SECURITY update: switch consumers from security/polarssl to security/mbedtls

Adapt bctoolbox to stop (ab)using the MBEDTLS_THREADING_ALT, supposedly incompatible with MBEDTLS_THREADING_C which ought to be sufficient. Adapt haxe to avoid using removed interfaces, partly inspired by https://github.com/HaxeFoundation/haxe/pull/11646 ok sthen, no objection from landry@ (bctoolbox) and thfr@ (haxe) Issues fixed by this switch: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-2/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-3/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-1/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-2/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-3/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-4/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-5/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-6/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-7/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/ https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-ssbleed-mstep/
2026-06-17 23:13:55 +02:00 · 2026-02-18 18:25:17 +00:00
parent 14c3eaa4b9
commit 181d53c126
11 changed files with 114 additions and 12 deletions
@@ -6,7 +6,7 @@ COMMENT-main =		Nintendo GameCube and Wii emulator with GUI
 COMMENT-nogui =		Nintendo GameCube and Wii emulator

 PKGNAME =		dolphin-5.0.0.20240524
-REVISION =		1
+REVISION =		2
 DIST_TUPLE +=		github dolphin-emu dolphin \
 			222a3930807545d9ebffebfbd13c3a816f788434 . # GPLv2

@@ -112,7 +112,7 @@ LIB_DEPENDS-nogui =	archivers/lz4 \
 			multimedia/sfml \
 			net/curl \
 			net/miniupnp/miniupnpc \
-			security/polarssl \
+			security/mbedtls \
 			sysutils/xxhash \
 			textproc/pugixml
 LIB_DEPENDS-main =	${LIB_DEPENDS-nogui} \
@@ -5,6 +5,7 @@ COMMENT-tools=	2D and 3D game engine (with tools)
 COMMENT-sharp=	.NET libs for mono/C# module of Godot

 V =		3.6.2
+REVISION =	0
 SHARPFILES_V =	3.5.2
 DISTNAME =	godot-${V}-stable
 PKGNAME =	godot-${V}
@@ -93,7 +94,7 @@ LIB_DEPENDS =		archivers/zstd \
 			multimedia/libtheora \
 			multimedia/libvpx \
 			net/enet \
-			security/polarssl
+			security/mbedtls

 RUN_DEPENDS-tools =	devel/desktop-file-utils

@@ -9,6 +9,7 @@ COMMENT-main =	2D and 3D game engine
 COMMENT-editor=	2D and 3D game engine (with the editor)

 V =		4.4.1
+REVISION =	0
 PKGNAME =	godot4-${V}
 DIST_TUPLE +=	github godotengine godot ${V}-stable .
 DIST_TUPLE +=	github GodotSteam GodotSteam v4.3 godotsteam
@@ -104,7 +105,7 @@ LIB_DEPENDS =		archivers/zstd \
 			multimedia/libtheora \
 			net/enet \
 			net/miniupnp/miniupnpc \
-			security/polarssl \
+			security/mbedtls \
 			x11/dbus,-main \
 			x11/xkbcommon \
 			www/wslay
@@ -5,7 +5,7 @@ PKGNAME =		moonlight-qt-${V}

 DISTNAME =		MoonlightSrc-${V}
 SITES =			https://github.com/moonlight-stream/moonlight-qt/releases/download/v${V}/
-REVISION =		0
+REVISION =		1

 CATEGORIES =		games

@@ -29,7 +29,7 @@ RUN_DEPENDS =		x11/gtk+4,-guic \

 # avoid build breakage due to dpb junking: moc creates dependencies on mbedtls
 # headers but does not actually use them because USE_MBEDTLS isn't defined.
-BUILD_DEPENDS =		security/polarssl
+BUILD_DEPENDS =		security/mbedtls

 LIB_DEPENDS =		audio/opus \
 			devel/sdl2 \
@@ -12,7 +12,7 @@ COMMENT =	virtual machine for Haxe
 V =		1.15pl0
 COMMIT =	109f831769ab26a6fa0cf08ef1b926776a77c372
 PKGNAME =	hashlink-${V}
-REVISION =	0
+REVISION =	1

