[crypto] mbedtls: refactor mbedtls-config.h for better readability

LuDuda · LuDuda · commit 69e6f14bead9 · 2026-01-12T22:02:25.000+01:00
Group mbedTLS configuration macros into logical sections and improve
formatting.

This commit helps prepare for PSA API backend introduction.

Signed-off-by: Łukasz Duda &lt;lukasz.duda@nordicsemi.no&gt;
diff --git a/third_party/mbedtls/mbedtls-config.h b/third_party/mbedtls/mbedtls-config.h
@@ -40,7 +40,9 @@
 #include <openthread/platform/logging.h>
 #include <openthread/platform/memory.h>
 
-#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+// ==============================================================================
+// Cryptographic configuration
+// ==============================================================================
 
 #define MBEDTLS_AES_C
 #if (MBEDTLS_VERSION_NUMBER >= 0x03050000)
@@ -66,19 +68,34 @@
 #define MBEDTLS_ENTROPY_C
 #define MBEDTLS_HAVE_ASM
 #define MBEDTLS_HMAC_DRBG_C
-#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 #define MBEDTLS_MD_C
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#define MBEDTLS_OID_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_PLATFORM_MEMORY
-#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 #define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
 #define MBEDTLS_SHA256_SMALLER
+
+#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_C
+#endif
+
+#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE
+#define MBEDTLS_GCM_C
+#endif
+
+#if OPENTHREAD_CONFIG_ECDSA_ENABLE
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_C
+#if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#endif
+#endif
+
+// ==============================================================================
+// SSL configuration
+// ==============================================================================
+
 #define MBEDTLS_SSL_CLI_C
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
@@ -93,6 +110,12 @@
 #define MBEDTLS_SSL_SRV_C
 #endif
 
+#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE
+#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+#endif
+
+#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
 #if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #endif
@@ -134,8 +157,8 @@
 #define MBEDTLS_ENTROPY_MAX_SOURCES        1 /**< Maximum number of sources supported */
 
 #if OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE
-#define MBEDTLS_PLATFORM_STD_CALLOC      otPlatCAlloc /**< Default allocator to use, can be undefined */
-#define MBEDTLS_PLATFORM_STD_FREE        otPlatFree /**< Default free to use, can be undefined */
+#define MBEDTLS_PLATFORM_STD_CALLOC      otPlatCryptoCAlloc /**< Default allocator to use, can be undefined */
+#define MBEDTLS_PLATFORM_STD_FREE        otPlatCryptoFree /**< Default free to use, can be undefined */
 #else
 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
 #endif
@@ -152,6 +175,63 @@
 #define MBEDTLS_SSL_OUT_CONTENT_LEN      MBEDTLS_SSL_MAX_CONTENT_LEN
 #define MBEDTLS_SSL_CIPHERSUITES         MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
 
+// ==============================================================================
+// x509 & PK configuration
+// ==============================================================================
+
+#define MBEDTLS_OID_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+
+#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#endif
+
+#if OPENTHREAD_CONFIG_ECDSA_ENABLE
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#endif
+
+// ==============================================================================
+// MPI configuration
+// ==============================================================================
+
+#define MBEDTLS_MPI_WINDOW_SIZE            1 /**< Maximum windows size used. */
+#define MBEDTLS_MPI_MAX_SIZE              32 /**< Maximum number of bytes for usable MPIs. */
+
+// ==============================================================================
+// ECP configuration
+// ==============================================================================
+
+#if (MBEDTLS_VERSION_NUMBER < 0x03000000)
+#define MBEDTLS_ECP_MAX_BITS             256 /**< Maximum bit size of groups */
+#endif
+#define MBEDTLS_ECP_WINDOW_SIZE            2 /**< Maximum window size used */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM      0 /**< Enable fixed-point speed-up */
+
+// ==============================================================================
+// Platform configuration
+// ==============================================================================
+
+#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
+
+#if OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE
+#define MBEDTLS_PLATFORM_STD_CALLOC     calloc /**< Default allocator to use, can be undefined */
+#define MBEDTLS_PLATFORM_STD_FREE       free   /**< Default free to use, can be undefined */
+#else
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#endif
+
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_ENTROPY_MAX_SOURCES 1
+
 // Spans multiple lines to avoid being processed by unifdef
 #if defined(\
     MBEDTLS_USER_CONFIG_FILE)
