From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: SECURITY update to mbedtls-3.6.5
To: ports@openbsd.org
Cc: Landry Breuil <landry@rhaalovely.net>, Thomas Frohwein <thfr@openbsd.org>
Date: Tue, 17 Feb 2026 18:25:04 +0100

On Sat, Feb 14, 2026 at 03:24:56PM +0100, Jeremie Courreges-Anglas wrote:
> PS: my current plan is to try to move -current to the 3.6 LTS branch.
> openvpn-2.7.0 requires mbedtls-3.2.1 and landry@ apparently needs
> mbedtls-3* for linphone.  I'd also like to move the port to
> security/mbedtls, IMO using the official name makes it easier to find
> the port and we have tools to make renaming painless for users.

So 2.28.10 is in, here's a tarball for security/mbedtls moving to
3.6.5 (latest LTS).  I'll make a summary of the fixes in the commit
message, please look at https://github.com/Mbed-TLS/mbedtls/releases
for now.

This also comes with a diff to tweak consumers.  Two of them have been
a bit of a pain:

- the mbedtls v3 code in bctoolbox tries to use a non-default
  MBEDTLS_THREADING_ALT feature that is incompatible with
  MBEDTLS_THREADING_C - according to upstream anyway.  Fix: IIUC no
  need to use that to get thread safety, according to the docs
  MBEDTLS_THREADING_C should be enough for the library to be usable in
  a multithreaded app.  Untested.  Landry, this one is for you.

- lang/haxe hasn't seen a release with the changes needed to cope with
  mbedtls v3.  But at least there's a diff in the development/preview
  trees that looks a bit like the diff below (again untested)
  https://github.com/HaxeFoundation/haxe/commit/c3258892c3c829ddd9faddcc0167108e62c84390
  thfr: here I'll defer to you.

The rest of the consumers appeared to require no change.  Consumers
build-tested on amd64 and arm64, mbedtls-3.6.5 build-tested on
sparc64.  So:
1. ok to import mbedtls-3.6.5 as security/mbedtls?
2. thoughts/test reports/oks welcome on bctoolbox, haxe and the rest
  of the diff

Obviously since security/polarssl and security/mbedtls conflict the
switch has to happen in one go.

Cheers


Index: emulators/dolphin/Makefile
===================================================================
RCS file: /home/cvs/ports/emulators/dolphin/Makefile,v
diff -u -p -r1.26 Makefile
--- emulators/dolphin/Makefile	13 Feb 2026 12:02:15 -0000	1.26
+++ emulators/dolphin/Makefile	16 Feb 2026 21:37:06 -0000
@@ -6,7 +6,7 @@ COMMENT-main =		Nintendo GameCube and Wi
 COMMENT-nogui =		Nintendo GameCube and Wii emulator
 
 PKGNAME =		dolphin-5.0.0.20240524
-REVISION =		1
+REVISION =		2
 DIST_TUPLE +=		github dolphin-emu dolphin \
 			222a3930807545d9ebffebfbd13c3a816f788434 . # GPLv2
 
@@ -112,7 +112,7 @@ LIB_DEPENDS-nogui =	archivers/lz4 \
 			multimedia/sfml \
 			net/curl \
 			net/miniupnp/miniupnpc \
-			security/polarssl \
+			security/mbedtls \
 			sysutils/xxhash \
 			textproc/pugixml
 LIB_DEPENDS-main =	${LIB_DEPENDS-nogui} \
Index: games/godot/Makefile
===================================================================
RCS file: /home/cvs/ports/games/godot/Makefile,v
diff -u -p -r1.58 Makefile
--- games/godot/Makefile	18 Jan 2026 17:28:59 -0000	1.58
+++ games/godot/Makefile	16 Feb 2026 21:38:13 -0000
@@ -5,6 +5,7 @@ COMMENT-tools=	2D and 3D game engine (wi
 COMMENT-sharp=	.NET libs for mono/C# module of Godot
 
 V =		3.6.2
+REVISION =	0
 SHARPFILES_V =	3.5.2
 DISTNAME =	godot-${V}-stable
 PKGNAME =	godot-${V}
@@ -93,7 +94,7 @@ LIB_DEPENDS =		archivers/zstd \
 			multimedia/libtheora \
 			multimedia/libvpx \
 			net/enet \
-			security/polarssl
+			security/mbedtls
 
 RUN_DEPENDS-tools =	devel/desktop-file-utils
 
Index: games/godot4/Makefile
===================================================================
RCS file: /home/cvs/ports/games/godot4/Makefile,v
diff -u -p -r1.14 Makefile
--- games/godot4/Makefile	14 Sep 2025 09:19:55 -0000	1.14
+++ games/godot4/Makefile	16 Feb 2026 21:41:14 -0000
@@ -9,6 +9,7 @@ COMMENT-main =	2D and 3D game engine
 COMMENT-editor=	2D and 3D game engine (with the editor)
 
 V =		4.4.1
+REVISION =	0
 PKGNAME =	godot4-${V}
 DIST_TUPLE +=	github godotengine godot ${V}-stable .
 DIST_TUPLE +=	github GodotSteam GodotSteam v4.3 godotsteam
@@ -104,7 +105,7 @@ LIB_DEPENDS =		archivers/zstd \
 			multimedia/libtheora \
 			net/enet \
 			net/miniupnp/miniupnpc \
-			security/polarssl \
+			security/mbedtls \
 			x11/dbus,-main \
 			x11/xkbcommon \
 			www/wslay
Index: games/moonlight-qt/Makefile
===================================================================
RCS file: /home/cvs/ports/games/moonlight-qt/Makefile,v
diff -u -p -r1.11 Makefile
--- games/moonlight-qt/Makefile	14 Dec 2025 18:30:02 -0000	1.11
+++ games/moonlight-qt/Makefile	16 Feb 2026 21:58:44 -0000
@@ -5,7 +5,7 @@ PKGNAME =		moonlight-qt-${V}
 
 DISTNAME =		MoonlightSrc-${V}
 SITES =			https://github.com/moonlight-stream/moonlight-qt/releases/download/v${V}/
-REVISION =		0
+REVISION =		1
 
 CATEGORIES =		games
 
@@ -29,7 +29,7 @@ RUN_DEPENDS =		x11/gtk+4,-guic \
 
 # avoid build breakage due to dpb junking: moc creates dependencies on mbedtls
 # headers but does not actually use them because USE_MBEDTLS isn't defined.
-BUILD_DEPENDS =		security/polarssl
+BUILD_DEPENDS =		security/mbedtls
 
 LIB_DEPENDS =		audio/opus \
 			devel/sdl2 \
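Review bot: the REVISION bump in the first hunk may not be needed, because the only other change to this port is the BUILD_DEPENDS line and the comment directly above it says the mbedtls headers are pulled in by moc but not actually used. If nothing from mbedtls ends up in the package, its contents and run-time dependencies are unchanged by the rename. The bump is harmless; if it is deliberate (for example to force a rebuild against the new headers), a word in the commit message would make that clear.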
Index: lang/hashlink/Makefile
===================================================================
RCS file: /home/cvs/ports/lang/hashlink/Makefile,v
diff -u -p -r1.24 Makefile
--- lang/hashlink/Makefile	20 Jan 2026 14:30:14 -0000	1.24
+++ lang/hashlink/Makefile	16 Feb 2026 21:41:33 -0000
@@ -12,7 +12,7 @@ COMMENT =	virtual machine for Haxe
 V =		1.15pl0
 COMMIT =	109f831769ab26a6fa0cf08ef1b926776a77c372
 PKGNAME =	hashlink-${V}
-REVISION =	0
+REVISION =	1
 
 # commit from 2026-01-05; tagged as 'latest'
 DIST_TUPLE +=	github HaxeFoundation hashlink ${COMMIT} .
@@ -40,7 +40,7 @@ LIB_DEPENDS =	audio/libvorbis \
 		devel/sdl2 \
 		graphics/jpeg \
 		graphics/png \
-		security/polarssl
+		security/mbedtls
 
 USE_GMAKE =	Yes
 
Index: lang/haxe/Makefile
===================================================================
RCS file: /home/cvs/ports/lang/haxe/Makefile,v
diff -u -p -r1.12 Makefile
--- lang/haxe/Makefile	5 Aug 2025 11:58:42 -0000	1.12
+++ lang/haxe/Makefile	16 Feb 2026 21:41:51 -0000
@@ -6,6 +6,7 @@ ONLY_FOR_ARCHS = ${OCAML_NATIVE_ARCHS}
 COMMENT =	toolkit for the Haxe programming language
 
 V =		4.3.6
+REVISION =	0
 DIST_TUPLE +=	github HaxeFoundation haxe ${V} .
 DIST_TUPLE +=	github HaxeFoundation haxelib \
 		f17fffa97554b1bdba37750e3418051f017a5bc2 \
@@ -42,7 +43,7 @@ BUILD_DEPENDS =		devel/p5-IPC-System-Sim
 LIB_DEPENDS =		devel/libuv \
 			devel/pcre2 \
 			lang/nekovm \
-			security/polarssl
+			security/mbedtls
 
 CFLAGS +=		-I${LOCALBASE}/include \
 			-L${LOCALBASE}/lib
Index: lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c
===================================================================
RCS file: lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c
diff -N lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ lang/haxe/patches/patch-libs_mbedtls_mbedtls_stubs_c	17 Feb 2026 17:09:12 -0000
@@ -0,0 +1,52 @@
+Index: libs/mbedtls/mbedtls_stubs.c
+--- libs/mbedtls/mbedtls_stubs.c.orig
++++ libs/mbedtls/mbedtls_stubs.c
+@@ -18,13 +18,11 @@
+ #include <caml/callback.h>
+ #include <caml/custom.h>
+ 
+-#include "mbedtls/debug.h"
+ #include "mbedtls/error.h"
+-#include "mbedtls/config.h"
+ #include "mbedtls/ssl.h"
+ #include "mbedtls/entropy.h"
+ #include "mbedtls/ctr_drbg.h"
+-#include "mbedtls/certs.h"
++#include "mbedtls/psa_util.h"
+ #include "mbedtls/oid.h"
+ 
+ #define PVoid_val(v) (*((void**) Data_custom_val(v)))
+@@ -200,7 +198,7 @@ CAMLprim value hx_cert_get_alt_names(value chain) {
+ 	CAMLparam1(chain);
+ 	CAMLlocal1(obj);
+ 	mbedtls_x509_crt* cert = X509Crt_val(chain);
+-	if (cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME == 0 || &cert->subject_alt_names == NULL) {
++	if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_SUBJECT_ALT_NAME)) {
+ 		obj = Atom(0);
+ 	} else {
+ 		mbedtls_asn1_sequence* cur = &cert->subject_alt_names;
+@@ -374,7 +372,7 @@ CAMLprim value ml_mbedtls_pk_parse_key(value ctx, valu
+ 		pwd = String_val(Field(password, 0));
+ 		pwdlen = caml_string_length(Field(password, 0));
+ 	}
+-	CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen));
++	CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ }
+ 
+ CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, value path, value password) {
+@@ -383,7 +381,7 @@ CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, 
+ 	if (password != Val_none) {
+ 		pwd = String_val(Field(password, 0));
+ 	}
+-	CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd));
++	CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ }
+ 
+ CAMLprim value ml_mbedtls_pk_parse_public_key(value ctx, value key) {
+@@ -595,4 +593,4 @@ CAMLprim value hx_get_ssl_transport_flags(value unit) 
+ 	const char* names[] = {"SSL_TRANSPORT_STREAM", "SSL_TRANSPORT_DATAGRAM"};
+ 	int values[] = {MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_TRANSPORT_DATAGRAM};
+ 	CAMLreturn(build_fields(sizeof(values) / sizeof(values[0]), names, values));
+-}
+\ No newline at end of file
++}
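Review bot: in the two private-key hunks (ml_mbedtls_pk_parse_key and ml_mbedtls_pk_parse_keyfile) the new RNG arguments are mbedtls_psa_get_random and MBEDTLS_PSA_RANDOM_STATE, but nothing in this patch adds a psa_crypto_init() call. The PSA random generator is only usable once the PSA subsystem has been initialised, so unless the stubs already do that outside the lines shown, this would compile and then fail when a key is loaded. Either initialise PSA where the stubs set up their contexts, or pass the existing DRBG instead (the file still includes mbedtls/ctr_drbg.h) with mbedtls_ctr_drbg_random and its context. Since the mail marks this diff as untested, a run-time check that loads a private key through both entry points would settle it.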
Index: net/openvpn/Makefile
===================================================================
RCS file: /home/cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.140 Makefile
--- net/openvpn/Makefile	11 Feb 2026 17:57:54 -0000	1.140
+++ net/openvpn/Makefile	16 Feb 2026 22:15:11 -0000
@@ -1,6 +1,7 @@
 COMMENT=	easy-to-use, robust, and highly configurable VPN
 
 DISTNAME=	openvpn-2.6.19
+REVISION=	0
 
 CATEGORIES=	net security
 
@@ -33,7 +34,7 @@ FLAVORS=	mbedtls
 FLAVOR?=
 
 .if ${FLAVOR:Mmbedtls}
-LIB_DEPENDS+=	security/polarssl
+LIB_DEPENDS+=	security/mbedtls
 CONFIGURE_ARGS+= --with-crypto-library=mbedtls
 WANTLIB += mbedcrypto mbedtls mbedx509 pthread
 .else
Index: telephony/linphone/bctoolbox/Makefile
===================================================================
RCS file: /home/cvs/ports/telephony/linphone/bctoolbox/Makefile,v
diff -u -p -r1.10 Makefile
--- telephony/linphone/bctoolbox/Makefile	15 Apr 2024 05:46:45 -0000	1.10
+++ telephony/linphone/bctoolbox/Makefile	16 Feb 2026 21:43:00 -0000
@@ -1,6 +1,7 @@
 COMMENT =	utilities library used by linphone stack
 
 MODULE =	bctoolbox
+REVISION =	0
 
 SHARED_LIBS +=	bctoolbox 1.0 # 1
 SHARED_LIBS +=	bctoolbox-tester 0.0 # 1
@@ -12,7 +13,7 @@ MAKE_FLAGS +=CPPFLAGS=-I${LOCALBASE}/inc
 
 # links statically
 BUILD_DEPENDS =	telephony/linphone/bcunit
-LIB_DEPENDS =	security/polarssl \
+LIB_DEPENDS =	security/mbedtls \
 		converters/libiconv
 
 MODCMAKE_DEBUG=Yes
Index: telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc
===================================================================
RCS file: telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc
diff -N telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ telephony/linphone/bctoolbox/patches/patch-src_crypto_mbedtls_cc	17 Feb 2026 02:46:53 -0000
@@ -0,0 +1,45 @@
+No need to use custom thread locking,
+> Since Mbed TLS 3.6.0, the PSA API is thread-safe when MBEDTLS_THREADING_C is enabled.
+
+Index: src/crypto/mbedtls.cc
+--- src/crypto/mbedtls.cc.orig
++++ src/crypto/mbedtls.cc
+@@ -61,7 +61,7 @@ extern "C" void bctbx_random_bytes(unsigned char *ret,
+ namespace bctoolbox {
+ 
+ namespace {
+-#ifdef BCTBX_USE_MBEDTLS_PSA
++#if defined(BCTBX_USE_MBEDTLS_PSA) && !defined(MBEDTLS_THREADING_C)
+ // This is also defined in mbedtls source code by a custom modification
+ using mbedtls_threading_mutex_t = void *;
+ 
+@@ -95,7 +95,7 @@ int threading_mutex_unlock_cpp(mbedtls_threading_mutex
+ 	static_cast<std::mutex *>(*mutex)->unlock();
+ 	return 0;
+ }
+-#endif // BCTBX_USE_MBEDTLS_PSA
++#endif // BCTBX_USE_MBEDTLS_PSA && !MBEDTLS_THREADING_C
+ 
+ class mbedtlsStaticContexts {
+ public:
+@@ -106,8 +106,10 @@ class mbedtlsStaticContexts { (public)
+ 	std::unique_ptr<RNG> sRNG;
+ 	mbedtlsStaticContexts() {
+ #ifdef BCTBX_USE_MBEDTLS_PSA
++# if !defined(MBEDTLS_THREADING_C)
+ 		mbedtls_threading_set_alt(threading_mutex_init_cpp, threading_mutex_free_cpp, threading_mutex_lock_cpp,
+ 		                          threading_mutex_unlock_cpp);
++# endif // !MBEDTLS_THREADING_C
+ 		if (psa_crypto_init() != PSA_SUCCESS) {
+ 			bctbx_error("MbedTLS PSA init fail");
+ 		}
+@@ -120,7 +122,9 @@ class mbedtlsStaticContexts { (public)
+ 		sRNG = nullptr;
+ #ifdef BCTBX_USE_MBEDTLS_PSA
+ 		mbedtls_psa_crypto_free();
++# if !defined(MBEDTLS_THREADING_C)
+ 		mbedtls_threading_free_alt();
++# endif // !MBEDTLS_THREADING_C
+ #endif // BCTBX_USE_MBEDTLS_PSA
+ 	}
+ };


-- 
jca