[nrf fromlist] modules: mbedtls: make key exchange Kconfigs depend on, not select

Turn the MBEDTLS_RSA_FULL selects into depends on.
This is how the other MBEDTLS_KEY_EXCHANGE_* Kconfig options are defined.

This is done to avoid circular dependencies.

At the same time update uses of the affected MBEDTLS_KEY_EXCHANGE_*
Kconfig options to enable/disable the dependencies which used to be
automatically handled.

Upstream PR #: 89200

Signed-off-by: Tomi Fontanilles <[email protected]>
(cherry picked from commit deacfa35eb7bd9d2731ef7f16aedc9b14d1cc3b7)

Author: tomi-font

modules/hostap/Kconfig

@@ -145,6 +145,9 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 	select MBEDTLS_ECDH_C
 	select MBEDTLS_ECDSA_C
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+	select MBEDTLS_RSA_C
+	select MBEDTLS_PKCS1_V15
+	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	select MBEDTLS_NIST_KW_C
 	select MBEDTLS_DHM_C

modules/mbedtls/Kconfig.mbedtls

@@ -50,30 +50,35 @@ comment "Supported key exchange modes"
 
 config MBEDTLS_RSA_C
 	bool "RSA base support"
+	default y if UOSCORE || UEDHOC
 
 if MBEDTLS_RSA_C
 
 config MBEDTLS_PKCS1_V15
 	bool "RSA PKCS1 v1.5"
+	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_PKCS1_V21
 	bool "RSA PKCS1 v2.1"
+	default y if UOSCORE || UEDHOC
 
 config MBEDTLS_GENPRIME_ENABLED
 	bool "Prime number generation code"
 
 endif # MBEDTLS_RSA_C
 
 config MBEDTLS_RSA_FULL
-	bool
-	select MBEDTLS_RSA_C
-	select MBEDTLS_PKCS1_V15
-	select MBEDTLS_PKCS1_V21
+	def_bool y
+	depends on MBEDTLS_RSA_C && MBEDTLS_PKCS1_V15 && MBEDTLS_PKCS1_V21
 
 if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
 
 config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
 	bool "All available ciphersuite modes"
+	select MBEDTLS_MD
+	select MBEDTLS_RSA_C
+	select MBEDTLS_PKCS1_V15
+	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -98,7 +103,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_RSA_FULL
 
 endif # !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
 
@@ -114,8 +119,8 @@ if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
 config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
-	select MBEDTLS_MD
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_MD
+	depends on MBEDTLS_RSA_FULL
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
@@ -124,16 +129,16 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_RSA_FULL
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
-	select MBEDTLS_RSA_FULL
+	depends on MBEDTLS_RSA_FULL
 	depends on MBEDTLS_ECDH_C
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
-	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
@@ -272,15 +277,13 @@ config MBEDTLS_CIPHER_ALL_ENABLED
 	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 
 config MBEDTLS_SOME_AEAD_CIPHER_ENABLED
-	bool
-	default y
+	def_bool y
 	depends on \
 		MBEDTLS_CIPHER_AES_ENABLED || \
 		MBEDTLS_CIPHER_CAMELLIA_ENABLED
 
 config MBEDTLS_SOME_CIPHER_ENABLED
-	bool
-	default y
+	def_bool y
 	depends on \
 		MBEDTLS_SOME_AEAD_CIPHER_ENABLED || \
 		MBEDTLS_CIPHER_DES_ENABLED || \
@@ -423,6 +426,7 @@ if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
 
 config MBEDTLS_MD
 	bool "generic message digest layer."
+	default y if UOSCORE || UEDHOC
 
 endif # !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
 
@@ -634,8 +638,7 @@ config MBEDTLS_USE_PSA_CRYPTO
 	  "intermediate" modules such as PK, MD and Cipher.
 
 config MBEDTLS_PSA_CRYPTO_CLIENT
-	bool
-	default y
+	def_bool y
 	depends on BUILD_WITH_TFM || MBEDTLS_PSA_CRYPTO_C
 	select PSA_CRYPTO_CLIENT
 

samples/net/cloud/mqtt_azure/prj.conf

@@ -35,6 +35,9 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 CONFIG_MBEDTLS_SHA1=y
 CONFIG_MBEDTLS_SHA384=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y

samples/tfm_integration/psa_crypto/prj.conf

@@ -39,6 +39,10 @@ CONFIG_MBEDTLS_ENTROPY_C=y
 CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
 CONFIG_MBEDTLS_PK_WRITE_C=y
 

subsys/jwt/Kconfig

@@ -20,6 +20,10 @@ config JWT_SIGN_RSA_LEGACY
 	bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
 	depends on CSPRNG_AVAILABLE
 	select MBEDTLS
+	select MBEDTLS_MD
+	select MBEDTLS_RSA_C
+	select MBEDTLS_PKCS1_V15
+	select MBEDTLS_PKCS1_V21
 	select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config JWT_SIGN_RSA_PSA

subsys/net/lib/sockets/Kconfig

@@ -116,6 +116,10 @@ config NET_SOCKETS_SOCKOPT_TLS
 	imply TLS_CREDENTIALS
 	select MBEDTLS if NET_NATIVE
 	imply MBEDTLS_TLS_VERSION_1_2 if !NET_L2_OPENTHREAD
+	imply MBEDTLS_MD if !NET_L2_OPENTHREAD
+	imply MBEDTLS_RSA_C if !NET_L2_OPENTHREAD
+	imply MBEDTLS_PKCS1_V15 if !NET_L2_OPENTHREAD
+	imply MBEDTLS_PKCS1_V21 if !NET_L2_OPENTHREAD
 	imply MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if !NET_L2_OPENTHREAD
 	imply MBEDTLS_CIPHER_AES_ENABLED if !NET_L2_OPENTHREAD
 	imply PSA_WANT_KEY_TYPE_AES if !NET_L2_OPENTHREAD && PSA_CRYPTO_CLIENT

tests/net/lib/lwm2m/interop/prj.conf

@@ -82,7 +82,7 @@ CONFIG_MBEDTLS_HEAP_SIZE=7168
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
 # Disable RSA, we don't parse certs: saves flash/memory
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_RSA_C=n
 # Enable PSK instead
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
 CONFIG_LWM2M_SECURITY_DTLS_TLS_CIPHERSUITE_MAX=3

tests/net/socket/tls_configurations/overlay-rsa.conf

@@ -1,3 +1,8 @@
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
+
 CONFIG_PSA_WANT_ALG_RSA_OAEP=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y

tests/net/socket/tls_configurations/prj.conf

@@ -36,7 +36,8 @@ CONFIG_ENTROPY_GENERATOR=y
 # have a basic configuration in this "prj.conf" file and then add algorithm
 # support in overlay files.
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_MD=n
+CONFIG_MBEDTLS_RSA_C=n
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=n
 CONFIG_PSA_WANT_KEY_TYPE_AES=n
 CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n