSD__
++    /* OpenBSD allows unprivileged reads of %tick */
++    asm volatile ("rd %%tick, %0;" : "=&r" (tick));
++#else
+     asm volatile ("rdpr %%tick, %0;" : "=&r" (tick));
++#endif
+     return tick;
  }
- #endif /* __OpenBSD__ */
+-#endif /* __OpenBSD__ */
+ #endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+           __GNUC__ && __sparc64__ */
+ 
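Review bot: The rewritten `#ifdef __OpenBSD__` branch in `mbedtls_timing_hardclock()` is only compiled on sparc64, and the testing reported in the description covers amd64, i386 and arm64, with the sparc64 bulk build still running, so this path has not yet been shown to build or run. A `rd %tick` that the kernel does not permit from userland would fail at run time rather than at compile time, so a `make test` run on sparc64 is worth having before commit, assuming the test suite exercises the hardclock path. The new comment could also say why the instruction differs from the other branch, for example `/* rdpr is a privileged instruction; OpenBSD permits the unprivileged rd %tick */`.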
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/polarssl/pkg/PLIST,v
diff -u -p -r1.20 PLIST
--- pkg/PLIST   21 Mar 2022 04:32:57 -0000      1.20
+++ pkg/PLIST   13 Feb 2026 19:48:52 -0000
@@ -1,4 +1,24 @@
 @conflict polarssl-*
+include/everest/
+include/everest/Hacl_Curve25519.h
+include/everest/everest.h
+include/everest/kremlib/
+include/everest/kremlib.h
+include/everest/kremlib/FStar_UInt128.h
+include/everest/kremlib/FStar_UInt64_FStar_UInt32_FStar_UInt16_FStar_UInt8.h
+include/everest/kremlin/
+include/everest/kremlin/c_endianness.h
+include/everest/kremlin/internal/
+include/everest/kremlin/internal/builtin.h
+include/everest/kremlin/internal/callconv.h
+include/everest/kremlin/internal/compat.h
+include/everest/kremlin/internal/debug.h
+include/everest/kremlin/internal/target.h
+include/everest/kremlin/internal/types.h
+include/everest/kremlin/internal/wasmsupport.h
+include/everest/vs2010/
+include/everest/vs2010/Hacl_Curve25519.h
+include/everest/x25519.h
 include/mbedtls/
 include/mbedtls/aes.h
 include/mbedtls/aesni.h
@@ -103,6 +123,9 @@ include/psa/crypto_values.h
 @lib lib/libmbedtls.so.${LIBmbedtls_VERSION}
 @static-lib lib/libmbedx509.a
 @lib lib/libmbedx509.so.${LIBmbedx509_VERSION}
+lib/pkgconfig/mbedcrypto.pc
+lib/pkgconfig/mbedtls.pc
+lib/pkgconfig/mbedx509.pc
 share/doc/mbedtls/
 share/doc/mbedtls/ChangeLog
 share/doc/mbedtls/README.md
@@ -133,6 +156,7 @@ share/examples/mbedtls/README
 @bin share/examples/mbedtls/key_ladder_demo
 share/examples/mbedtls/key_ladder_demo.sh
 @bin share/examples/mbedtls/load_roots
+@bin share/examples/mbedtls/metatest
 @bin share/examples/mbedtls/mini_client
 @bin share/examples/mbedtls/mpi_demo
 @bin share/examples/mbedtls/pem2der

-- 
jca
