From 5f74ce2d4b2031b46a8774758867166f0c7e0c13 Mon Sep 17 00:00:00 2001
From: Ashish Sharma
Date: Tue, 1 Jul 2025 16:51:06 +0800
Subject: [PATCH] feat(mbedtls): update to version 3.6.4

---
 components/mbedtls/Kconfig | 9 +++++++++
 components/mbedtls/mbedtls | 2 +-
 .../mbedtls/port/include/mbedtls/esp_config.h | 18 ++++++++++++++++++
 docs/en/api-reference/protocols/mbedtls.rst | 3 +++
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index fc5b448517..a9277c2b57 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -245,6 +245,15 @@ menu "mbedTLS"
 See mbedTLS documentation for required API and more details.
+ config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ bool "Enable keying material export"
+ default n
+ depends on MBEDTLS_TLS_ENABLED
+ help
+ Enable shared symmetric keys export for TLS sessions using mbedtls_ssl_export_keying_material()
+ after SSL handshake. The process for deriving the keys is specified in RFC 5705 for TLS 1.2
+ and in RFC 8446, Section 7.5, for TLS 1.3.
+
 config MBEDTLS_PKCS7_C
 bool "Enable PKCS #7"
 default y
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
index 601990b1d8..b5d87eaa67 160000
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
@@ -1 +1 @@
-Subproject commit 601990b1d81510a135da9bb0476d6ed3cb8c011b
+Subproject commit b5d87eaa6748b7a6fa70593178c08b4480e9b71e
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 5695d811c6..384eb78e7e 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
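Review bot: The help text under `config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` names the RFCs but says nothing about the sensitivity of what the API returns: exporter output is derived from the session secret, so callers must protect it like a session key (keep it out of logs and persistent storage, wipe it after use). Suggest appending `Exported keying material is derived from the session secret and must be handled with the same care as session keys.` to the help. For TLS 1.2 the RFC 5705 exporter is only bound to the full handshake transcript when the extended master secret extension (RFC 7627) is negotiated; if this port allows disabling that extension, the help should say so, though I cannot confirm that from this hunk. The opening sentence also reads awkwardly; `Enable export of shared symmetric keys from TLS sessions via mbedtls_ssl_export_keying_material()` would be clearer.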
@@ -1104,6 +1104,24 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif
+/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#else
+#undef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#endif
+
 /**
 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
 *
diff --git a/docs/en/api-reference/protocols/mbedtls.rst b/docs/en/api-reference/protocols/mbedtls.rst
index ab9691b20a..effd185b33 100644
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -95,3 +95,6 @@ Reducing Binary Size
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size ` docs.
+ .. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
+ .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
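Review bot: The new doc block ends with `Comment this macro to disable mbedtls_ssl_export_keying_material().`, but in this file the macro is not hand-edited — it is defined or undefined by the `#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT` guard that follows — so the sentence points a reader at the wrong knob. Replace it with `Controlled by CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT (Component Config -> mbedTLS -> Enable keying material export).` Other entries in this file may carry the same upstream wording; I can only see the one added here.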