Merge branch 'feat/update_mbedtls_3.6.4_v5.4' into 'release/v5.4'

feat(mbedtls): update to version 3.6.4 (v5.4) See merge request espressif/esp-idf!40376
2025-08-03 12:44:33 +02:00 · 2025-07-11 13:43:42 +08:00
parent f10ac3eec2 98fa9a3829
commit 583fd13cd5
5 changed files with 30 additions and 3 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -245,6 +245,15 @@ menu "mbedTLS"

                See mbedTLS documentation for required API and more details.

+        config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+            bool "Enable keying material export"
+            default n
+            depends on MBEDTLS_TLS_ENABLED
+            help
+                Enable shared symmetric keys export for TLS sessions using mbedtls_ssl_export_keying_material()
+                after SSL handshake. The process for deriving the keys is specified in RFC 5705 for TLS 1.2
+                and in RFC 8446, Section 7.5, for TLS 1.3.
+
        config MBEDTLS_PKCS7_C
            bool "Enable PKCS number 7"
            default y
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1143,6 +1143,24 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif

+/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#else
+#undef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#endif
+
 /**
 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
 *
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ Reducing Binary Size
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` docs.


-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
--- a/docs/zh_CN/api-reference/protocols/mbedtls.rst
+++ b/docs/zh_CN/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ ESP-IDF 中的示例使用 :doc:`/api-reference/protocols/esp_tls`，为访问
 在 ``Component Config -> mbedTLS`` 中，有多个 Mbed TLS 功能默认为启用状态。如果不需要这些功能，可将其禁用以减小固件大小。要了解更多信息，请参考 :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` 文档。


-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/