Bug 294301 - security/mbedtls4: update to 4.1.0
Summary: security/mbedtls4: update to 4.1.0
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Yusuf Yaman
URL: https://github.com/Mbed-TLS/mbedtls/r...
Keywords:
Depends on:
Blocks: 294302
Reported: 2026-04-07 13:27 UTC by Paavo-Einari Kaipila
Modified: 2026-04-10 16:52 UTC (History)

See Also:
pkaipila: maintainer-feedback+
vvd: maintainer-feedback+
osa: maintainer-feedback+
nxjoseph: merge-quarterly+


Attachments
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch (7.24 KB, patch)
2026-04-07 13:27 UTC, Paavo-Einari Kaipila
build fail without files/patch-library_CMakeLists.txt patch (24.68 KB, text/plain)
2026-04-07 14:26 UTC, Yusuf Yaman
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch (7.18 KB, patch)
2026-04-07 14:29 UTC, Paavo-Einari Kaipila
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch (7.19 KB, patch)
2026-04-07 14:39 UTC, Paavo-Einari Kaipila
0001-security-mbedtls4-Update-4.0.0-4.1.0.patch (nxjoseph) (8.08 KB, patch)
2026-04-07 15:36 UTC, Yusuf Yaman

Description Paavo-Einari Kaipila 2026-04-07 13:27:52 UTC
Created attachment 269454 [details]
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch
Comment 1 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 13:31:40 UTC
Sorry, accidentally removed it
Comment 2 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 14:00:36 UTC
Hi,

Thank you for your submission.

I have tested the patch in Poudriere (14.3-RELEASE-p9, amd64, main(2d6221ae7df3)) and it seems OK including `make test`.

I need to ask for approval from my mentors first.

Thanks.
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-07 14:20:51 UTC
PLIST from order:
include/tf-psa-crypto/version.h
include/tf-psa-crypto/private/crypto_adjust_config_auto_enabled.h
Comment 4 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-07 14:23:18 UTC
Are you sure security/mbedtls4/files/patch-library_CMakeLists.txt is still needed?
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-07 14:23:55 UTC
> PLIST from order:
PLIST wrong order:
Comment 6 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 14:26:31 UTC
Created attachment 269457 [details]
build fail without files/patch-library_CMakeLists.txt patch
Comment 7 Paavo-Einari Kaipila 2026-04-07 14:27:40 UTC
(In reply to Vladimir Druzenko from comment #4)

https://github.com/Mbed-TLS/mbedtls/blob/03334868372d9ab34d0b25dfa0a316c5b79d556b/library/CMakeLists.txt#L364
Comment 8 Paavo-Einari Kaipila 2026-04-07 14:29:45 UTC
Created attachment 269458 [details]
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch
Comment 9 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 14:33:02 UTC
(In reply to Paavo-Einari Kaipila from comment #8)
`sort pkg-plist` (if it's the right way) still makes some adjustments to this patch.
Comment 10 Vladimir Druzenko freebsd_committer freebsd_triage 2026-04-07 14:35:54 UTC
(In reply to Paavo-Einari Kaipila from comment #7)
It's strange that upstream hasn't added a patch with a fix yet:
https://github.com/Mbed-TLS/mbedtls/issues/10627
https://github.com/Mbed-TLS/mbedtls/pull/10631
Comment 11 Paavo-Einari Kaipila 2026-04-07 14:39:07 UTC
Created attachment 269460 [details]
0001-security-mbedtls4-update-4.0.0-to-4.1.0.patch
Comment 12 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 14:42:07 UTC
(In reply to Paavo-Einari Kaipila from comment #11)
Still the same :/

diff --git a/security/mbedtls4/pkg-plist b/security/mbedtls4/pkg-plist
index 318783df18b2..a3950fa69d55 100644
--- a/security/mbedtls4/pkg-plist
+++ b/security/mbedtls4/pkg-plist
@@ -49,9 +49,10 @@ include/mbedtls/oid.h
 include/mbedtls/pem.h
 include/mbedtls/pk.h
 include/mbedtls/pkcs7.h
-include/mbedtls/platform.h
 include/mbedtls/platform_time.h
 include/mbedtls/platform_util.h
+include/mbedtls/platform.h
+include/mbedtls/private_access.h
 include/mbedtls/private/aes.h
 include/mbedtls/private/aria.h
 include/mbedtls/private/bignum.h
@@ -88,21 +89,19 @@ include/mbedtls/private/sha1.h
 include/mbedtls/private/sha256.h
 include/mbedtls/private/sha3.h
 include/mbedtls/private/sha512.h
-include/mbedtls/private_access.h
 include/mbedtls/psa_util.h
-include/mbedtls/ssl.h
 include/mbedtls/ssl_cache.h
 include/mbedtls/ssl_ciphersuites.h
 include/mbedtls/ssl_cookie.h
 include/mbedtls/ssl_ticket.h
+include/mbedtls/ssl.h
 include/mbedtls/threading.h
 include/mbedtls/timing.h
 include/mbedtls/version.h
-include/mbedtls/x509.h
 include/mbedtls/x509_crl.h
 include/mbedtls/x509_crt.h
 include/mbedtls/x509_csr.h
-include/psa/crypto.h
+include/mbedtls/x509.h
 include/psa/crypto_compat.h
 include/psa/crypto_config.h
 include/psa/crypto_driver_common.h
@@ -116,6 +115,7 @@ include/psa/crypto_sizes.h
 include/psa/crypto_struct.h
 include/psa/crypto_types.h
 include/psa/crypto_values.h
+include/psa/crypto.h
 include/tf-psa-crypto/build_info.h
 include/tf-psa-crypto/private/crypto_adjust_config_auto_enabled.h
 include/tf-psa-crypto/private/crypto_adjust_config_dependencies.h
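Review bot: nothing in this diff changes the package contents, and the description should say so: the include/psa/crypto.h line added here after crypto_values.h is the one removed in the previous hunk, and across the three hunks the five removed paths are exactly the five added ones. State which collation produced the order, so that a reviewer running sort under a different locale does not regenerate the opposite diff.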
Comment 13 Paavo-Einari Kaipila 2026-04-07 14:54:35 UTC
(In reply to Yusuf Yaman from comment #12)

sort pkg-plist > pkg-plist.sorted
diff -u pkg-plist pkg-plist.sorted

doesn't return anything here
Comment 14 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 15:36:03 UTC
Created attachment 269461 [details]
0001-security-mbedtls4-Update-4.0.0-4.1.0.patch (nxjoseph)

It's strange, maybe patches got mixed up? Can you try my patch to see if sorting is needed?
Comment 15 Paavo-Einari Kaipila 2026-04-07 15:53:22 UTC
(In reply to Yusuf Yaman from comment #14)

This one does print seemingly the same diff as in message 12
Comment 16 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 16:29:05 UTC
Comment on attachment 269461 [details]
0001-security-mbedtls4-Update-4.0.0-4.1.0.patch (nxjoseph)

(In reply to Paavo-Einari Kaipila from comment #15)
Oh...

I found the culprit with the help of Vladimir,

I see that the problem probably arose because we use different locales.

My locale is "en_US.UTF-8", making it "C", no problem with sorting in your patch.

$ env LANG=C sort -c pkg-plist
yusuf@freebsd:~/doc/git/ports/security/mbedtls4 $ echo $?
0

$ env LANG=en_US.UTF-8 sort -c pkg-plist
sort: pkg-plist:53: disorder: include/mbedtls/platform_time.h
yusuf@freebsd:~/doc/git/ports/security/mbedtls4 $ echo $?
1

Sorry, I did not know locale could have such an effect...
Comment 17 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 17:26:30 UTC
In pkg-plist, DISTVERSION resolves to 4.1.0; the correct order is:

lib/libmbedcrypto.so.18
lib/libmbedcrypto.so.4.1.0

instead of

lib/libmbedcrypto.so.18
lib/libmbedcrypto.so.%%DISTVERSION%%
Comment 18 Paavo-Einari Kaipila 2026-04-07 18:21:20 UTC
(In reply to Yusuf Yaman from comment #17)

Isn't that the same order?
Comment 19 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-07 18:22:48 UTC
(In reply to Paavo-Einari Kaipila from comment #18)
Sorry, I've made a typo. What I'm trying to say is that the lower-number library.so must come first, then the library.so.%%DISTVERSION%%.
Comment 20 Paavo-Einari Kaipila 2026-04-07 18:29:51 UTC
(In reply to Yusuf Yaman from comment #19)

Well, that depends on sorting rules. According to default (C) rules, %%DISTVERSION%% comes first.
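The ordering question from comments 16 to 20, as an added example that is not part of the thread or of the ports tree: a byte-order check for a pkg-plist-style file that pins `LC_ALL=C`, which takes precedence over `LC_COLLATE` and `LANG`, so the result does not depend on the caller's environment. The function names and the sample file are constructed for illustration; the sample entries are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check pkg-plist order by byte value.
# LC_ALL takes precedence over LC_COLLATE and LANG, so it is pinned here.

# Succeeds only if FILE is already in C-locale (byte) order.
plist_is_sorted() {
    LC_ALL=C sort -c "$1" 2>/dev/null
}

# Prints FILE re-sorted in C-locale order.
plist_sorted() {
    LC_ALL=C sort "$1"
}

# Prints the number of the first line that sorts before its predecessor
# in byte order; prints nothing when the file is sorted.
plist_first_disorder() {
    LC_ALL=C awk 'NR > 1 && ($0 "") < (prev "") { print NR; exit }
                  { prev = $0 }' "$1"
}

# Constructed sample: header order as in the comment 12 diff, library
# order as proposed in comment 19.
write_locale_order() {
    cat > "$1" <<'EOF'
include/mbedtls/platform_time.h
include/mbedtls/platform_util.h
include/mbedtls/platform.h
include/mbedtls/private_access.h
include/mbedtls/private/aes.h
lib/libmbedcrypto.so.18
lib/libmbedcrypto.so.%%DISTVERSION%%
EOF
}

# Demo: '.' (0x2E) < '_' (0x5F), '/' (0x2F) < '_', '%' (0x25) < '1' (0x31).
tmp=$(mktemp -d)
write_locale_order "$tmp/pkg-plist"
if plist_is_sorted "$tmp/pkg-plist"; then
    echo "pkg-plist is in C order"
else
    echo "first disorder at line $(plist_first_disorder "$tmp/pkg-plist")"
    plist_sorted "$tmp/pkg-plist"
fi
rm -rf "$tmp"
```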
Comment 21 commit-hook freebsd_committer freebsd_triage 2026-04-10 16:46:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0f67f38ce6bf226f8a8414c6950d5f90e75499e9

commit 0f67f38ce6bf226f8a8414c6950d5f90e75499e9
Author:     Paavo-Einari Kaipila <pkaipila@gmail.com>
AuthorDate: 2026-04-07 14:37:12 +0000
Commit:     Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-10 16:40:20 +0000

    security/mbedtls4: Update 4.0.0 => 4.1.0 (security)

    While here, sort pkg-plist.

    Changelog:
    https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.1.0

    PR:             294301
    Reported by:    Paavo-Einari Kaipila <pkaipila@gmail.com> (maintainer)
    Approved by:    osa, vvd (mentors)
    MFH:            2026Q2
    Security:       CVE-2026-25833
    Security:       CVE-2026-25834

 security/mbedtls4/Makefile  |  3 +--
 security/mbedtls4/distinfo  |  6 ++---
 security/mbedtls4/pkg-plist | 65 +++++++++++++++++++++++----------------------
 3 files changed, 37 insertions(+), 37 deletions(-)
Comment 22 commit-hook freebsd_committer freebsd_triage 2026-04-10 16:49:06 UTC
A commit in branch 2026Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=798c1e2680cf84f9185644e44077b56526ef505a

commit 798c1e2680cf84f9185644e44077b56526ef505a
Author:     Paavo-Einari Kaipila <pkaipila@gmail.com>
AuthorDate: 2026-04-07 14:37:12 +0000
Commit:     Yusuf Yaman <nxjoseph@FreeBSD.org>
CommitDate: 2026-04-10 16:48:18 +0000

    security/mbedtls4: Update 4.0.0 => 4.1.0 (security)

    While here, sort pkg-plist.

    Changelog:
    https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.1.0

    PR:             294301
    Reported by:    Paavo-Einari Kaipila <pkaipila@gmail.com> (maintainer)
    Approved by:    osa, vvd (mentors)
    MFH:            2026Q2
    Security:       CVE-2026-25833
    Security:       CVE-2026-25834

    (cherry picked from commit 0f67f38ce6bf226f8a8414c6950d5f90e75499e9)

 security/mbedtls4/Makefile  |  3 +--
 security/mbedtls4/distinfo  |  6 ++---
 security/mbedtls4/pkg-plist | 65 +++++++++++++++++++++++----------------------
 3 files changed, 37 insertions(+), 37 deletions(-)
Comment 23 Yusuf Yaman freebsd_committer freebsd_triage 2026-04-10 16:52:31 UTC
Committed, thanks!