pioarduino
diff --git a/‎components/bootloader_support/CMakeLists.txt‎
Lines changed: 4 additions & 4 deletions b/‎components/bootloader_support/CMakeLists.txt‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎components/bootloader_support/src/esp_image_format.c‎
Lines changed: 10 additions & 5 deletions b/‎components/bootloader_support/src/esp_image_format.c‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎components/bt/controller/lib_esp32c3_family‎ b/‎components/bt/controller/lib_esp32c3_family‎
diff --git a/‎components/esp-tls/esp-tls-crypto/esp_tls_crypto.c‎
Lines changed: 28 additions & 3 deletions b/‎components/esp-tls/esp-tls-crypto/esp_tls_crypto.c‎
Lines changed: 28 additions & 3 deletions
diff --git a/‎components/esp_http_server/src/httpd_ws.c‎
Lines changed: 37 additions & 8 deletions b/‎components/esp_http_server/src/httpd_ws.c‎
Lines changed: 37 additions & 8 deletions
diff --git a/‎components/esp_rom/esp32c3/ld/esp32c3.rom.bt_funcs.ld‎
Lines changed: 2 additions & 2 deletions b/‎components/esp_rom/esp32c3/ld/esp32c3.rom.bt_funcs.ld‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎components/esp_rom/esp32c3/ld/esp32c3.rom.eco7_bt_funcs.ld‎
Lines changed: 1 addition & 1 deletion b/‎components/esp_rom/esp32c3/ld/esp32c3.rom.eco7_bt_funcs.ld‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎components/esp_rom/esp32s3/ld/esp32s3.rom.bt_funcs.ld‎
Lines changed: 2 additions & 2 deletions b/‎components/esp_rom/esp32s3/ld/esp32s3.rom.bt_funcs.ld‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎components/mbedtls/Kconfig‎
Lines changed: 15 additions & 0 deletions b/‎components/mbedtls/Kconfig‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎components/mbedtls/port/include/mbedtls/esp_config.h‎
Lines changed: 4 additions & 1 deletion b/‎components/mbedtls/port/include/mbedtls/esp_config.h‎
Lines changed: 4 additions & 1 deletion
@@ -36,6 +36,10 @@ if(CONFIG_APP_BUILD_TYPE_APP_2NDBOOT)
         )
 endif()
 
+if(CONFIG_ESP_ROM_REV0_HAS_NO_ECDSA_INTERFACE)
+    list(APPEND srcs "src/${IDF_TARGET}/bootloader_ecdsa.c")
+endif()
+
 if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     set(include_dirs "include" "bootloader_flash/include"
         "private_include")
@@ -50,10 +54,6 @@ if(BOOTLOADER_BUILD OR CONFIG_APP_BUILD_TYPE_RAM)
     "src/${IDF_TARGET}/bootloader_${IDF_TARGET}.c"
     )
     list(APPEND priv_requires hal)
-    if(CONFIG_ESP_ROM_REV0_HAS_NO_ECDSA_INTERFACE)
-        list(APPEND srcs
-            "src/${IDF_TARGET}/bootloader_ecdsa.c")
-    endif()
 else()
     list(APPEND srcs
         "src/idf/bootloader_sha.c")
 
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -47,7 +47,12 @@ static const char *TAG = "esp_image";
 
 #define HASH_LEN ESP_IMAGE_HASH_LEN
 
-#define SIXTEEN_MB 0x1000000
+#if SOC_SPI_MEM_SUPPORT_CACHE_32BIT_ADDR_MAP
+#define ESP_IMAGE_MAX_FLASH_ADDR_SIZE    UINT32_MAX
+#else
+#define ESP_IMAGE_MAX_FLASH_ADDR_SIZE    0x1000000
+#endif
+
 #define ESP_ROM_CHECKSUM_INITIAL 0xEF
 
 /* Headroom to ensure between stack SP (at time of checking) and data loaded from flash */
@@ -138,7 +143,7 @@ static esp_err_t image_load(esp_image_load_mode_t mode, const esp_partition_pos_
     verify_sha = (part->offset != ESP_BOOTLOADER_OFFSET) && do_verify;
 #endif
 
-    if (part->size > SIXTEEN_MB) {
+    if (part->size > ESP_IMAGE_MAX_FLASH_ADDR_SIZE) {
         err = ESP_ERR_INVALID_ARG;
         FAIL_LOAD("partition size 0x%"PRIx32" invalid, larger than 16MB", part->size);
     }
@@ -297,7 +302,7 @@ esp_err_t esp_image_verify(esp_image_load_mode_t mode, const esp_partition_pos_t
 esp_err_t esp_image_get_metadata(const esp_partition_pos_t *part, esp_image_metadata_t *metadata)
 {
     esp_err_t err;
-    if (metadata == NULL || part == NULL || part->size > SIXTEEN_MB) {
+    if (metadata == NULL || part == NULL || part->size > ESP_IMAGE_MAX_FLASH_ADDR_SIZE) {
         return ESP_ERR_INVALID_ARG;
     }
 
