On Sat, Feb 14, 2026 at 03:24:56PM +0100, Jeremie Courreges-Anglas wrote:
> PS: my current plan is to try to move -current to the 3.6 LTS branch.
> openvpn-2.7.0 requires mbedtls-3.2.1 and landry@ apparently needs
> mbedtls-3* for linphone. I'd also like to move the port to
> security/mbedtls, IMO using the official name makes it easier to find
> the port and we have tools to make renaming painless for users.

So 2.28.10 is in, here's a tarball for security/mbedtls moving to 3.6.5
(latest LTS). I'll make a summary of the fixes in the commit message,
please look at https://github.com/Mbed-TLS/mbedtls/releases for now.

This also comes with a diff to tweak consumers. Two of them have been
a bit of a pain:
- the mbedtls v3 code in bctoolbox tries to use a non-default
  MBEDTLS_THREADING_ALT feature that is incompatible with
  MBEDTLS_THREADING_C - according to upstream anyway. Fix: IIUC no need
  to use that to get thread safety, according to the docs
  MBEDTLS_THREADING_C should be enough for the library to be usable in
  a multithreaded app. Untested. Landry, this one is for you.
- lang/haxe hasn't seen a release with the changes needed to cope with
  mbedtls v3. But at least there's a diff in the development/preview
  trees that looks a bit like the diff below (again untested)
  https://github.com/HaxeFoundation/haxe/commit/c3258892c3c829ddd9faddcc0167108e62c84390
  thfr: here I'll defer to you.

The rest of the consumers appeared to require no change. Consumers
build-tested on amd64 and arm64, mbedtls-3.6.5 build-tested on sparc64.

So:
1. ok to import mbedtls-3.6.5 as security/mbedtls?
2. thoughts/test reports/oks welcome on bctoolbox, haxe and the rest of
   the diff

Obviously since security/polarssl and security/mbedtls conflict the switch
has to happen in one go.

Cheers

Index: emulators/dolphin/Makefile =================================================================== RCS file: /home/cvs/ports/emulators/dolphin/Makefile,v diff -u -p -r1.26 Makefile --- emulators/dolphin/Makefile 13 Feb 2026 12:02:15 -0000 1.26 +++ emulators/dolphin/Makefile 16 Feb 2026 21:37:06 -0000 @@ -6,7 +6,7 @@ COMMENT-main = Nintendo GameCube and Wi COMMENT-nogui = Nintendo GameCube and Wii emulator PKGNAME = dolphin-5.0.0.20240524 -REVISION = 1 +REVISION = 2 DIST_TUPLE += github dolphin-emu dolphin \ 222a3930807545d9ebffebfbd13c3a816f788434 . # GPLv2
@@ -112,7 +112,7 @@ LIB_DEPENDS-nogui = archivers/lz4 \ multimedia/sfml \ net/curl \ net/miniupnp/miniupnpc \ - security/polarssl \ + security/mbedtls \ sysutils/xxhash \ textproc/pugixml LIB_DEPENDS-main = ${LIB_DEPENDS-nogui} \ Index: games/godot/Makefile =================================================================== RCS file: /home/cvs/ports/games/godot/Makefile,v diff -u -p -r1.58 Makefile --- games/godot/Makefile 18 Jan 2026 17:28:59 -0000 1.58 +++ games/godot/Makefile 16 Feb 2026 21:38:13 -0000 @@ -5,6 +5,7 @@ COMMENT-tools= 2D and 3D game engine (wi COMMENT-sharp= .NET libs for mono/C# module of Godot V = 3.6.2 +REVISION = 0 SHARPFILES_V = 3.5.2 DISTNAME = godot-${V}-stable PKGNAME = godot-${V} @@ -93,7 +94,7 @@ LIB_DEPENDS = archivers/zstd \ multimedia/libtheora \ multimedia/libvpx \ net/enet \ - security/polarssl + security/mbedtls RUN_DEPENDS-tools = devel/desktop-file-utils Index: games/godot4/Makefile =================================================================== RCS file: /home/cvs/ports/games/godot4/Makefile,v diff -u -p -r1.14 Makefile --- games/godot4/Makefile 14 Sep 2025 09:19:55 -0000 1.14 +++ games/godot4/Makefile 16 Feb 2026 21:41:14 -0000 @@ -9,6 +9,7 @@ COMMENT-main = 2D and 3D game engine COMMENT-editor= 2D and 3D game engine (with the editor) V = 4.4.1 +REVISION = 0 PKGNAME = godot4-${V} DIST_TUPLE += github godotengine godot ${V}-stable . DIST_TUPLE += github GodotSteam GodotSteam v4.3 godotsteam @@ -104,7 +105,7 @@ LIB_DEPENDS = archivers/zstd \ multimedia/libtheora \ net/enet \ net/miniupnp/miniupnpc \ - security/polarssl \ + security/mbedtls \ x11/dbus,-main \ x11/xkbcommon \ www/wslay Index: games/moonlight-qt/Makefile =================================================================== RCS file: /home/cvs/ports/games/moonlight-qt/Makefile,v diff -u -p -r1.11 Makefile --- games/moonlight-qt/Makefile 14 Dec 2025 18:30:02 -0000 1.11 +++ games/moonlight-qt/Makefile 16 Feb 2026 21:58:44 -0000 
@@ -5,7 +5,7 @@ PKGNAME = moonlight-qt-${V} DISTNAME = MoonlightSrc-${V} SITES = https://github.com/moonlight-stream/moonlight-qt/releases/download/v${V}/ -REVISION = 0 +REVISION = 1 CATEGORIES = games @@ -29,7 +29,7 @@ RUN_DEPENDS = x11/gtk+4,-guic \ # avoid build breakage due to dpb junking: moc creates dependencies on mbedtls # headers but does not actually use them because USE_MBEDTLS isn't defined. -BUILD_DEPENDS = security/polarssl +BUILD_DEPENDS = security/mbedtls LIB_DEPENDS = audio/opus \ devel/sdl2 \ Index: lang/hashlink/Makefile =================================================================== RCS file: /home/cvs/ports/lang/hashlink/Makefile,v diff -u -p -r1.24 Makefile --- lang/hashlink/Makefile 20 Jan 2026 14:30:14 -0000 1.24 +++ lang/hashlink/Makefile 16 Feb 2026 21:41:33 -0000 @@ -12,7 +12,7 @@ COMMENT = virtual machine for Haxe V = 1.15pl0 COMMIT = 109f831769ab26a6fa0cf08ef1b926776a77c372 PKGNAME = hashlink-${V} -REVISION = 0 +REVISION = 1 # commit from 2026-01-05; tagged as 'latest' DIST_TUPLE += github HaxeFoundation hashlink ${COMMIT} . @@ -40,7 +40,7 @@ LIB_DEPENDS = audio/libvorbis \ devel/sdl2 \ graphics/jpeg \ graphics/png \ - security/polarssl + security/mbedtls USE_GMAKE = Yes Index: lang/haxe/Makefile =================================================================== RCS file: /home/cvs/ports/lang/haxe/Makefile,v diff -u -p -r1.12 Makefile --- lang/haxe/Makefile 5 Aug 2025 11:58:42 -0000 1.12 +++ lang/haxe/Makefile 16 Feb 2026 21:41:51 -0000 @@ -6,6 +6,7 @@ ONLY_FOR_ARCHS = ${OCAML_NATIVE_ARCHS} COMMENT = toolkit for the Haxe programming language V = 4.3.6 +REVISION = 0 DIST_TUPLE += github HaxeFoundation haxe ${V} . DIST_TUPLE += github HaxeFoundation haxelib \ f17fffa97554b1bdba37750e3418051f017a5bc2 \ 
@@ -42,7 +43,7 @@ BUILD_DEPENDS = devel/p5-IPC-System-Sim LIB_DEPENDS = devel/libuv \ devel/pcre2 \ lang/nekovm \ - security/polarssl + security/mbedtls CFLAGS += -I${LOCALBASE}/include \ -L${LOCALBASE}/lib Index: lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c =================================================================== RCS file: lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c diff -N lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c 17 Feb 2026 17:09:12 -0000 
@@ -0,0 +1,52 @@ +Index: libs/mbedtls/mbedtls_stubs.c +--- libs/mbedtls/mbedtls_stubs.c.orig ++++ libs/mbedtls/mbedtls_stubs.c +@@ -18,13 +18,11 @@ + #include <caml/callback.h> + #include <caml/custom.h> + +-#include "mbedtls/debug.h" + #include "mbedtls/error.h" +-#include "mbedtls/config.h" + #include "mbedtls/ssl.h" + #include "mbedtls/entropy.h" + #include "mbedtls/ctr_drbg.h" +-#include "mbedtls/certs.h" ++#include "mbedtls/psa_util.h" + #include "mbedtls/oid.h" + + #define PVoid_val(v) (*((void**) Data_custom_val(v))) +@@ -200,7 +198,7 @@ CAMLprim value hx_cert_get_alt_names(value chain) { + CAMLparam1(chain); + CAMLlocal1(obj); + mbedtls_x509_crt* cert = X509Crt_val(chain); +- if (cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME == 0 || &cert->subject_alt_names == NULL) { ++ if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_SUBJECT_ALT_NAME)) { + obj = Atom(0); + } else { + mbedtls_asn1_sequence* cur = &cert->subject_alt_names; +@@ -374,7 +372,7 @@ CAMLprim value ml_mbedtls_pk_parse_key(value ctx, valu + pwd = String_val(Field(password, 0)); + pwdlen = caml_string_length(Field(password, 0)); + } +- CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen)); ++ CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE)); + } + + CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, value path, value password) { +@@ -383,7 +381,7 @@ CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, + if (password != Val_none) { + pwd = String_val(Field(password, 0)); + } +- CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd)); ++ CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE)); + } + + CAMLprim value ml_mbedtls_pk_parse_public_key(value ctx, value key) { +@@ -595,4 +593,4 @@ CAMLprim value 
hx_get_ssl_transport_flags(value unit) + const char* names[] = {"SSL_TRANSPORT_STREAM", "SSL_TRANSPORT_DATAGRAM"}; + int values[] = {MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_TRANSPORT_DATAGRAM}; + CAMLreturn(build_fields(sizeof(values) / sizeof(values[0]), names, values)); +-} +\ No newline at end of file ++} Index: net/openvpn/Makefile =================================================================== RCS file: /home/cvs/ports/net/openvpn/Makefile,v diff -u -p -r1.140 Makefile --- net/openvpn/Makefile 11 Feb 2026 17:57:54 -0000 1.140 +++ net/openvpn/Makefile 16 Feb 2026 22:15:11 -0000 @@ -1,6 +1,7 @@ COMMENT= easy-to-use, robust, and highly configurable VPN DISTNAME= openvpn-2.6.19 +REVISION= 0 CATEGORIES= net security @@ -33,7 +34,7 @@ FLAVORS= mbedtls FLAVOR?= .if ${FLAVOR:Mmbedtls} -LIB_DEPENDS+= security/polarssl +LIB_DEPENDS+= security/mbedtls CONFIGURE_ARGS+= --with-crypto-library=mbedtls WANTLIB += mbedcrypto mbedtls mbedx509 pthread .else Index: telephony/linphone/bctoolbox/Makefile =================================================================== RCS file: /home/cvs/ports/telephony/linphone/bctoolbox/Makefile,v diff -u -p -r1.10 Makefile --- telephony/linphone/bctoolbox/Makefile 15 Apr 2024 05:46:45 -0000 1.10 +++ telephony/linphone/bctoolbox/Makefile 16 Feb 2026 21:43:00 -0000 @@ -1,6 +1,7 @@ COMMENT = utilities library used by linphone stack MODULE = bctoolbox +REVISION = 0 SHARED_LIBS += bctoolbox 1.0 # 1 SHARED_LIBS += bctoolbox-tester 0.0 # 1 
@@ -12,7 +13,7 @@ MAKE_FLAGS +=CPPFLAGS=-I${LOCALBASE}/inc # links statically BUILD_DEPENDS = telephony/linphone/bcunit -LIB_DEPENDS = security/polarssl \ +LIB_DEPENDS = security/mbedtls \ converters/libiconv MODCMAKE_DEBUG=Yes Index: telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc =================================================================== RCS file: telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc diff -N telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc 17 Feb 2026 02:46:53 -0000 
@@ -0,0 +1,45 @@ +No need to use custom thread locking, +> Since Mbed TLS 3.6.0, the PSA API is thread-safe when MBEDTLS_THREADING_C is enabled. + +Index: src/crypto/mbedtls.cc +--- src/crypto/mbedtls.cc.orig ++++ src/crypto/mbedtls.cc +@@ -61,7 +61,7 @@ extern "C" void bctbx_random_bytes(unsigned char *ret, + namespace bctoolbox { + + namespace { +-#ifdef BCTBX_USE_MBEDTLS_PSA ++#if defined(BCTBX_USE_MBEDTLS_PSA) && !defined(MBEDTLS_THREADING_C) + // This is also defined in mbedtls source code by a custom modification + using mbedtls_threading_mutex_t = void *; + +@@ -95,7 +95,7 @@ int threading_mutex_unlock_cpp(mbedtls_threading_mutex + static_cast<std::mutex *>(*mutex)->unlock(); + return 0; + } +-#endif // BCTBX_USE_MBEDTLS_PSA ++#endif // BCTBX_USE_MBEDTLS_PSA && !MBEDTLS_THREADING_C + + class mbedtlsStaticContexts { + public: +@@ -106,8 +106,10 @@ class mbedtlsStaticContexts { (public) + std::unique_ptr<RNG> sRNG; + mbedtlsStaticContexts() { + #ifdef BCTBX_USE_MBEDTLS_PSA ++# if !defined(MBEDTLS_THREADING_C) + mbedtls_threading_set_alt(threading_mutex_init_cpp, threading_mutex_free_cpp, threading_mutex_lock_cpp, + threading_mutex_unlock_cpp); ++# endif // !MBEDTLS_THREADING_C + if (psa_crypto_init() != PSA_SUCCESS) { + bctbx_error("MbedTLS PSA init fail"); + } +@@ -120,7 +122,9 @@ class mbedtlsStaticContexts { (public) + sRNG = nullptr; + #ifdef BCTBX_USE_MBEDTLS_PSA + mbedtls_psa_crypto_free(); ++# if !defined(MBEDTLS_THREADING_C) + mbedtls_threading_free_alt(); ++# endif // !MBEDTLS_THREADING_C + #endif // BCTBX_USE_MBEDTLS_PSA + } + }; -- jca
mbedtls-3.6.5.tgz
Description: application/tar-gz
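
Review bot: The new lang/haxe patch file starts directly at `Index: libs/mbedtls/mbedtls_stubs.c` with no explanatory header, unlike the bctoolbox patch, which opens with its rationale. A one-line comment at the top naming the upstream commit it is adapted from (the c3258892c3c829ddd9faddcc0167108e62c84390 URL given in the mail) would tell whoever updates lang/haxe next when the patch can be dropped.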
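
Review bot: In the hx_cert_get_alt_names hunk of the lang/haxe patch, the `obj = Atom(0)` branch becomes reachable for the first time, so this path needs a test with a certificate that carries no subjectAltName. The removed condition could never be true: `==` binds tighter than `&`, so `cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME == 0` evaluates as `cert->ext_types & 0`, and `&cert->subject_alt_names` is the address of a struct member and never NULL. The switch to `mbedtls_x509_crt_has_ext_type()` is therefore a behaviour change as well as an API adaptation, which is worth saying in the patch comment.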
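
Review bot: In the ml_mbedtls_pk_parse_key and ml_mbedtls_pk_parse_keyfile hunks of the lang/haxe patch, the new `mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE` arguments rely on the PSA subsystem having been initialised, and none of the hunks shown adds a `psa_crypto_init()` call to mbedtls_stubs.c. Please confirm the stubs call it once before any key is parsed. If they do not, either add the call in the library's initialisation path or hand the parser the CTR_DRBG the file already sets up (it still includes mbedtls/ctr_drbg.h), so that the RNG callback cannot fail the first time it is needed.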
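
Review bot: In the bctoolbox patch, the new guards test `!defined(MBEDTLS_THREADING_C)`, but what the guarded code actually needs is `MBEDTLS_THREADING_ALT`, since that is the option providing `mbedtls_threading_set_alt()` and `mbedtls_threading_free_alt()`. Guarding on `defined(MBEDTLS_THREADING_ALT)` would state the requirement directly and would also cover a library built with neither threading option. Whichever macro is used, it is only visible if an mbedtls header that pulls in the build configuration is included above line 61 of src/crypto/mbedtls.cc; the hunks do not show the include list, so please check that, otherwise the `#if` silently keeps the old code. The `#endif` comment in the first block and the nested `# if` blocks in the constructor and destructor should follow the same macro.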
