Merge branch 'update_v4.4/mbedtls_v2.28.2' into 'release/v4.4'

mbedtls: Update to release v2.28.2 (v4.4) See merge request espressif/esp-idf!21896
2025-08-01 03:34:32 +02:00 · 2023-02-02 22:27:22 +08:00
parent 0e4c086a35 0f46f0cfa4
commit 2a1ede3f9d
3 changed files with 46 additions and 19 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -208,6 +208,7 @@ menu "mbedTLS"
        config MBEDTLS_SSL_CONTEXT_SERIALIZATION
            bool "Enable serialization of the TLS context structures"
            default n
+            depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
            help
                Enable serialization of the TLS context structures
                This is a local optimization in handling a single, potentially long-lived connection.
@@ -696,7 +697,7 @@ menu "mbedTLS"
    config MBEDTLS_SERVER_SSL_SESSION_TICKETS
        bool "TLS: Server Support for RFC 5077 SSL session tickets"
        default y
-        depends on MBEDTLS_TLS_ENABLED
+        depends on MBEDTLS_TLS_ENABLED && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
        help
            Server support for RFC 5077 session tickets. See mbedTLS documentation for more details.
            Disabling this option will save some code size.
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -44,7 +44,12 @@
 * The time does not need to be correct, only time differences are used,
 * by contrast with MBEDTLS_HAVE_TIME_DATE
 *
- * Comment if your system does not support time functions
+ * Comment if your system does not support time functions.
+ *
+ * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
+ *       interface - timing.c will include time.h on suitable platforms
+ *       regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ *       MBEDTLS_TIMING_ALT is used. See timing.c for more information.
 */
 #ifdef CONFIG_MBEDTLS_HAVE_TIME
 #define MBEDTLS_HAVE_TIME
@@ -253,9 +258,8 @@
 #define MBEDTLS_CIPHER_PADDING_ZEROS

 /**
- * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C
+ * \def MBEDTLS_ARC4_C
 *
- * MBEDTLS_ARC4_C
 * Enable the ARCFOUR stream cipher.
 *
 * This module enables/disables the following ciphersuites
@@ -270,7 +274,14 @@
 *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
 *
- * MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger ciphers instead.
+ *
+ * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ *
 * This flag removes the ciphersuites based on RC4 from the default list as
 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
@@ -941,6 +952,8 @@
 * saved after the handshake to allow for more efficient serialization, so if
 * you don't need this feature you'll save RAM by disabling it.
 *
+ * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
+ *
 * Comment to disable the context serialization APIs.
 */
 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
@@ -976,7 +989,7 @@
 * Enable support for RFC 7627: Session Hash and Extended Master Secret
 * Extension.
 *
- * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * This was introduced as "the proper fix" to the Triple Handshake family of
 * attacks, but it is recommended to always use it (even if you disable
 * renegotiation), since it actually fixes a more fundamental issue in the
 * original SSL/TLS design, and has implications beyond Triple Handshake.
@@ -1026,7 +1039,7 @@
 * \note This option has no influence on the protection against the
 *       triple handshake attack. Even if it is disabled, Mbed TLS will
 *       still ensure that certificates do not change during renegotiation,
- *       for exaple by keeping a hash of the peer's certificate.
+ *       for example by keeping a hash of the peer's certificate.
 *
 * Comment this macro to disable storing the peer's certificate
 * after the handshake.
@@ -1209,7 +1222,7 @@
 * unless you know for sure amplification cannot be a problem in the
 * environment in which your server operates.
 *
- * \warning Disabling this can ba a security risk! (see above)
+ * \warning Disabling this can be a security risk! (see above)
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 *
@@ -1944,7 +1957,7 @@
 *
 * Requires: MBEDTLS_MD_C
 *
- * Uncomment to enable the HMAC_DRBG random number geerator.
+ * Uncomment to enable the HMAC_DRBG random number generator.
 */
 #define MBEDTLS_HMAC_DRBG_C

@@ -1978,11 +1991,19 @@
 /**
 * \def MBEDTLS_NET_C
 *
- * Enable the TCP/IP networking routines.
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
 *
- * Module:  library/net.c
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
 *
- * This module provides TCP/IP networking routines.
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/net_sockets.c
+ *
+ * This module provides networking routines.
 */
 #ifdef MBEDTLS_NET_C
 #undef MBEDTLS_NET_C
@@ -2070,7 +2091,7 @@
 /**
 * \def MBEDTLS_PK_C
 *
- * Enable the generic public (asymetric) key layer.
+ * Enable the generic public (asymmetric) key layer.
 *
 * Module:  library/pk.c
 * Caller:  library/ssl_tls.c
@@ -2086,7 +2107,7 @@
 /**
 * \def MBEDTLS_PK_PARSE_C
 *
- * Enable the generic public (asymetric) key parser.
+ * Enable the generic public (asymmetric) key parser.
 *
 * Module:  library/pkparse.c
 * Caller:  library/mbedtls_x509_crt.c
@@ -2101,7 +2122,7 @@
 /**
 * \def MBEDTLS_PK_WRITE_C
 *
- * Enable the generic public (asymetric) key writer.
+ * Enable the generic public (asymmetric) key writer.
 *
 * Module:  library/pkwrite.c
 * Caller:  library/x509write.c
@@ -2290,7 +2311,8 @@
 * Module:  library/ssl_ticket.c
 * Caller:
 *
- * Requires: MBEDTLS_CIPHER_C
+ * Requires: MBEDTLS_CIPHER_C &&
+ *           ( MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C )
 */
 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_TICKET_C
@@ -2366,9 +2388,13 @@
 * your own implementation of the whole module by setting
 * \c MBEDTLS_TIMING_ALT in the current file.
 *
+ * \note The timing module will include time.h on suitable platforms
+ *       regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ *       MBEDTLS_TIMING_ALT is used. See timing.c for more information.
+ *
 * \note See also our Knowledge Base article about porting to a new
 * environment:
- * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
 *
 * Module:  library/timing.c
 * Caller:  library/havege.c
@@ -2680,7 +2706,7 @@
 * contexts are not shared between threads. If you do intend to use contexts
 * between threads, you will need to enable this layer to prevent race
 * conditions. See also our Knowledge Base article about threading:
- * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
 *
 * Module:  library/threading.c
 *