Merge branch 'feature/mbedtls_3_5_0_update_v5.1' into 'release/v5.1'

feat(mbedtls): update to 3.5.0 release (v5.1)

See merge request espressif/esp-idf!26475

components/mbedtls/CMakeLists.txt

@@ -110,9 +110,13 @@ list(REMOVE_ITEM src_x509 x509_crt.c)
 set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509})
 endif()
 
+# Core libraries from the mbedTLS project
 set(mbedtls_targets mbedtls mbedcrypto mbedx509)
+# 3rd party libraries from the mbedTLS project
+list(APPEND mbedtls_targets everest p256m)
 
-set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c")
+set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c"
+                           "${COMPONENT_DIR}/port/esp_platform_time.c")
 
 if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
 set(mbedtls_target_sources ${mbedtls_target_sources}

components/mbedtls/Kconfig

@@ -1052,16 +1052,4 @@ menu "mbedTLS"
             then the ESP will be unable to process keys greater
             than SOC_RSA_MAX_BIT_LEN.
 
-    menuconfig MBEDTLS_SECURITY_RISKS
-        bool "Show configurations with potential security risks"
-        default n
-
-    config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
-        bool "X.509 CRT parsing with unsupported critical extensions"
-        depends on MBEDTLS_SECURITY_RISKS
-        default n
-        help
-            Allow the X.509 certificate parser to load certificates
-            with unsupported critical extensions
-
 endmenu  # mbedTLS

components/mbedtls/port/dynamic/esp_ssl_tls.c

@@ -283,6 +283,8 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 int __wrap_mbedtls_ssl_setup(mbedtls_ssl_context *ssl, const mbedtls_ssl_config *conf)
 {
     ssl->conf = conf;
+    ssl->tls_version = ssl->conf->max_tls_version;
+
     CHECK_OK(ssl_handshake_init(ssl));
 
     mbedtls_free(ssl->MBEDTLS_PRIVATE(out_buf));

components/mbedtls/port/ecdsa/ecdsa_alt.c

@@ -13,7 +13,7 @@
 #include "esp_private/periph_ctrl.h"
 #include "ecdsa/ecdsa_alt.h"
 
-#define ECDSA_KEY_MAGIC             0xECD5A
+#define ECDSA_KEY_MAGIC             (short) 0xECD5A
 #define ECDSA_SHA_LEN               32
 #define MAX_ECDSA_COMPONENT_LEN     32
 

components/mbedtls/port/esp_platform_time.c

@@ -0,0 +1,25 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_time.h"
+
+#ifdef MBEDTLS_PLATFORM_MS_TIME_ALT
+mbedtls_ms_time_t mbedtls_ms_time()
+{
+    int ret;
+    struct timespec tv = {};
+    mbedtls_ms_time_t current_ms;
+
+    ret = clock_gettime(CLOCK_MONOTONIC, &tv);
+    if (ret) {
+        return time(NULL) * 1000L;
+    }
+
+    current_ms = tv.tv_sec;
+    return current_ms * 1000L + tv.tv_nsec / 1000000L;
+}
+#endif // MBEDTLS_PLATFORM_MS_TIME_ALT

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -56,8 +56,15 @@
  */
 #ifdef CONFIG_MBEDTLS_HAVE_TIME
 #define MBEDTLS_HAVE_TIME
+/**
+ * \def MBEDTLS_PLATFORM_MS_TIME_ALT
+ *
+ * Define platform specific function to get time since bootup in milliseconds.
+ */
+#define MBEDTLS_PLATFORM_MS_TIME_ALT
 #else
 #undef MBEDTLS_HAVE_TIME
+#undef MBEDTLS_PLATFORM_MS_TIME_ALT
 #endif
 
 /**
@@ -2731,25 +2738,6 @@
  */
 #define MBEDTLS_X509_CRT_WRITE_C
 
-/**
- * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
- *
-  * Alow the X509 parser to not break-off when parsing an X509 certificate
- * and encountering an unknown critical extension.
- *
- * Module:  library/x509_crt.c
- *
- * Requires: MBEDTLS_X509_CRT_PARSE_C
- *
- * This module is supports loading of certificates with extensions that
- * may not be supported by mbedtls.
- */
-#ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT
-#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#else
-#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#endif
-
 /**
  * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
  *