From b8cbbe7c9048ca2166219ad1bd4fdcfd9940f76a Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Fri, 26 Apr 2024 16:32:48 +0100
Subject: [PATCH 01/10] Modify
 component_test_tls1_2_default_stream_cipher_only_use_psa

Replace relevant Mbed TLS API config options with their PSA
API equivalents.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 28009d56a8..8fbb0fb072 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1899,14 +1899,16 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
     msg "build: default with only stream cipher use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
+    # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))

From 6258621a0b41e9c980843799cb401de7c1613bad Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Fri, 26 Apr 2024 17:01:16 +0100
Subject: [PATCH 02/10] Modify
 component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa

Replace relevant Mbed TLS API config options with their PSA
API equivalents.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 8fbb0fb072..869fd039c9 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1957,14 +1957,17 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     msg "build: default with only CBC-legacy cipher use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+    # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
+    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
+    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))

From ff33abd599674fb39b49c5d319dff4b3c363e030 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Fri, 26 Apr 2024 17:08:34 +0100
Subject: [PATCH 03/10] Modify
 component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa

Replace relevant Mbed TLS API config options with their PSA
API equivalents.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 869fd039c9..ecb15414bf 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2017,14 +2017,17 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
     msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
+    scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
+    # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
+    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
+    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7
     # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))

From 1ca1f3d62f50d8c688b3716c46ab2f7e242eba6a Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Thu, 2 May 2024 09:48:29 +0100
Subject: [PATCH 04/10] Restore Mbed TLS style AEAD options for now

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index ecb15414bf..95053fb194 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1904,6 +1904,10 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+    # Note: The three unsets below are to be removed for Mbed TLS 4.0
+    scripts/config.py unset MBEDTLS_GCM_C
+    scripts/config.py unset MBEDTLS_CCM_C
+    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
@@ -1962,6 +1966,10 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+    # Note: The three unsets below are to be removed for Mbed TLS 4.0
+    scripts/config.py unset MBEDTLS_GCM_C
+    scripts/config.py unset MBEDTLS_CCM_C
+    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
@@ -2022,6 +2030,10 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
+    # Note: The three unsets below are to be removed for Mbed TLS 4.0
+    scripts/config.py unset MBEDTLS_GCM_C
+    scripts/config.py unset MBEDTLS_CCM_C
+    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))

From 67338c050ab840d96dbaceb90d51c9a01d621527 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Thu, 9 May 2024 15:21:14 +0100
Subject: [PATCH 05/10] Restore toggling of MBEDTLS_CIPHER_MODE_CBC

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 95053fb194..deb13b71fc 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1913,6 +1913,9 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
     # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
+    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Note: The unset below is to be removed for 4.0
+    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -1973,6 +1976,8 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Note: The set below is to be removed for 4.0
+    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
     # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7
@@ -2037,6 +2042,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Note: The set below is to be removed for 4.0
+    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
     # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7

From 5f2595a018b3cad05ac12d8e02f3e4411878dc98 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Tue, 14 May 2024 16:09:34 +0100
Subject: [PATCH 06/10] Remove non- _use_psa versions of components

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 83 --------------------------------------------
 1 file changed, 83 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index deb13b71fc..ee28109877 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1868,33 +1868,6 @@ component_test_full_no_bignum () {
     make test
 }
 
-component_test_tls1_2_default_stream_cipher_only () {
-    msg "build: default with only stream cipher"
-
-    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-    #Disable TLS 1.3 (as no AEAD)
-    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
-    # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
-    scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
-    # Modules that depend on AEAD
-    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
-    scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
-    make
-
-    msg "test: default with only stream cipher"
-    make test
-
-    # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
-}
-
 component_test_tls1_2_default_stream_cipher_only_use_psa () {
     msg "build: default with only stream cipher use psa"
 
@@ -1932,34 +1905,6 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
     # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
 }
 