 # commit from 2026-01-05; tagged as 'latest'
 DIST_TUPLE +=	github HaxeFoundation hashlink ${COMMIT} .
@@ -40,7 +40,7 @@ LIB_DEPENDS =	audio/libvorbis \
 		devel/sdl2 \
 		graphics/jpeg \
 		graphics/png \
-		security/polarssl
+		security/mbedtls

 USE_GMAKE =	Yes

@@ -6,6 +6,7 @@ ONLY_FOR_ARCHS = ${OCAML_NATIVE_ARCHS}
 COMMENT =	toolkit for the Haxe programming language

 V =		4.3.6
+REVISION =	0
 DIST_TUPLE +=	github HaxeFoundation haxe ${V} .
 DIST_TUPLE +=	github HaxeFoundation haxelib \
 		f17fffa97554b1bdba37750e3418051f017a5bc2 \
@@ -42,7 +43,7 @@ BUILD_DEPENDS =		devel/p5-IPC-System-Simple \
 LIB_DEPENDS =		devel/libuv \
 			devel/pcre2 \
 			lang/nekovm \
-			security/polarssl
+			security/mbedtls

 CFLAGS +=		-I${LOCALBASE}/include \
 			-L${LOCALBASE}/lib
@@ -0,0 +1,52 @@
+Index: libs/mbedtls/mbedtls_stubs.c
+--- libs/mbedtls/mbedtls_stubs.c.orig
+++ libs/mbedtls/mbedtls_stubs.c
+@@ -18,13 +18,11 @@
+ #include <caml/callback.h>
+ #include <caml/custom.h>
+ 
+-#include "mbedtls/debug.h"
+ #include "mbedtls/error.h"
+-#include "mbedtls/config.h"
+ #include "mbedtls/ssl.h"
+ #include "mbedtls/entropy.h"
+ #include "mbedtls/ctr_drbg.h"
+-#include "mbedtls/certs.h"
+#include "mbedtls/psa_util.h"
+ #include "mbedtls/oid.h"
+ 
+ #define PVoid_val(v) (*((void**) Data_custom_val(v)))
+@@ -200,7 +198,7 @@ CAMLprim value hx_cert_get_alt_names(value chain) {
+ 	CAMLparam1(chain);
+ 	CAMLlocal1(obj);
+ 	mbedtls_x509_crt* cert = X509Crt_val(chain);
+-	if (cert->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME == 0 || &cert->subject_alt_names == NULL) {
+	if (!mbedtls_x509_crt_has_ext_type(cert, MBEDTLS_X509_EXT_SUBJECT_ALT_NAME)) {
+ 		obj = Atom(0);
+ 	} else {
+ 		mbedtls_asn1_sequence* cur = &cert->subject_alt_names;
+@@ -374,7 +372,7 @@ CAMLprim value ml_mbedtls_pk_parse_key(value ctx, valu
+ 		pwd = String_val(Field(password, 0));
+ 		pwdlen = caml_string_length(Field(password, 0));
+ 	}
+-	CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen));
+	CAMLreturn(mbedtls_pk_parse_key(PkContext_val(ctx), String_val(key), caml_string_length(key) + 1, pwd, pwdlen, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ }
+ 
+ CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, value path, value password) {
+@@ -383,7 +381,7 @@ CAMLprim value ml_mbedtls_pk_parse_keyfile(value ctx, 
+ 	if (password != Val_none) {
+ 		pwd = String_val(Field(password, 0));
+ 	}
+-	CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd));
+	CAMLreturn(mbedtls_pk_parse_keyfile(PkContext_val(ctx), String_val(path), pwd, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ }
+ 
+ CAMLprim value ml_mbedtls_pk_parse_public_key(value ctx, value key) {
+@@ -595,4 +593,4 @@ CAMLprim value hx_get_ssl_transport_flags(value unit) 
+ 	const char* names[] = {"SSL_TRANSPORT_STREAM", "SSL_TRANSPORT_DATAGRAM"};
+ 	int values[] = {MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_TRANSPORT_DATAGRAM};
+ 	CAMLreturn(build_fields(sizeof(values) / sizeof(values[0]), names, values));
+-}
+\ No newline at end of file
+}
@@ -1,6 +1,7 @@
 COMMENT=	easy-to-use, robust, and highly configurable VPN

