Remove support for static ECDH cipher suites

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-12-24 17:41:01 +03:00 · 2025-07-10 09:41:09 +01:00
parent 414878aa7f
commit 15f1d7f812
16 changed files with 14 additions and 618 deletions
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -437,7 +437,6 @@ component_test_everest_curve25519_only () {
    scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
    scripts/config.py unset PSA_WANT_ALG_ECDSA
    scripts/config.py set PSA_WANT_ALG_ECDH
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
    scripts/config.py unset MBEDTLS_ECJPAKE_C
    scripts/config.py unset PSA_WANT_ALG_JPAKE
@@ -574,7 +573,6 @@ component_test_psa_crypto_config_accel_ecdsa () {

    # Disable things that depend on it
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED

    # Build
    # -----
@@ -615,8 +613,6 @@ component_test_psa_crypto_config_accel_ecdh () {
    scripts/config.py unset MBEDTLS_ECDH_C

    # Disable things that depend on it
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -1147,7 +1143,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
    # Also disable key exchanges that depend on RSA
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED

    if [ "$test_target" = "ECC" ]; then
        # When testing ECC only, we disable FFDH support, both from builtin and
@@ -1496,7 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () {
    scripts/config.py crypto

    # Remove RSA support and its dependencies
-    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+    scripts/config.py unset MBEDTLS_PKCS1_V15
+    scripts/config.py unset MBEDTLS_PKCS1_V21
    scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
    scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT

--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -280,7 +280,6 @@ REVERSE_DEPENDENCIES = {

    'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA',
                           'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
-                           'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
                           'MBEDTLS_ECDSA_C'],
    'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [
        'PSA_WANT_ALG_ECDSA',
@@ -294,7 +293,6 @@ REVERSE_DEPENDENCIES = {
        'MBEDTLS_ECP_RESTARTABLE',
        'MBEDTLS_PK_PARSE_EC_EXTENDED',
        'MBEDTLS_PK_PARSE_EC_COMPRESSED',
-        'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
        'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
        'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
        'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED',
@@ -313,7 +311,7 @@ REVERSE_DEPENDENCIES = {
        'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
        'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
        'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
-        'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
+        'MBEDTLS_RSA_C'],

    'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
                             'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',