feat(mbedtls): update to version 3.6.4

2025-08-03 12:44:33 +02:00 · 2025-07-01 16:51:06 +08:00
parent 339499ebcb
commit 936c6495c0
6 changed files with 53 additions and 8 deletions
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -39,6 +39,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */

 #if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
+#include <pk_wrap.h>
 #include "rsa_sign_alt.h"
 static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
@@ -359,6 +360,18 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
 #endif
    mbedtls_x509_crt_free(&tls->cacert);
    mbedtls_x509_crt_free(&tls->clientcert);
+
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+    if (mbedtls_pk_get_type(&tls->clientkey) == MBEDTLS_PK_RSA_ALT) {
+        mbedtls_rsa_alt_context *rsa_alt = tls->clientkey.MBEDTLS_PRIVATE(pk_ctx);
+        if (rsa_alt && rsa_alt->key != NULL) {
+            mbedtls_rsa_free(rsa_alt->key);
+            mbedtls_free(rsa_alt->key);
+            rsa_alt->key = NULL;
+        }
+    }
+#endif
+
    mbedtls_pk_free(&tls->clientkey);
    mbedtls_entropy_free(&tls->entropy);
    mbedtls_ssl_config_free(&tls->conf);
@@ -1105,12 +1118,18 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
 {
    int ret = -1;
    /* initialize the mbedtls pk context with rsa context */
-    mbedtls_rsa_context rsakey;
-    mbedtls_rsa_init(&rsakey);
-    if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, &rsakey, NULL, esp_ds_rsa_sign,
+    mbedtls_rsa_context *rsakey = calloc(1, sizeof(mbedtls_rsa_context));
+    if (rsakey == NULL) {
+        ESP_LOGE(TAG, "Failed to allocate memory for mbedtls_rsa_context");
+        return ESP_ERR_NO_MEM;
+    }
+    mbedtls_rsa_init(rsakey);
+    if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, rsakey, NULL, esp_ds_rsa_sign,
                                        esp_ds_get_keylen )) != 0) {
        ESP_LOGE(TAG, "Error in mbedtls_pk_setup_rsa_alt, returned -0x%04X", -ret);
        mbedtls_print_error_msg(ret);
+        mbedtls_rsa_free(rsakey);
+        free(rsakey);
        ret = ESP_FAIL;
        goto exit;
    }
@@ -1121,7 +1140,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
    }
    ESP_LOGD(TAG, "DS peripheral params initialized.");
 exit:
-    mbedtls_rsa_free(&rsakey);
    return ret;
 }
 #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -245,6 +245,15 @@ menu "mbedTLS"

                See mbedTLS documentation for required API and more details.

+        config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+            bool "Enable keying material export"
+            default n
+            depends on MBEDTLS_TLS_ENABLED
+            help
+                Enable shared symmetric keys export for TLS sessions using mbedtls_ssl_export_keying_material()
+                after SSL handshake. The process for deriving the keys is specified in RFC 5705 for TLS 1.2
+                and in RFC 8446, Section 7.5, for TLS 1.3.
+
        config MBEDTLS_PKCS7_C
            bool "Enable PKCS #7"
            default y
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1110,6 +1110,24 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif

+/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#else
+#undef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#endif
+
 /**
 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
 *
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ Reducing Binary Size
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` docs.


-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
--- a/docs/zh_CN/api-reference/protocols/mbedtls.rst
+++ b/docs/zh_CN/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ ESP-IDF 中的示例使用 :doc:`/api-reference/protocols/esp_tls`，为访问
 在 ``Component Config -> mbedTLS`` 中，有多个 Mbed TLS 功能默认为启用状态。如果不需要这些功能，可将其禁用以减小固件大小。要了解更多信息，请参考 :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` 文档。


-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/