samples|tests: replace usage of legacy Mbed TLS crypto with PSA Crypto API

samples/net/cloud/mqtt_azure/prj.conf

@@ -28,20 +28,26 @@ CONFIG_MQTT_LIB_TLS=y
 
 # Enable Mbed TLS configuration
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=100000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
-CONFIG_MBEDTLS_SHA1=y
-CONFIG_MBEDTLS_SHA384=y
-CONFIG_MBEDTLS_RSA_C=y
-CONFIG_MBEDTLS_PKCS1_V15=y
-CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
-CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
-CONFIG_MBEDTLS_ECDH_C=y
-CONFIG_MBEDTLS_ECP_C=y
+CONFIG_PSA_WANT_ALG_SHA_1=y
+CONFIG_PSA_WANT_ALG_SHA_384=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
+CONFIG_PSA_WANT_ALG_RSA_OAEP=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_ECC_SECP_R1_256=y
+CONFIG_PSA_WANT_ALG_ECDH=y
+CONFIG_PSA_WANT_ALG_ECDSA=y
 
 # Network configuration
 CONFIG_NET_CONFIG_SETTINGS=y

samples/net/lwm2m_client/overlay-dtls.conf

@@ -12,8 +12,8 @@ CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1500
-CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_PSA_WANT_KEY_TYPE_AES=y
+CONFIG_PSA_WANT_ALG_CCM=y
 
 # Disable RSA, we don't parse certs: saves flash/memory
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n

samples/net/sockets/big_http_download/prj.conf

@@ -1,8 +1,8 @@
 # General config
 CONFIG_REQUIRES_FULL_LIBC=y
-CONFIG_MBEDTLS=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_MD_C=y
+CONFIG_PSA_WANT_ALG_SHA_256=y
 CONFIG_MAIN_STACK_SIZE=2536
 
 # Networking config

samples/net/sockets/big_http_download/src/big_http_download.c

@@ -11,7 +11,7 @@
 #include <ctype.h>
 #include <errno.h>
 
-#include "mbedtls/md.h"
+#include "psa/crypto.h"
 
 #if !defined(__ZEPHYR__) || defined(CONFIG_POSIX_API)
 
@@ -79,8 +79,6 @@
 const char *uri_path = "";
 static char response[1024];
 static char response_hash[32];
-mbedtls_md_context_t hash_ctx;
-const mbedtls_md_info_t *hash_info;
 unsigned int cur_bytes;
 
 void dump_addrinfo(const struct addrinfo *ai)
@@ -250,12 +248,15 @@
 	}
 }
 
 bool download(struct addrinfo *ai, bool is_tls, bool *redirect)
 {
 	int sock;
 	struct timeval timeout = {
 		.tv_sec = 5
 	};
+	psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT;
+	psa_status_t psa_status;
+	size_t hash_len;
 
 	cur_bytes = 0U;
 	*redirect = false;
@@ -313,7 +314,11 @@
 		goto error;
 	}
 
-	mbedtls_md_starts(&hash_ctx);
+	psa_status = psa_hash_setup(&hash_op, PSA_ALG_SHA_256);
+	if (psa_status != PSA_SUCCESS) {
+		printf("Failed to setup PSA hash operation %d\n", psa_status);
+		goto error;
+	}
 
 	while (1) {
 		int len = recv(sock, response, sizeof(response) - 1, 0);
@@ -332,7 +337,11 @@
 			break;
 		}
 
-		mbedtls_md_update(&hash_ctx, response, len);
+		psa_status = psa_hash_update(&hash_op, response, len);
+		if (psa_status != PSA_SUCCESS) {
+			printf("Failed to update PSA operation %d\n", psa_status);
+			goto error;
+		}
 
 		cur_bytes += len;
 		printf("Download progress: %u Bytes; %u KiB; %u MiB\r",
@@ -344,18 +353,22 @@
 
 	printf("\n");
 
-	mbedtls_md_finish(&hash_ctx, response_hash);
+	psa_status = psa_hash_finish(&hash_op, response_hash, sizeof(response_hash), &hash_len);
+	if (psa_status != PSA_SUCCESS) {
+		printf("Failed to terminate PSA operation %d\n", psa_status);
+		goto error;
+	}
 
 	printf("Hash: ");
-	print_hex(response_hash, mbedtls_md_get_size(hash_info));
+	print_hex(response_hash, hash_len);
 	printf("\n");
 
-	if (memcmp(response_hash, download_hash,
-		   mbedtls_md_get_size(hash_info)) != 0) {
+	if (memcmp(response_hash, download_hash, hash_len) != 0) {
 		printf("HASH MISMATCH!\n");
 	}
 
 error:
+	psa_hash_abort(&hash_op);
 	(void)close(sock);
 
 	return redirect;
@@ -449,16 +462,6 @@
 
 	dump_addrinfo(res);
 
-	hash_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
-	if (!hash_info) {
-		fatal("Unable to request hash type from mbedTLS");
-	}
-
-	mbedtls_md_init(&hash_ctx);
-	if (mbedtls_md_setup(&hash_ctx, hash_info, 0) < 0) {
-		fatal("Can't setup mbedTLS hash engine");
-	}
-
 	const uint32_t total_iterations = num_iterations;
 	uint32_t current_iteration = 1;
 	do {
@@ -484,7 +487,6 @@
 
 	printf("Finished downloading.\n");
 