 DISTNAME=	openvpn-2.6.19
+REVISION=	0

 CATEGORIES=	net security

@@ -33,7 +34,7 @@ FLAVORS=	mbedtls
 FLAVOR?=

 .if ${FLAVOR:Mmbedtls}
-LIB_DEPENDS+=	security/polarssl
+LIB_DEPENDS+=	security/mbedtls
 CONFIGURE_ARGS+= --with-crypto-library=mbedtls
 WANTLIB += mbedcrypto mbedtls mbedx509 pthread
 .else
@@ -122,6 +122,7 @@
     SUBDIR += luasec,lua53
     SUBDIR += luasec,lua54
     SUBDIR += lynis
+     SUBDIR += mbedtls
     SUBDIR += mcrypt
     SUBDIR += mhash
     SUBDIR += minisign
@@ -264,7 +265,6 @@
     SUBDIR += pkcs11-helper
     SUBDIR += plaso
     SUBDIR += plass
-     SUBDIR += polarssl
     SUBDIR += portscanner
     SUBDIR += portsentry
     SUBDIR += ppgen
@@ -1,6 +1,7 @@
 COMMENT =	utilities library used by linphone stack

 MODULE =	bctoolbox
+REVISION =	0

 SHARED_LIBS +=	bctoolbox 1.0 # 1
 SHARED_LIBS +=	bctoolbox-tester 0.0 # 1
@@ -12,7 +13,7 @@ MAKE_FLAGS +=CPPFLAGS=-I${LOCALBASE}/include

 # links statically
 BUILD_DEPENDS =	telephony/linphone/bcunit
-LIB_DEPENDS =	security/polarssl \
+LIB_DEPENDS =	security/mbedtls \
 		converters/libiconv

 MODCMAKE_DEBUG=Yes
@@ -0,0 +1,45 @@
+No need to use custom thread locking,
+> Since Mbed TLS 3.6.0, the PSA API is thread-safe when MBEDTLS_THREADING_C is enabled.
+
+Index: src/crypto/mbedtls.cc
+--- src/crypto/mbedtls.cc.orig
+++ src/crypto/mbedtls.cc
+@@ -61,7 +61,7 @@ extern "C" void bctbx_random_bytes(unsigned char *ret,
+ namespace bctoolbox {
+ 
+ namespace {
+-#ifdef BCTBX_USE_MBEDTLS_PSA
+#if defined(BCTBX_USE_MBEDTLS_PSA) && !defined(MBEDTLS_THREADING_C)
+ // This is also defined in mbedtls source code by a custom modification
+ using mbedtls_threading_mutex_t = void *;
+ 
+@@ -95,7 +95,7 @@ int threading_mutex_unlock_cpp(mbedtls_threading_mutex
+ 	static_cast<std::mutex *>(*mutex)->unlock();
+ 	return 0;
+ }
+-#endif // BCTBX_USE_MBEDTLS_PSA
+#endif // BCTBX_USE_MBEDTLS_PSA && !MBEDTLS_THREADING_C
+ 
+ class mbedtlsStaticContexts {
+ public:
+@@ -106,8 +106,10 @@ class mbedtlsStaticContexts { (public)
+ 	std::unique_ptr<RNG> sRNG;
+ 	mbedtlsStaticContexts() {
+ #ifdef BCTBX_USE_MBEDTLS_PSA
+# if !defined(MBEDTLS_THREADING_C)
+ 		mbedtls_threading_set_alt(threading_mutex_init_cpp, threading_mutex_free_cpp, threading_mutex_lock_cpp,
+ 		                          threading_mutex_unlock_cpp);
+# endif // !MBEDTLS_THREADING_C
+ 		if (psa_crypto_init() != PSA_SUCCESS) {
+ 			bctbx_error("MbedTLS PSA init fail");
+ 		}
+@@ -120,7 +122,9 @@ class mbedtlsStaticContexts { (public)
+ 		sRNG = nullptr;
+ #ifdef BCTBX_USE_MBEDTLS_PSA
+ 		mbedtls_psa_crypto_free();
+# if !defined(MBEDTLS_THREADING_C)
+ 		mbedtls_threading_free_alt();
+# endif // !MBEDTLS_THREADING_C
+ #endif // BCTBX_USE_MBEDTLS_PSA
+ 	}
+ };