Date:      Thu, 30 Apr 2026 15:16:48 +0000
From:      Vladimir Druzenko <vvd@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Cc:        Fabian Keil <fk@fabiankeil.de>
Subject:   git: 12d2ebc10b68 - main - security/mbedtls4: Apply upstream fix for a TLS 1.2 client regression
Message-ID:  <69f37260.18140.16d84000@gitrepo.freebsd.org>

The branch main has been updated by vvd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=12d2ebc10b688232d9e0928c180512d30d445414

commit 12d2ebc10b688232d9e0928c180512d30d445414
Author:     Fabian Keil <fk@fabiankeil.de>
AuthorDate: 2026-04-30 15:13:39 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2026-04-30 15:13:39 +0000

    security/mbedtls4: Apply upstream fix for a TLS 1.2 client regression
    
    TLS 1.2 client regression that caused valid ServerKeyExchange signatures
    using rsa_pss_rsae_* to be rejected:
    https://github.com/Mbed-TLS/mbedtls/issues/10668
    https://github.com/Mbed-TLS/mbedtls/commit/5fc28f401666f3ab3338168f6dcee71e6b468a4e
    
    While at it, add a DEBUG option that was useful to figure out the
    problem.
    
    PR:             294776
    Sponsored by:   UNIS Labs
    Co-authored-by: Vladimir Druzenko <vvd@FreeBSD.org>
    MFH:            2026Q2
---
 security/mbedtls4/Makefile | 14 ++++++++++++++
 security/mbedtls4/distinfo |  4 +++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/security/mbedtls4/Makefile b/security/mbedtls4/Makefile
index 0816fe7b7ee2..0a4b66e45444 100644
--- a/security/mbedtls4/Makefile
+++ b/security/mbedtls4/Makefile
@@ -1,9 +1,16 @@
 PORTNAME=	mbedtls
 DISTVERSION=	4.1.0
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	https://github.com/Mbed-TLS/${PORTNAME}/releases/download/${DISTNAME}/
 PKGNAMESUFFIX=	4
 
+PATCH_SITES=	https://github.com/Mbed-TLS/${PORTNAME}/commit/
+PATCHFILES=	5fc28f401666f3ab3338168f6dcee71e6b468a4e.patch:-p1
+# Fix a TLS 1.2 client regression that caused valid ServerKeyExchange
+# signatures using rsa_pss_rsae_* to be rejected.
+# https://github.com/Mbed-TLS/mbedtls/issues/10668
+
 MAINTAINER=	pkaipila@gmail.com
 COMMENT=	Embedded SSL/TLS and cryptography library
 WWW=		https://www.trustedfirmware.org/projects/mbed-tls/
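Review bot: the `+PATCHFILES=` line pulls a `.patch` that GitHub generates on request for the commit, and the abbreviated blob ids in that file's `index` lines can grow longer over time, at which point the download no longer matches the SHA256 and SIZE pinned in distinfo. Requesting the full-index form, `PATCHFILES=	5fc28f401666f3ab3338168f6dcee71e6b468a4e.patch?full_index=1:-p1`, keeps the fetched bytes stable; distinfo has to be regenerated once after that change. A smaller style point in the same hunk: the three-line comment describing the patch follows the variables it explains, and would read better placed above `PATCH_SITES`.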
@@ -31,15 +38,22 @@ PORTSCOUT=	limit:^${DISTVERSION:R:S/./\./g}\.
 
 PLIST_SUB=	DISTVERSION=${DISTVERSION}
 
+OPTIONS_DEFINE=	DEBUG
+
 pre-configure:
 	@${WRKSRC}/scripts/config.py set MBEDTLS_SSL_DTLS_SRTP
 	@${WRKSRC}/scripts/config.py set MBEDTLS_THREADING_C
 	@${WRKSRC}/scripts/config.py set MBEDTLS_THREADING_PTHREAD
 
+pre-configure-DEBUG-on:
+	@${WRKSRC}/scripts/config.py set MBEDTLS_DEBUG_C
+
 post-install:
 	@cd ${STAGEDIR}${PREFIX}/bin && for f in *; do \
 		${MV} "$$f" "mbedtls_$$f"; \
 	done
+
+post-install-DEBUG-off:
 	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libmbedcrypto.so
 
 .include <bsd.port.mk>
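Review bot: `OPTIONS_DEFINE=	DEBUG` has no description of its own, yet in this port the option does two different things: `pre-configure-DEBUG-on` compiles `MBEDTLS_DEBUG_C` into the library, and `post-install-DEBUG-off` makes stripping `libmbedcrypto.so` conditional. A `DEBUG_DESC` line (or a short comment next to `pre-configure-DEBUG-on`) saying that the option enables the Mbed TLS debug module would tell users that it changes what code is built into the library rather than only keeping symbols. It is also worth confirming that the rename loop left in the unconditional `post-install` target is the only step meant to run in both configurations.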
diff --git a/security/mbedtls4/distinfo b/security/mbedtls4/distinfo
index d3de5725a39f..badd48273317 100644
--- a/security/mbedtls4/distinfo
+++ b/security/mbedtls4/distinfo
@@ -1,3 +1,5 @@
-TIMESTAMP = 1775565640
+TIMESTAMP = 1777117771
 SHA256 (mbedtls-4.1.0.tar.bz2) = 377a09cf8eb81b5fb2707045e5522d5489d3309fed5006c9874e60558fc81d10
 SIZE (mbedtls-4.1.0.tar.bz2) = 7009629
+SHA256 (5fc28f401666f3ab3338168f6dcee71e6b468a4e.patch) = 1d2522273d11d420a55e8a86b8df0b4482be61e6ec42f8c8e029acba727bc4c0
+SIZE (5fc28f401666f3ab3338168f6dcee71e6b468a4e.patch) = 8585

