library: check_config: remove RSA encryption requirement from ECDHE-RSA by valeriosetti · Pull Request #10639 · Mbed-TLS/mbedtls

valeriosetti · 2026-03-13T13:12:23Z

Description

ECDHE-RSA only requires RSA signature, not encryption. This commits fixes guards in "mbedtls_check_config.h".

PR checklist

changelog not required because: minor fix which is a bit of corner case configuration wise.
development PR not required because: this one
TF-PSA-Crypto PR not required because: no change there
framework PR not required
3.6 PR not required because: only applies to development where guards are PSA only
tests not required because: minor improvement

yanesca

LGTM

bjwtaylor · 2026-03-13T14:32:56Z

 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
    ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
-      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) )
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) )


Can we also update the dependency here tests/scripts/depends.py:277, or is this still required?

Nice catch, thanks!

yanesca · 2026-03-17T09:33:11Z

                              'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
-    'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
-                                        'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],
+    'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],


I can't see this dependency in either of the check_config.h files. I think what we need here is:

Suggested change

'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],

'PSA_WANT_ALG_RSA_PKCS1V15_SIGN': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],

(I haven't tested whether this would make the CI happy.)

Oh yes, of course. Previously it was working because PSA_WANT_ALG_RSA_PKCS1V15_SIGN and MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED were disabled at the same time (from the wrong signal, but still...).
Thanks! I will apply immediately

yanesca

LGTM

valeriosetti · 2026-03-17T13:39:29Z

Sorry, I had to patch depends.py once again to fix another failure with pkalgs testing. Thanks @bjwtaylor for the heads up!
Hopefully the CI should be happy now.

yanesca

LGTM

valeriosetti · 2026-03-17T17:38:48Z

@yanesca @bjwtaylor since this PR missed the code freeze, please wait for the CI to be fully green before taking another look.

valeriosetti · 2026-03-18T16:35:42Z

I think that current CI complains in result-analysis reveal a lack of testing:

[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(MD5): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(MD5): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(RIPEMD160): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(RIPEMD160): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_224): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_224): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_256): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_256): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_384): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_384): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_512): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA3_512): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_1): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_1): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_224): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_224): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_256): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_256): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_384): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_384): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_512): !RSA_PKCS1V15_SIGN with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN(SHA_512): !RSA_PKCS1V15_SIGN with RSA_PUBLIC_KEY
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN_RAW: !RSA_PKCS1V15_SIGN_RAW with RSA_KEY_PAIR
[2026-03-17T19:24:46.168Z] Error: Test case not executed: test_suite_psa_crypto_op_fail.generated;PSA sign RSA_PKCS1V15_SIGN_RAW: !RSA_PKCS1V15_SIGN_RAW with RSA_PUBLIC_KEY

It seems we have no tests where RSA_PKCS1V15_SIGN is unset, but RSA_KEY_PAIR/RSA_PUBLIC_KEY are set. Am I wrong?

ECDHE-RSA only requires RSA signature, not encryption. This commits fixes guards in "mbedtls_check_config.h". Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

…SIGN Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

valeriosetti · 2026-03-20T13:47:44Z

                                           'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC',
                                           'PSA_WANT_ALG_RSA_OAEP',
                                           'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
+                                           'PSA_WANT_ALG_RSA_PKCS1V15_SIGN',


@mpg does this somehow reduces gaps for RSA testing you mentioned recently?

I don't think this line does, what I was after was builds with RSA_PUBLIC_KEY but not RSA_KEY_PAIR_BASIC. Though looking at the context, we seem to have that already - not sure why it didn't show when I searched the outcomes file, perhaps it's not being correctly filled by depends.py? That's something I'd like to double-check later. (Unless you beat me to it, of course - please feel free!)

valeriosetti · 2026-03-20T13:48:16Z

@bjwtaylor @yanesca now the CI is fine.

valeriosetti · 2026-04-22T13:22:13Z

@yanesca can you please take another look at this PR?

Question: since this is adding a new check in mbedtls_check_config.h does it need to be backported? On one hand I would say yes because this would be beneficial also for the LTS, but OTOH I'm always a bit cautious when changing a user facing header in an LTS...

yanesca

LGTM.

