diff --git a/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c b/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c
index d08533c9fe..1ec7c8ea87 100644
--- a/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c
+++ b/components/mbedtls/port/psa_driver/esp_mac/psa_crypto_driver_esp_hmac_transparent.c
@@ -291,12 +291,12 @@ psa_status_t esp_hmac_finish_transparent(
         goto exit;
     }
 
-    if (mac_size < hash_size) {
-        status = PSA_ERROR_BUFFER_TOO_SMALL;
-        goto exit;
-    }
-    memcpy(mac, tmp, hash_size);
-    *mac_length = hash_size;
+    /* Copy the MAC, limiting to the actual hash size we computed.
+     * This supports truncated MACs (mac_size < hash_size) and also
+     * handles cases where the output buffer is larger than needed. */
+    size_t bytes_to_copy = (mac_size <= hash_size) ? mac_size : hash_size;
+    memcpy(mac, tmp, bytes_to_copy);
+    *mac_length = bytes_to_copy;
 
 exit:
     mbedtls_platform_zeroize(tmp, hash_size);
diff --git a/components/mbedtls/test_apps/main/test_psa_hmac.c b/components/mbedtls/test_apps/main/test_psa_hmac.c
index afc7a06705..55e044b702 100644
--- a/components/mbedtls/test_apps/main/test_psa_hmac.c
+++ b/components/mbedtls/test_apps/main/test_psa_hmac.c
@@ -58,7 +58,7 @@ static void test_hmac_compute_and_verify(psa_key_id_t key_id,
                                           size_t expected_mac_len)
 {
     psa_status_t status;
-    size_t hmac_length = PSA_HASH_LENGTH(alg);
+    size_t hmac_length = PSA_MAC_TRUNCATED_LENGTH(alg) ? PSA_MAC_TRUNCATED_LENGTH(alg) : PSA_HASH_LENGTH(alg);
     uint8_t *hmac = malloc(hmac_length);
     TEST_ASSERT_NOT_NULL(hmac);
 
@@ -66,6 +66,7 @@ static void test_hmac_compute_and_verify(psa_key_id_t key_id,
     status = psa_mac_compute(key_id, alg, data, data_len,
                              hmac, hmac_length, &mac_length);
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
+    TEST_ASSERT_EQUAL(expected_mac_len, mac_length);
 
     status = psa_mac_verify(key_id, alg, data, data_len,
                             expected_mac, expected_mac_len);
@@ -185,3 +186,25 @@ TEST_CASE("PSA HMAC SHA-256 multipart test", "[psa_hmac]")
     psa_destroy_key(key_id);
     free(hmac);
 }
+
+TEST_CASE("PSA HMAC SHA-256 truncated test", "[psa_hmac]")
+{
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_id_t key_id = 0;
+    // Create truncated HMAC algorithm (16 bytes instead of full 32 bytes)
+    psa_algorithm_t alg = PSA_ALG_TRUNCATED_MAC(PSA_ALG_HMAC(PSA_ALG_SHA_256), 16);
+
+    setup_hmac_key_attributes(&attributes, alg, PSA_KEY_LIFETIME_VOLATILE);
+
+    status = psa_import_key(&attributes, key_256, sizeof(key_256), &key_id);
+    TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
+
+    // Test single-shot compute and verify with truncated MAC
+    test_hmac_compute_and_verify(key_id, alg, test_data, sizeof(test_data),
+                                 expected_hmac_sha256,
+                                 16);
+
+    psa_destroy_key(key_id);
+    psa_reset_key_attributes(&attributes);
+}