-	mbedtls_md_free(&hash_ctx);
 	freeaddrinfo(res);
 
 	return 0;

samples/net/sockets/http_client/overlay-tls.conf

@@ -9,9 +9,16 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=60000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
-CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
-CONFIG_MBEDTLS_ECDH_C=y
-CONFIG_MBEDTLS_ECP_C=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_ECC_SECP_R1_256=y
+CONFIG_PSA_WANT_ALG_ECDH=y
+CONFIG_PSA_WANT_ALG_ECDSA=y
 
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6

samples/net/sockets/http_client/sample.yaml

@@ -5,9 +5,11 @@ common:
     - http_client
   min_ram: 32
   depends_on: netif
+  harness: net
 sample:
   description: HTTP client sample
   name: http_client
 tests:
-  sample.net.sockets.http_client:
-    harness: net
+  sample.net.sockets.http_client: {}
+  sample.net.sockets.http_client.tls:
+    extra_args: EXTRA_CONF_FILE="overlay-tls.conf"

samples/subsys/mgmt/mcumgr/smp_svr/udp_dtls.conf

@@ -28,11 +28,14 @@ CONFIG_NET_CONFIG_MY_IPV6_ADDR="2001:db8::1"
 # mbedtls settings
 CONFIG_MBEDTLS_TLS_VERSION_1_2=y
 CONFIG_MBEDTLS_DTLS=y
-CONFIG_MBEDTLS_RSA_C=y
-CONFIG_MBEDTLS_PKCS1_V15=y
-CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
-CONFIG_MBEDTLS_MD_C=y
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=60000
+CONFIG_PSA_CRYPTO=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_ALG_SHA_256=y
+CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
+CONFIG_PSA_WANT_ALG_RSA_PSS=y

samples/tfm_integration/psa_crypto/prj.conf

@@ -28,23 +28,20 @@ CONFIG_MBEDTLS_HEAP_SIZE=32768
 CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
 CONFIG_MBEDTLS_USER_CONFIG_FILE="config_mbedtls.h"
 
-CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
 CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
-CONFIG_MBEDTLS_ENTROPY_C=y
-CONFIG_MBEDTLS_ECP_C=y
-CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
-CONFIG_MBEDTLS_ECDSA_C=y
-CONFIG_MBEDTLS_MD_C=y
-CONFIG_MBEDTLS_RSA_C=y
-CONFIG_MBEDTLS_PKCS1_V15=y
-CONFIG_MBEDTLS_PKCS1_V21=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
+CONFIG_PSA_WANT_ALG_RSA_PSS=y
+CONFIG_PSA_WANT_ALG_SHA_256=y
 CONFIG_MBEDTLS_PK_WRITE_C=y
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
 
 # JSON
 CONFIG_JSON_LIBRARY=y

tests/net/lib/http_server/tls/prj.conf

@@ -29,14 +29,23 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
-CONFIG_MBEDTLS_ECDH_C=y
-CONFIG_MBEDTLS_ECDSA_C=y
-CONFIG_MBEDTLS_ECP_C=y
-CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_PSA_CRYPTO=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
+CONFIG_PSA_WANT_ECC_SECP_R1_256=y
+CONFIG_PSA_WANT_ALG_ECDH=y
+CONFIG_PSA_WANT_ALG_ECDSA=y
+CONFIG_PSA_WANT_ALG_TLS12_PRF=y
+CONFIG_PSA_WANT_ALG_RSA_OAEP=y
+CONFIG_PSA_WANT_ALG_RSA_PSS=y
+CONFIG_PSA_WANT_ALG_SHA_256=y
+CONFIG_PSA_WANT_KEY_TYPE_AES=y
+CONFIG_PSA_WANT_ALG_CCM=y
+CONFIG_PSA_WANT_ALG_GCM=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 
 # Network buffers / packets / sizes
 CONFIG_NET_BUF_TX_COUNT=32

tests/net/lib/lwm2m/interop/prj.conf

@@ -79,14 +79,16 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y
 # 1280 - 40 - 8 - 21
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1211
 CONFIG_MBEDTLS_HEAP_SIZE=7168
-CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
 # Disable RSA, we don't parse certs: saves flash/memory
-CONFIG_MBEDTLS_RSA_C=n
+CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
 # Enable PSK instead
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
 CONFIG_LWM2M_SECURITY_DTLS_TLS_CIPHERSUITE_MAX=3
 
+CONFIG_PSA_CRYPTO=y
+CONFIG_PSA_WANT_KEY_TYPE_AES=y
+CONFIG_PSA_WANT_ALG_CCM=y
+
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 # For testing purposes, limit DTLS contexts to one,
 # LwM2M engine should not use more than one on any given time.

tests/net/socket/tls_configurations/overlay-rsa.conf

@@ -1,8 +1,6 @@
-CONFIG_MBEDTLS_MD_C=y
-CONFIG_MBEDTLS_RSA_C=y
-CONFIG_MBEDTLS_PKCS1_V15=y
-CONFIG_MBEDTLS_PKCS1_V21=y
-
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
 CONFIG_PSA_WANT_ALG_RSA_OAEP=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y