From ae885590fb4179299b166a6c56b82bf1ee2a8441 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 10 Feb 2026 11:17:27 +0100 Subject: [PATCH] library: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC Follow the same pattern that was used in the past to remove dependency on MBEDTLS_RSA_C and use PSA_WANT instead. Relying on MBEDTLS_RSA_C is fine only when builtin drivers are compiled since all PSA_WANT are converted to legacy build symbols. However when builtin drivers are not built (ex: in case of TF-M), then part of the code in TLS/X509 won't be compiled because MBEDTLS_RSA_C is not set. OTOH it's not possible to declare that symbol in a configuration file because it's a legacy one and it will be rejected by buildtime checks. Signed-off-by: Valerio Setti --- library/ssl_misc.h | 2 +- library/ssl_tls.c | 27 ++++++++++++++------------- library/ssl_tls12_server.c | 4 ++-- library/x509_crt.c | 4 ++-- library/x509_oid.c | 8 ++++---- 5 files changed, 23 insertions(+), 22 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5f8980a20e..f0ca823f33 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2468,7 +2468,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported( } switch (sig) { -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) case MBEDTLS_SSL_SIG_RSA: break; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6df6c4bd88..c99becd9bb 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
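Review bot: Gating code that only verifies RSA signatures on `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC` looks too narrow, because that symbol requests RSA private-key support while the `MBEDTLS_SSL_SIG_RSA` case here in `mbedtls_ssl_tls12_sig_alg_is_supported`, `x509_profile_check_key` (library/x509_crt.c), the `oid_sig_alg` table (library/x509_oid.c) and the `MBEDTLS_SSL_CERT_TYPE_RSA_SIGN` entry in `ssl_write_certificate_request` (library/ssl_tls12_server.c) all operate on a peer's public key. In a verify-only configuration (RSA public keys wanted, no key pair) these paths would presumably be compiled out, so RSA-signed certificates and handshake signatures would stop validating without any build-time diagnostic. The x509_crt.c hunk already guards its ECC branch with `PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY`, so the RSA branches should either mirror it with `#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)` or carry a short comment stating that the key-pair symbol is deliberately used as the single RSA-support switch for TLS/X.509. `mbedtls_ssl_tls12_sig_alg_is_supported` starts before this hunk and continues after it.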
@@ -5271,17 +5271,17 @@ static const uint16_t ssl_preset_default_sig_algs[] = { MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, #endif -#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_512) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_512) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, -#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_512 */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_512 */ -#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_384) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_384) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, -#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_384 */ -#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) && defined(PSA_WANT_ALG_SHA_256) MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, -#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC && PSA_WANT_ALG_SHA_256 */ MBEDTLS_TLS_SIG_NONE }; @@ -5297,7 +5297,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = { #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, #endif -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), #endif #endif /* PSA_WANT_ALG_SHA_512 */ @@ -5309,7 +5309,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = { #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, #endif -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), #endif #endif /* PSA_WANT_ALG_SHA_384 */ 
@@ -5321,7 +5321,7 @@ static const uint16_t ssl_tls12_preset_default_sig_algs[] = { #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, #endif -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), #endif #endif /* PSA_WANT_ALG_SHA_256 */ @@ -5615,7 +5615,8 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) } #if defined(MBEDTLS_PK_C) && \ - (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) + (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) /* * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX */ @@ -5623,7 +5624,7 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) { psa_key_type_t key_type = mbedtls_pk_get_key_type(pk); -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) if (PSA_KEY_TYPE_IS_RSA(key_type)) { return MBEDTLS_SSL_SIG_RSA; } @@ -5651,7 +5652,7 @@ unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_sigalg_t type) mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig) { switch (sig) { -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) case MBEDTLS_SSL_SIG_RSA: return MBEDTLS_PK_SIGALG_RSA_PKCS1V15; #endif @@ -5664,7 +5665,7 @@ mbedtls_pk_sigalg_t mbedtls_ssl_pk_sig_alg_from_sig(unsigned char sig) } } #endif /* MBEDTLS_PK_C && - ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ + ( PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ /* * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 94e61a8aca..e7b24c05c8 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c 
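Review bot: The closing comment rewritten in the `@@ -5664` hunk, `( PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */`, now runs past 100 columns, whereas the matching `#if` in the `@@ -5615` hunk was split with a `\` continuation to stay short. If the project's line-length check applies to comments as well, wrapping the `#endif` comment the same way keeps both ends of the guarded region consistent: `#endif /* MBEDTLS_PK_C && (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC ||` followed by `          MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) */`. The region this `#endif` closes spans `mbedtls_ssl_sig_from_pk`, `mbedtls_ssl_sig_from_pk_alg` and `mbedtls_ssl_pk_sig_alg_from_sig`, most of which lies outside these hunks.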
@@ -1299,7 +1299,7 @@ static int ssl_parse_client_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA1), #endif -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA1), #endif @@ -2246,7 +2246,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) */ ct_len = 0; -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN; #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) diff --git a/library/x509_crt.c b/library/x509_crt.c index dc07ba8334..8fea9bf925 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -210,7 +210,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile, { const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type(pk); -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) if (pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS) { if (mbedtls_pk_get_bitlen(pk) >= profile->rsa_min_bitlen) { return 0; @@ -218,7 +218,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile, return -1; } -#endif /* MBEDTLS_RSA_C */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */ #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) if (pk_alg == MBEDTLS_PK_ECDSA || diff --git a/library/x509_oid.c b/library/x509_oid.c index cc0063bcd3..8c67cdfa1c 100644 --- a/library/x509_oid.c +++ b/library/x509_oid.c @@ -386,7 +386,7 @@ typedef struct { static const oid_sig_alg_t oid_sig_alg[] = { -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) #if defined(PSA_WANT_ALG_MD5) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"), 
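Review bot: In the `@@ -2246` hunk of `ssl_write_certificate_request`, `ct_len` is only incremented under the new `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC` guard and under `MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED`, so a build with neither (which the new guard makes more likely, e.g. an RSA verify-only configuration) would send a CertificateRequest with an empty certificate_types list, which RFC 5246 section 7.4.4 defines as `<1..2^8-1>`. Nothing in the hunk rejects that case; adding a check after the list is built, `if (ct_len == 0) { return MBEDTLS_ERR_SSL_BAD_CONFIG; }` or a preprocessor `#error` on the guard combination, would make the invariant explicit rather than relying on configuration checks elsewhere. The enclosing function starts before the hunk and continues after it, so this is inferred from the visible lines only.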
@@ -433,7 +433,7 @@ static const oid_sig_alg_t oid_sig_alg[] = MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_1 */ -#endif /* MBEDTLS_RSA_C */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */ #if defined(PSA_HAVE_ALG_SOME_ECDSA) #if defined(PSA_WANT_ALG_SHA_1) { @@ -466,12 +466,12 @@ static const oid_sig_alg_t oid_sig_alg[] = }, #endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ -#if defined(MBEDTLS_RSA_C) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) { OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"), MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_RSA_PSS, }, -#endif /* MBEDTLS_RSA_C */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */ { NULL_OID_DESCRIPTOR, MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_NONE,