diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index a08766a889..c3b014b404 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -39,6 +39,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
 #if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
+#include
 #include "rsa_sign_alt.h"
 static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
 #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
@@ -359,6 +360,18 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
 #endif
 mbedtls_x509_crt_free(&tls->cacert);
 mbedtls_x509_crt_free(&tls->clientcert);
+
+#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
+ if (mbedtls_pk_get_type(&tls->clientkey) == MBEDTLS_PK_RSA_ALT) {
+ mbedtls_rsa_alt_context *rsa_alt = tls->clientkey.MBEDTLS_PRIVATE(pk_ctx);
+ if (rsa_alt && rsa_alt->key != NULL) {
+ mbedtls_rsa_free(rsa_alt->key);
+ mbedtls_free(rsa_alt->key);
+ rsa_alt->key = NULL;
+ }
+ }
+#endif
+
 mbedtls_pk_free(&tls->clientkey);
 mbedtls_entropy_free(&tls->entropy);
 mbedtls_ssl_config_free(&tls->conf);
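Review bot: In the block added to esp_mbedtls_cleanup(), `rsa_alt->key` is released with `mbedtls_free()`, while the matching allocation in esp_mbedtls_init_pk_ctx_for_ds() (the -1105 hunk) uses libc `calloc()` and its error path uses `free()`. If Mbed TLS is built with a platform allocator that is not the libc one, the pointer would be handed back to a different allocator than the one that produced it; allocating with `mbedtls_calloc(1, sizeof(mbedtls_rsa_context))` and using `mbedtls_free(rsakey);` on the error path would keep the pair consistent. The block also inspects only `tls->clientkey`, so a DS-backed key set up on any other pk context would presumably not be released here. The body of esp_mbedtls_cleanup() starts and ends outside the hunk.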
@@ -1105,12 +1118,18 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
 {
 int ret = -1;
 /* initialize the mbedtls pk context with rsa context */
- mbedtls_rsa_context rsakey;
- mbedtls_rsa_init(&rsakey);
- if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, &rsakey, NULL, esp_ds_rsa_sign,
+ mbedtls_rsa_context *rsakey = calloc(1, sizeof(mbedtls_rsa_context));
+ if (rsakey == NULL) {
+ ESP_LOGE(TAG, "Failed to allocate memory for mbedtls_rsa_context");
+ return ESP_ERR_NO_MEM;
+ }
+ mbedtls_rsa_init(rsakey);
+ if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, rsakey, NULL, esp_ds_rsa_sign,
 esp_ds_get_keylen )) != 0) {
 ESP_LOGE(TAG, "Error in mbedtls_pk_setup_rsa_alt, returned -0x%04X", -ret);
 mbedtls_print_error_msg(ret);
+ mbedtls_rsa_free(rsakey);
+ free(rsakey);
 ret = ESP_FAIL;
 goto exit;
 }
@@ -1121,7 +1140,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
 }
 ESP_LOGD(TAG, "DS peripheral params initialized.");
 exit:
- mbedtls_rsa_free(&rsakey);
 return ret;
 }
 #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index c4dceb924d..d0029ebd47 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -245,6 +245,15 @@ menu "mbedTLS"
 See mbedTLS documentation for required API and more details.
+ config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ bool "Enable keying material export"
+ default n
+ depends on MBEDTLS_TLS_ENABLED
+ help
+ Enable shared symmetric keys export for TLS sessions using mbedtls_ssl_export_keying_material()
+ after SSL handshake. The process for deriving the keys is specified in RFC 5705 for TLS 1.2
+ and in RFC 8446, Section 7.5, for TLS 1.3.
+
 config MBEDTLS_PKCS7_C
 bool "Enable PKCS #7"
 default y
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
index 601990b1d8..b5d87eaa67 160000
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
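Review bot: Once `mbedtls_pk_setup_rsa_alt()` succeeds, the heap-allocated `rsakey` is reachable only through the pk context, and nothing in esp_mbedtls_init_pk_ctx_for_ds() records who frees it. The next hunk opens with a closing brace, so there appears to be a further failure branch between the two hunks (not visible here) that would return an error with the allocation still attached, leaving the release to the caller's cleanup. A comment after the setup call would state the ownership: `/* rsakey is now referenced by pk_key; it is released in esp_mbedtls_cleanup() */`. The early `return ESP_ERR_NO_MEM;` also bypasses the `exit:` label the rest of the function uses; `ret = ESP_ERR_NO_MEM; goto exit;` would keep a single exit path.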
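Review bot: The help text for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT explains how the keys are derived but not how the output should be treated. The exported bytes are derived from the session's secrets, so they need the same handling as any other key: no logging, and cleared after use. One more help line would cover it: `The exported material is secret and must be protected like any other session key.`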
@@ -1 +1 @@
-Subproject commit 601990b1d81510a135da9bb0476d6ed3cb8c011b
+Subproject commit b5d87eaa6748b7a6fa70593178c08b4480e9b71e
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 488c3fbe8b..bac3c34e4e 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1110,6 +1110,24 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif
+/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#else
+#undef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#endif
+
 /**
 * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
 *
diff --git a/docs/en/api-reference/protocols/mbedtls.rst b/docs/en/api-reference/protocols/mbedtls.rst
index 58b7a6eeb9..047dd7b870 100644
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ Reducing Binary Size
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size ` docs.
-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
diff --git a/docs/zh_CN/api-reference/protocols/mbedtls.rst b/docs/zh_CN/api-reference/protocols/mbedtls.rst
index e9997a2093..c9d497da9a 100644
--- a/docs/zh_CN/api-reference/protocols/mbedtls.rst
+++ b/docs/zh_CN/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ ESP-IDF 中的示例使用 :doc:`/api-reference/protocols/esp_tls`,为访问
 在 ``Component Config -> mbedTLS`` 中,有多个 Mbed TLS 功能默认为启用状态。如果不需要这些功能,可将其禁用以减小固件大小。要了解更多信息,请参考 :ref:`Minimizing Binary Size ` 文档。
-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/