feat(mbedtls): update to version 3.6.4

Ashish285 · Ashish285 · commit 9c546002cbb5 · 2025-07-03T11:23:34.000+08:00
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
@@ -245,6 +245,15 @@ menu "mbedTLS"
 
                 See mbedTLS documentation for required API and more details.
 
+        config MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+            bool "Enable keying material export"
+            default n
+            depends on MBEDTLS_TLS_ENABLED
+            help
+                Enable shared symmetric keys export for TLS sessions using mbedtls_ssl_export_keying_material()
+                after SSL handshake. The process for deriving the keys is specified in RFC 5705 for TLS 1.2
+                and in RFC 8446, Section 7.5, for TLS 1.3.
+
         config MBEDTLS_PKCS7_C
             bool "Enable PKCS number 7"
             default y
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
@@ -1 +1 @@
-Subproject commit 98ae8db06b8acc1dc1c6b1f78c2719cb776f4147
+Subproject commit b5d87eaa6748b7a6fa70593178c08b4480e9b71e
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1143,6 +1143,24 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif
 
+/**
+ * \def MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+ *
+ * When this option is enabled, the client and server can extract additional
+ * shared symmetric keys after an SSL handshake using the function
+ * mbedtls_ssl_export_keying_material().
+ *
+ * The process for deriving the keys is specified in RFC 5705 for TLS 1.2 and
+ * in RFC 8446, Section 7.5, for TLS 1.3.
+ *
+ * Comment this macro to disable mbedtls_ssl_export_keying_material().
+ */
+#ifdef CONFIG_MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#define MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#else
+#undef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
+#endif
+
 /**
  * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
  *
diff --git a/docs/en/api-reference/protocols/mbedtls.rst b/docs/en/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ Reducing Binary Size
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` docs.
 
 
-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
diff --git a/docs/zh_CN/api-reference/protocols/mbedtls.rst b/docs/zh_CN/api-reference/protocols/mbedtls.rst
@@ -118,5 +118,5 @@ ESP-IDF 中的示例使用 :doc:`/api-reference/protocols/esp_tls`，为访问
 在 ``Component Config -> mbedTLS`` 中，有多个 Mbed TLS 功能默认为启用状态。如果不需要这些功能，可将其禁用以减小固件大小。要了解更多信息，请参考 :ref:`Minimizing Binary Size <minimizing_binary_mbedtls>` 文档。
 
 
-.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.3/
+.. _`API Reference`: https://mbed-tls.readthedocs.io/projects/api/en/v3.6.4/
 .. _`Knowledge Base`: https://mbed-tls.readthedocs.io/en/latest/kb/