@@ -751,7 +756,7 @@ static esp_err_t process_segment_data(int segment, intptr_t load_addr, uint32_t
 static esp_err_t verify_segment_header(int index, const esp_image_segment_header_t *segment, uint32_t segment_data_offs, bool silent)
 {
     if ((segment->data_len & 3) != 0
-            || segment->data_len >= SIXTEEN_MB) {
+            || segment->data_len >= ESP_IMAGE_MAX_FLASH_ADDR_SIZE) {
         if (!silent) {
             ESP_LOGE(TAG, "invalid segment length 0x%"PRIx32, segment->data_len);
         }
 
@@ -1,16 +1,18 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
 
 #include "esp_tls_crypto.h"
 #include "esp_log.h"
 #include "esp_err.h"
-static const char *TAG = "esp_crypto";
+#include "sdkconfig.h"
+__attribute__((unused)) static const char *TAG = "esp_crypto";
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
 #include "mbedtls/sha1.h"
 #include "mbedtls/base64.h"
+#include "mbedtls/error.h"
 #define _esp_crypto_sha1 esp_crypto_sha1_mbedtls
 #define _esp_crypto_base64_encode esp_crypto_bas64_encode_mbedtls
 #elif  CONFIG_ESP_TLS_USING_WOLFSSL
@@ -25,11 +27,34 @@ static int esp_crypto_sha1_mbedtls( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[20])
 {
-    int ret = mbedtls_sha1(input, ilen, output);
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
+        goto exit;
+    }
+
+exit:
+    mbedtls_sha1_free(&ctx);
     if (ret != 0) {
         ESP_LOGE(TAG, "Error in calculating sha1 sum , Returned 0x%02X", ret);
     }
     return ret;
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+#endif /*  CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA*/
 }
 
 static int esp_crypto_bas64_encode_mbedtls( unsigned char *dst, size_t dlen,
 
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -13,10 +13,12 @@
 #include <esp_err.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/base64.h>
+#include <mbedtls/error.h>
 
 #include <esp_http_server.h>
 #include "esp_httpd_priv.h"
 #include "freertos/event_groups.h"
+#include "sdkconfig.h"
 
 #ifdef CONFIG_HTTPD_WS_SUPPORT
 
@@ -51,23 +53,23 @@ static const char *TAG="httpd_ws";
  */
 static const char ws_magic_uuid[] = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
 
-/* Checks if any subprotocols from the comma seperated list matches the supported one
+/* Checks if any subprotocols from the comma separated list matches the supported one
  *
  * Returns true if the response should contain a protocol field
 */
 
 /**
- * @brief Checks if any subprotocols from the comma seperated list matches the supported one
+ * @brief Checks if any subprotocols from the comma separated list matches the supported one
  *
  * @param supported_subprotocol[in] The subprotocol supported by the URI
- * @param subprotocol[in],  [in]: A comma seperate list of subprotocols requested
+ * @param subprotocol[in],  [in]: A comma separate list of subprotocols requested
  * @param buf_len Length of the buffer
  * @return true: found a matching subprotocol
  * @return false
  */
 static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol, char *subprotocol, size_t buf_len)
 {
-    /* Request didnt contain any subprotocols */
+    /* Request didn't contain any subprotocols */
     if (strnlen(subprotocol, buf_len) == 0) {
         return false;
     }
@@ -77,7 +79,7 @@ static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol,
         return false;
     }
 
-    /* Get first subprotocol from comma seperated list */
+    /* Get first subprotocol from comma separated list */
     char *rest = NULL;
     char *s = strtok_r(subprotocol, ", ", &rest);
     do {
@@ -143,7 +145,34 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     /* Generate SHA-1 first and then encode to Base64 */
     size_t key_len = strlen(server_raw_text);
-    mbedtls_sha1((uint8_t *)server_raw_text, key_len, server_key_hash);
+
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, (uint8_t *)server_raw_text, key_len)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, server_key_hash)) != 0) {
+        goto sha_end;
+    }
+
+sha_end:
+    mbedtls_sha1_free(&ctx);
+    if (ret != 0) {
+        ESP_LOGE(TAG, "Error in calculating SHA1 sum , returned 0x%02X", ret);
+        return ESP_FAIL;
+    }
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return ESP_FAIL;
+#endif /* CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA */
 
     size_t encoded_len = 0;
     mbedtls_base64_encode((uint8_t *)server_key_encoded, sizeof(server_key_encoded), &encoded_len,
@@ -153,7 +182,7 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     char subprotocol[50] = { '\0' };
     if (httpd_req_get_hdr_value_str(req, "Sec-WebSocket-Protocol", subprotocol, sizeof(subprotocol) - 1) == ESP_ERR_HTTPD_RESULT_TRUNC) {
-        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was trunctated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
+        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was truncated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
     }
 
 
 
