modules: mbedtls: make key exchange Kconfigs depend on, not select

tomi-font · nashif · commit 35f7eda54567 · 2025-05-13T22:22:43.000-04:00
Turn the MBEDTLS_RSA_FULL selects into depends on.
This is how the other MBEDTLS_KEY_EXCHANGE_* Kconfig options are defined.

This is done to avoid circular dependencies.

At the same time update uses of the affected MBEDTLS_KEY_EXCHANGE_*
Kconfig options to enable/disable the dependencies which used to be
automatically handled.

Signed-off-by: Tomi Fontanilles &lt;tomi.fontanilles@nordicsemi.no&gt;
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -145,6 +145,9 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ECDSA_C
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+	select MBEDTLS_RSA_C
+	select MBEDTLS_PKCS1_V15
+	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	select MBEDTLS_NIST_KW_C
 	select MBEDTLS_DHM_C
diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls
@@ -46,28 +46,29 @@ comment "Supported key exchange modes"
 
 config MBEDTLS_RSA_C
 	bool "RSA base support"
+	default y if UOSCORE || UEDHOC
 
 if MBEDTLS_RSA_C
 
 config MBEDTLS_PKCS1_V15
 	bool "RSA PKCS1 v1.5"
+	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_PKCS1_V21
 	bool "RSA PKCS1 v2.1"
+	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_GENPRIME_ENABLED
 	bool "Prime number generation code"
 
 endif # MBEDTLS_RSA_C
 
-config MBEDTLS_RSA_FULL
-	bool
+config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	bool "All available ciphersuite modes"
+	select MBEDTLS_MD
 	select MBEDTLS_RSA_C
 	select MBEDTLS_PKCS1_V15
 	select MBEDTLS_PKCS1_V21
-
-config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
-	bool "All available ciphersuite modes"
 	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -92,7 +93,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 
 config MBEDTLS_PSK_MAX_LEN
 	int "Max size of TLS pre-shared keys"
@@ -104,25 +105,25 @@ config MBEDTLS_PSK_MAX_LEN
 config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
-	select MBEDTLS_MD
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_MD
+	depends on PSA_CRYPTO_CLIENT || MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE if PSA_CRYPTO_CLIENT
 
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 	depends on MBEDTLS_ECDH_C
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
@@ -397,6 +398,7 @@ config MBEDTLS_CIPHER
 
 config MBEDTLS_MD
 	bool "generic message digest layer."
+	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_ASN1_PARSE_C
 	bool "Support for ASN1 parser functions"
diff --git a/samples/net/cloud/mqtt_azure/prj.conf b/samples/net/cloud/mqtt_azure/prj.conf
@@ -35,6 +35,9 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 CONFIG_MBEDTLS_SHA1=y
 CONFIG_MBEDTLS_SHA384=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y
diff --git a/samples/tfm_integration/psa_crypto/prj.conf b/samples/tfm_integration/psa_crypto/prj.conf
@@ -39,6 +39,10 @@ CONFIG_MBEDTLS_ENTROPY_C=y
 CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
 CONFIG_MBEDTLS_PK_WRITE_C=y
 
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
@@ -20,6 +20,10 @@ config JWT_SIGN_RSA_LEGACY
 	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
 	depends on CSPRNG_AVAILABLE
 	select MBEDTLS
+	select MBEDTLS_MD
+	select MBEDTLS_RSA_C
+	select MBEDTLS_PKCS1_V15
+	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config JWT_SIGN_RSA_PSA
diff --git a/subsys/net/lib/sockets/Kconfig b/subsys/net/lib/sockets/Kconfig
@@ -116,6 +116,10 @@ config NET_SOCKETS_SOCKOPT_TLS
 	imply TLS_CREDENTIALS
 	select MBEDTLS if NET_NATIVE
 	imply MBEDTLS_TLS_VERSION_1_2 if !NET_L2_OPENTHREAD
+	imply MBEDTLS_MD if !NET_L2_OPENTHREAD
+	imply MBEDTLS_RSA_C if !NET_L2_OPENTHREAD
+	imply MBEDTLS_PKCS1_V15 if !NET_L2_OPENTHREAD
+	imply MBEDTLS_PKCS1_V21 if !NET_L2_OPENTHREAD
 	imply MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if !NET_L2_OPENTHREAD
 	imply MBEDTLS_CIPHER_AES_ENABLED if !NET_L2_OPENTHREAD
 	imply PSA_WANT_KEY_TYPE_AES if !NET_L2_OPENTHREAD && PSA_CRYPTO_CLIENT
diff --git a/tests/net/lib/lwm2m/interop/prj.conf b/tests/net/lib/lwm2m/interop/prj.conf
@@ -82,7 +82,7 @@ CONFIG_MBEDTLS_HEAP_SIZE=7168
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
 # Disable RSA, we don't parse certs: saves flash/memory
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_RSA_C=n
 # Enable PSK instead
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
 CONFIG_LWM2M_SECURITY_DTLS_TLS_CIPHERSUITE_MAX=3
diff --git a/tests/net/socket/tls_configurations/overlay-rsa.conf b/tests/net/socket/tls_configurations/overlay-rsa.conf
@@ -1,3 +1,8 @@
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
+
 CONFIG_PSA_WANT_ALG_RSA_OAEP=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
diff --git a/tests/net/socket/tls_configurations/prj.conf b/tests/net/socket/tls_configurations/prj.conf
@@ -37,6 +37,8 @@ CONFIG_ENTROPY_GENERATOR=y
 # support in overlay files.
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_MD=n
+CONFIG_MBEDTLS_RSA_C=n
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=n
 CONFIG_PSA_WANT_KEY_TYPE_AES=n
 CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n
