
[meta-networking] mdns: Update for mbedtls4, set daemon version

Message ID 20260508085411.32273-2-alex.kiernan@gmail.com
State New

Commit Message

Alex Kiernan May 8, 2026, 8:54 a.m. UTC
Switch to psa_crypto_init(), which initialises all crypto subsystems and
works with both Mbed TLS 3 and 4. Also set the daemon version so
it's correctly reported at runtime.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---
 ...-mbedtls-for-compatibility-with-mbed.patch | 57 +++++++++++++++++++
 .../mdns/mdns_2881.100.56.0.1.bb              |  4 +-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-protocols/mdns/mdns/0001-mDNSPosix-Rework-mbedtls-for-compatibility-with-mbed.patch

Patch

diff --git a/meta-networking/recipes-protocols/mdns/mdns/0001-mDNSPosix-Rework-mbedtls-for-compatibility-with-mbed.patch b/meta-networking/recipes-protocols/mdns/mdns/0001-mDNSPosix-Rework-mbedtls-for-compatibility-with-mbed.patch
new file mode 100644
index 000000000000..a561fd232ff3
--- /dev/null
+++ b/meta-networking/recipes-protocols/mdns/mdns/0001-mDNSPosix-Rework-mbedtls-for-compatibility-with-mbed.patch
@@ -0,0 +1,57 @@ 
+From f4f5039eb90918b5248bd6266afdad0b33b2d010 Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alex.kiernan@gmail.com>
+Date: Thu, 30 Apr 2026 08:21:19 +0100
+Subject: [PATCH] mDNSPosix: Rework mbedtls for compatibility with mbedtls4
+
+Upstream-Status: Inactive-Upstream [Upstream does not take patches]
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+---
+ mDNSPosix/mbedtls.c | 21 +++++----------------
+ 1 file changed, 5 insertions(+), 16 deletions(-)
+
+diff --git a/mDNSPosix/mbedtls.c b/mDNSPosix/mbedtls.c
+index 6726ef9b9145..c4b7fd4edfff 100644
+--- a/mDNSPosix/mbedtls.c
++++ b/mDNSPosix/mbedtls.c
+@@ -29,14 +29,10 @@
+ #include <errno.h>
+ #include <unistd.h>
+ 
++#include <psa/crypto.h>
++
+ #include <mbedtls/error.h>
+-#include <mbedtls/pk.h>
+-#include <mbedtls/ecp.h>
+-#include <mbedtls/ecdsa.h>
+-#include <mbedtls/entropy.h>
+-#include <mbedtls/ctr_drbg.h>
+-#include <mbedtls/sha256.h>
+-#include <mbedtls/base64.h>
++#include <mbedtls/psa_util.h>
+ 
+ #include <mbedtls/x509.h>
+ #include <mbedtls/ssl.h>
+@@ -53,21 +49,14 @@ struct TLSServerContext_struct {
+     mbedtls_ssl_config config;
+ };
+ 
+-// Context that is shared amongs all TLS connections, regardless of which server cert/key is in use.
+-static mbedtls_entropy_context entropy;
+-static mbedtls_ctr_drbg_context ctr_drbg;
+-
+ mDNSBool
+ mDNSPosixTLSInit(void)
+ {
+     int status;
+ 
+-    mbedtls_entropy_init(&entropy);
+-    mbedtls_ctr_drbg_init(&ctr_drbg);
+-
+-    status = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
++    status = psa_crypto_init();
+     if (status != 0) {
+-        LogRedact(MDNS_LOG_CATEGORY_DEFAULT, MDNS_LOG_ERROR, "Unable to seed RNG: %x", -status);
++        LogRedact(MDNS_LOG_CATEGORY_DEFAULT, MDNS_LOG_ERROR, "PSA crypto init failed: %x", -status);
+         return mDNSfalse;
+     }
+     return mDNStrue;
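Review bot: In mDNSPosixTLSInit the result of psa_crypto_init() is still held in `int status`, tested against a bare `0` and logged as `%x` of `-status`. That format suited Mbed TLS `-0x…` error codes, but PSA status codes are small negative decimals (PSA_ERROR_INSUFFICIENT_ENTROPY is -148 and would be logged as `94`). I would declare `psa_status_t status;`, test `if (status != PSA_SUCCESS) {` and log `"PSA crypto init failed: %d", (int)status`, so a failed entropy or RNG setup can be matched against psa/crypto_values.h directly. Separately, the patch removes the shared `ctr_drbg` and adds `<mbedtls/psa_util.h>` with no visible use of it; if the TLS configuration code outside these hunks expects an RNG callback under Mbed TLS 3, that hookup should be confirmed. The function's closing brace lies outside the hunk.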
diff --git a/meta-networking/recipes-protocols/mdns/mdns_2881.100.56.0.1.bb b/meta-networking/recipes-protocols/mdns/mdns_2881.100.56.0.1.bb
index 10560d795ad3..48e7a8d52d3e 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_2881.100.56.0.1.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_2881.100.56.0.1.bb
@@ -15,6 +15,7 @@  SRC_URI = "git://github.com/apple-oss-distributions/mDNSResponder;protocol=https
            file://0001-Fix-build-with-gcc-15.patch \
            file://mdns.service \
            file://0007-mDNSShared-Make-Apple-Wireless-Direct-Link-depend-on.patch \
+           file://0001-mDNSPosix-Rework-mbedtls-for-compatibility-with-mbed.patch \
            "
 BRANCH = "rel/mDNSResponder-2881"
 SRCREV = "ea3902cfeff86a04b4c684753c80e425edbd1a21"
@@ -47,7 +48,8 @@  EXTRA_OEMAKE = "os=linux 'CC=${CCLD}' 'LD=${CCLD}' 'LINKOPTS=${LDFLAGS}' STRIP=:
 
 # MDNS_VERSIONSTR_NODTS disables __DATE__ and __TIME__ in the version string,
 # which are fixed anyway for build reproducibility.
-TARGET_CPPFLAGS += "-DMDNS_VERSIONSTR_NODTS"
+TARGET_CPPFLAGS += "-DmDNSResponderVersion=${PV} \
+                    -DMDNS_VERSIONSTR_NODTS"
 
 TARGET_CC_ARCH += "${LDFLAGS}"