@@ -421,10 +421,10 @@ r_llc_ll_reject_ind_pdu_send = 0x40000f3c;
 r_llc_ll_start_enc_rsp_ack_handler = 0x40000f40;
 r_llc_ll_terminate_ind_ack = 0x40000f44;
 r_llc_ll_unknown_ind_handler = 0x40000f48;
-/* r_llc_llcp_send = 0x40000f4c; */
+r_llc_llcp_send = 0x40000f4c;
 r_llc_llcp_state_set = 0x40000f50;
 r_llc_llcp_trans_timer_set = 0x40000f54;
-r_llc_llcp_tx_check = 0x40000f58;
+/* r_llc_llcp_tx_check = 0x40000f58; */
 r_llc_loc_con_upd_proc_err_cb = 0x40000f64;
 r_llc_loc_dl_upd_proc_continue = 0x40000f68;
 r_llc_loc_encrypt_proc_continue = 0x40000f6c;
 
@@ -18,7 +18,6 @@ r_lld_con_terminate_max_evt_update = 0x40001c5c;
 r_llc_pref_param_compute_eco = 0x40001ce8;
 r_llc_hci_con_upd_info_send_eco = 0x40001cec;
 r_llc_rem_encrypt_proc_continue_eco = 0x40001cf0;
-r_llc_start_eco = 0x40001cf8;
 r_lld_ext_adv_dynamic_aux_pti_process_eco = 0x40001cfc;
 r_lld_adv_start_eco = 0x40001d04;
 r_lld_con_evt_canceled_cbk_eco = 0x40001d08;
@@ -127,4 +126,5 @@ r_hci_register_vendor_desc_tab = 0x40000d9c;
 r_lld_scan_process_pkt_rx_adv_rep = 0x40001284;
 r_register_esp_vendor_cmd_handler = 0x40001400;
 r_llc_llcp_pdu_handler_get_overwrite = 0x40001d5c;
+r_llc_start_eco = 0x40001cf8;
 */
@@ -421,10 +421,10 @@ r_llc_ll_reject_ind_pdu_send = 0x40003d98;
 r_llc_ll_start_enc_rsp_ack_handler = 0x40003da4;
 r_llc_ll_terminate_ind_ack = 0x40003db0;
 r_llc_ll_unknown_ind_handler = 0x40003dbc;
-/* r_llc_llcp_send = 0x40003dc8; */
+r_llc_llcp_send = 0x40003dc8;
 r_llc_llcp_state_set = 0x40003dd4;
 r_llc_llcp_trans_timer_set = 0x40003de0;
-r_llc_llcp_tx_check = 0x40003dec;
+/* r_llc_llcp_tx_check = 0x40003dec; */
 /* r_llc_loc_ch_map_proc_continue = 0x40003df8; */
 r_llc_loc_con_upd_proc_err_cb = 0x40003e10;
 r_llc_loc_dl_upd_proc_continue = 0x40003e1c;
 
@@ -698,6 +698,21 @@ menu "mbedTLS"
             Standard ECDSA is "fragile" in the sense that lack of entropy when signing
             may result in a compromise of the long-term signing key.
 
+    config MBEDTLS_SHA1_C
+        bool "Enable the SHA-1 cryptographic hash algorithm"
+        default y
+        help
+            Enabling MBEDTLS_SHA1_C adds support for SHA-1.
+            SHA-1 is considered a weak message digest and its use constitutes
+            a security risk.
+            Disabling this configuration option could impact TLS 1.2 / Wi-Fi Enterprise compatibility
+            with certain older certificates that rely on SHA-1 for digital signatures.
+            Before proceeding, ensure that all your certificates are using stronger hash algorithms,
+            such as SHA-256 (part of the SHA-2 family).
+            If you're using older certificates or if you're unsure about the impact on your product,
+            please consider testing the changes in a controlled environment for individual features
+            like OTA updates, cloud connectivity, secure local control, etc.
+
     config MBEDTLS_SHA512_C
         bool "Enable the SHA-384 and SHA-512 cryptographic hash algorithms"
         default y
 
@@ -2490,8 +2490,11 @@
  *            on it, and considering stronger message digests instead.
  *
  */
+#if CONFIG_MBEDTLS_SHA1_C
 #define MBEDTLS_SHA1_C
-
+#else
+#undef MBEDTLS_SHA1_C
+#endif
 /**
  * \def MBEDTLS_SHA224_C
  *
Original file line number	Diff line number	Diff line change
`@@ -2490,8 +2490,11 @@`
`2490`	`2490`	`* on it, and considering stronger message digests instead.`
`2491`	`2491`	`*`
`2492`	`2492`	`*/`
	`2493`	`+#if CONFIG_MBEDTLS_SHA1_C`
`2493`	`2494`	`#define MBEDTLS_SHA1_C`
`2494`		`-`
	`2495`	`+#else`
	`2496`	`+#undef MBEDTLS_SHA1_C`
	`2497`	`+#endif`
`2495`	`2498`	`/**`
`2496`	`2499`	`* \def MBEDTLS_SHA224_C`
`2497`	`2500`	`*`