-component_test_tls1_2_default_cbc_legacy_cipher_only () {
-    msg "build: default with only CBC-legacy cipher"
-
-    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-    #Disable TLS 1.3 (as no AEAD)
-    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
-    # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-    scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
-    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
-    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
-    # Modules that depend on AEAD
-    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
-    scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
-    make
-
-    msg "test: default with only CBC-legacy cipher"
-    make test
-
-    msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)"
-    tests/ssl-opt.sh -f "TLS 1.2"
-}
-
 component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     msg "build: default with only CBC-legacy cipher use psa"
 
@@ -1998,34 +1943,6 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     tests/ssl-opt.sh -f "TLS 1.2"
 }
 
-component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
-    msg "build: default with only CBC-legacy and CBC-EtM ciphers"
-
-    # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
-    scripts/config.py unset MBEDTLS_GCM_C
-    scripts/config.py unset MBEDTLS_CCM_C
-    scripts/config.py unset MBEDTLS_CHACHAPOLY_C
-    #Disable TLS 1.3 (as no AEAD)
-    scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
-    # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-    scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
-    # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
-    scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
-    # Modules that depend on AEAD
-    scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION
-    scripts/config.py unset MBEDTLS_SSL_TICKET_C
-
-    make
-
-    msg "test: default with only CBC-legacy and CBC-EtM ciphers"
-    make test
-
-    msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)"
-    tests/ssl-opt.sh -f "TLS 1.2"
-}
-
 component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
     msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
 

From b7c624ddd8c71ccfc3dc2806120918eddf15e385 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Tue, 14 May 2024 16:11:00 +0100
Subject: [PATCH 07/10] Remove _use_psa suffix from remaining components

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index ee28109877..65b36839d8 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1868,7 +1868,7 @@ component_test_full_no_bignum () {
     make test
 }
 
-component_test_tls1_2_default_stream_cipher_only_use_psa () {
+component_test_tls1_2_default_stream_cipher_only () {
     msg "build: default with only stream cipher use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
@@ -1905,7 +1905,7 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
     # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
 }
 
-component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
+component_test_tls1_2_deafult_cbc_legacy_cipher_only () {
     msg "build: default with only CBC-legacy cipher use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
@@ -1943,7 +1943,7 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
     tests/ssl-opt.sh -f "TLS 1.2"
 }
 
-component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
+component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
     msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO

From 69ca57eadca9138771dd5264d1ed13d845fe0292 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Tue, 14 May 2024 16:29:23 +0100
Subject: [PATCH 08/10] Fix typo

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 65b36839d8..a68f598697 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1905,7 +1905,7 @@ component_test_tls1_2_default_stream_cipher_only () {
     # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite.
 }
 
-component_test_tls1_2_deafult_cbc_legacy_cipher_only () {
+component_test_tls1_2_default_cbc_legacy_cipher_only () {
     msg "build: default with only CBC-legacy cipher use psa"
 
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO

From 8f83ba08e22516bfe0dd171e9737668d283ad68c Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Fri, 17 May 2024 14:44:15 +0100
Subject: [PATCH 09/10] Change the way CBC is set

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index a68f598697..413dfe0fb1 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1921,11 +1921,7 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    # Note: The set below is to be removed for 4.0
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
-    # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
-    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -1959,11 +1955,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
-    # Note: The set below is to be removed for 4.0
-    scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
-    # Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be set here to fully enable CBC
     scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
-    scripts/config.py -f $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_PKCS7
     # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
     # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))

From a8004f27b7f7536b6a7008140e7a0b49b372ea71 Mon Sep 17 00:00:00 2001
From: Thomas Daubney <thomas.daubney@arm.com>
Date: Fri, 17 May 2024 14:46:07 +0100
Subject: [PATCH 10/10] Add additional CCM unset

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
---
 tests/scripts/all.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 413dfe0fb1..03303e0e07 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1875,6 +1875,7 @@ component_test_tls1_2_default_stream_cipher_only () {
     scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     # Note: The three unsets below are to be removed for Mbed TLS 4.0
@@ -1912,6 +1913,7 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
     scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     # Note: The three unsets below are to be removed for Mbed TLS 4.0
@@ -1946,6 +1948,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
     scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
     # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
+    scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
     scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
     # Note: The three unsets below are to be removed for Mbed TLS 4.0