modules: mbedtls: make key exchange Kconfigs depend on, not select

Turn the MBEDTLS_RSA_FULL selects into depends on. This is how the other MBEDTLS_KEY_EXCHANGE_* Kconfig options are defined. This is done to avoid circular dependencies. At the same time update uses of the affected MBEDTLS_KEY_EXCHANGE_* Kconfig options to enable/disable the dependencies which used to be automatically handled. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
2 months ago · 35f7eda545
9 changed files with 39 additions and 12 deletions
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@ -145,6 +145,9 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ECDSA_C
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 	select MBEDTLS_RSA_C
 	select MBEDTLS_PKCS1_V15
 	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	select MBEDTLS_NIST_KW_C
 	select MBEDTLS_DHM_C
--- a/modules/mbedtls/Kconfig.mbedtls
+++ b/modules/mbedtls/Kconfig.mbedtls
@ -46,28 +46,29 @@ comment "Supported key exchange modes"
 config MBEDTLS_RSA_C
 	bool "RSA base support"
 	default y if UOSCORE || UEDHOC
 if MBEDTLS_RSA_C
 config MBEDTLS_PKCS1_V15
 	bool "RSA PKCS1 v1.5"
 	default y if UOSCORE || UEDHOC
 config MBEDTLS_PKCS1_V21
 	bool "RSA PKCS1 v2.1"
 	default y if UOSCORE || UEDHOC
 config MBEDTLS_GENPRIME_ENABLED
 	bool "Prime number generation code"
 endif # MBEDTLS_RSA_C
-config MBEDTLS_RSA_FULL
+config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
-	bool
+	bool "All available ciphersuite modes"
 	select MBEDTLS_MD
 	select MBEDTLS_RSA_C
 	select MBEDTLS_PKCS1_V15
 	select MBEDTLS_PKCS1_V21
 config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
 	bool "All available ciphersuite modes"
 	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@ -92,7 +93,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 config MBEDTLS_PSK_MAX_LEN
 	int "Max size of TLS pre-shared keys"
@ -104,8 +105,8 @@ config MBEDTLS_PSK_MAX_LEN
 config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
-	select MBEDTLS_MD
+	depends on MBEDTLS_MD
-	select MBEDTLS_RSA_FULL
+	depends on PSA_CRYPTO_CLIENT || MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
@ -113,16 +114,16 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 	depends on MBEDTLS_ECDH_C
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
@ -397,6 +398,7 @@ config MBEDTLS_CIPHER
 config MBEDTLS_MD
 	bool "generic message digest layer."
 	default y if UOSCORE || UEDHOC
 config MBEDTLS_ASN1_PARSE_C
 	bool "Support for ASN1 parser functions"
--- a/samples/net/cloud/mqtt_azure/prj.conf
+++ b/samples/net/cloud/mqtt_azure/prj.conf
@ -35,6 +35,9 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 CONFIG_MBEDTLS_SHA1=y
 CONFIG_MBEDTLS_SHA384=y
 CONFIG_MBEDTLS_RSA_C=y
 CONFIG_MBEDTLS_PKCS1_V15=y
 CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y
--- a/samples/tfm_integration/psa_crypto/prj.conf
+++ b/samples/tfm_integration/psa_crypto/prj.conf
@ -39,6 +39,10 @@ CONFIG_MBEDTLS_ENTROPY_C=y
 CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDSA_C=y
 CONFIG_MBEDTLS_MD=y
 CONFIG_MBEDTLS_RSA_C=y
 CONFIG_MBEDTLS_PKCS1_V15=y
 CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
 CONFIG_MBEDTLS_PK_WRITE_C=y
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@ -20,6 +20,10 @@ config JWT_SIGN_RSA_LEGACY
 	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
 	depends on CSPRNG_AVAILABLE
 	select MBEDTLS
 	select MBEDTLS_MD
 	select MBEDTLS_RSA_C
 	select MBEDTLS_PKCS1_V15
 	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 config JWT_SIGN_RSA_PSA
--- a/subsys/net/lib/sockets/Kconfig
+++ b/subsys/net/lib/sockets/Kconfig
@ -116,6 +116,10 @@ config NET_SOCKETS_SOCKOPT_TLS
 	imply TLS_CREDENTIALS
 	select MBEDTLS if NET_NATIVE
 	imply MBEDTLS_TLS_VERSION_1_2 if !NET_L2_OPENTHREAD
 	imply MBEDTLS_MD if !NET_L2_OPENTHREAD
 	imply MBEDTLS_RSA_C if !NET_L2_OPENTHREAD
 	imply MBEDTLS_PKCS1_V15 if !NET_L2_OPENTHREAD
 	imply MBEDTLS_PKCS1_V21 if !NET_L2_OPENTHREAD
 	imply MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if !NET_L2_OPENTHREAD
 	imply MBEDTLS_CIPHER_AES_ENABLED if !NET_L2_OPENTHREAD
 	imply PSA_WANT_KEY_TYPE_AES if !NET_L2_OPENTHREAD && PSA_CRYPTO_CLIENT
--- a/tests/net/lib/lwm2m/interop/prj.conf
+++ b/tests/net/lib/lwm2m/interop/prj.conf
@ -82,7 +82,7 @@ CONFIG_MBEDTLS_HEAP_SIZE=7168
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
 # Disable RSA, we don't parse certs: saves flash/memory
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_RSA_C=n
 # Enable PSK instead
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
 CONFIG_LWM2M_SECURITY_DTLS_TLS_CIPHERSUITE_MAX=3
--- a/tests/net/socket/tls_configurations/overlay-rsa.conf
+++ b/tests/net/socket/tls_configurations/overlay-rsa.conf
@ -1,3 +1,8 @@
 CONFIG_MBEDTLS_MD=y
 CONFIG_MBEDTLS_RSA_C=y
 CONFIG_MBEDTLS_PKCS1_V15=y
 CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_PSA_WANT_ALG_RSA_OAEP=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
--- a/tests/net/socket/tls_configurations/prj.conf
+++ b/tests/net/socket/tls_configurations/prj.conf
@ -37,6 +37,8 @@ CONFIG_ENTROPY_GENERATOR=y
 # support in overlay files.
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
 CONFIG_MBEDTLS_MD=n
 CONFIG_MBEDTLS_RSA_C=n
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=n
 CONFIG_PSA_WANT_KEY_TYPE_AES=n
 CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n