Regarding the backport, I agree that we shouldn't fiddle with a user facing headers, but this one looks safe: We are removing a requirement, whatever config built successfully will continue to build in the future, this change shouldn't break any existing user.

github-project-automation Bot added this to Roadmap pull requests (new board) Mar 13, 2026

github-project-automation Bot moved this to In Development in Roadmap pull requests (new board) Mar 13, 2026

valeriosetti requested a review from yanesca March 13, 2026 13:12

yanesca previously approved these changes Mar 13, 2026

View reviewed changes

bjwtaylor self-requested a review March 13, 2026 14:20

bjwtaylor reviewed Mar 13, 2026

View reviewed changes

valeriosetti removed the needs-ci Needs to pass CI tests label Mar 15, 2026

valeriosetti dismissed yanesca’s stale review via 9611a5f March 16, 2026 22:13

valeriosetti requested review from bjwtaylor and yanesca March 16, 2026 22:14

yanesca reviewed Mar 17, 2026

View reviewed changes

valeriosetti requested a review from yanesca March 17, 2026 10:05

yanesca previously approved these changes Mar 17, 2026

View reviewed changes

valeriosetti dismissed yanesca’s stale review via ad15abb March 17, 2026 13:38

valeriosetti requested a review from yanesca March 17, 2026 13:39

valeriosetti force-pushed the ecdhe-rsa-fix-check branch from ad15abb to cea8af6 Compare March 17, 2026 13:44

bjwtaylor previously approved these changes Mar 17, 2026

View reviewed changes

yanesca previously approved these changes Mar 17, 2026

View reviewed changes

github-project-automation Bot moved this from In Development to Has Approval in Roadmap pull requests (new board) Mar 17, 2026

valeriosetti enabled auto-merge March 17, 2026 15:02

valeriosetti added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review labels Mar 17, 2026

valeriosetti dismissed yanesca’s stale review via d685e02 March 17, 2026 17:38

valeriosetti dismissed bjwtaylor’s stale review via d685e02 March 17, 2026 17:38

valeriosetti added needs-ci Needs to pass CI tests and removed approved Design and code approved - may be waiting for CI or backports labels Mar 17, 2026

valeriosetti force-pushed the ecdhe-rsa-fix-check branch from d685e02 to 88ba826 Compare March 18, 2026 16:39

valeriosetti added 3 commits March 19, 2026 17:50

library: check_config: remove RSA encryption requirement from ECDHE-RSA

5237963

ECDHE-RSA only requires RSA signature, not encryption. This commits fixes guards in "mbedtls_check_config.h". Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

tests: depends.py: fix reverse dependency for RSA

63df2f7

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

tests: depends.py: extend pkalgs including PSA_WANT_ALG_RSA_PKCS1V15_…

a201a74

…SIGN Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>

valeriosetti force-pushed the ecdhe-rsa-fix-check branch from 0cba37d to a201a74 Compare March 19, 2026 16:51

valeriosetti requested review from bjwtaylor and yanesca March 20, 2026 13:47

valeriosetti removed the needs-ci Needs to pass CI tests label Mar 20, 2026

valeriosetti commented Mar 20, 2026

View reviewed changes

bjwtaylor approved these changes Mar 20, 2026

View reviewed changes

yanesca approved these changes Apr 22, 2026

View reviewed changes

valeriosetti added this pull request to the merge queue Apr 22, 2026

	'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN'],
	'PSA_WANT_ALG_RSA_PKCS1V15_SIGN': ['MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],

Conversation

valeriosetti commented Mar 13, 2026

Description

PR checklist

Uh oh!

yanesca left a comment

Choose a reason for hiding this comment

Uh oh!

bjwtaylor Mar 13, 2026

Choose a reason for hiding this comment

Uh oh!

valeriosetti Mar 16, 2026

Choose a reason for hiding this comment

Uh oh!

yanesca Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

valeriosetti Mar 17, 2026

Choose a reason for hiding this comment

Uh oh!

yanesca left a comment

Choose a reason for hiding this comment

Uh oh!

valeriosetti commented Mar 17, 2026

Uh oh!

yanesca left a comment

Choose a reason for hiding this comment

Uh oh!

valeriosetti commented Mar 17, 2026

Uh oh!

valeriosetti commented Mar 18, 2026

Uh oh!

valeriosetti Mar 20, 2026

Choose a reason for hiding this comment

Uh oh!

mpg Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

valeriosetti commented Mar 20, 2026

Uh oh!

valeriosetti commented Apr 22, 2026

Uh oh!

yanesca left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mpg Mar 24, 2026 •

edited

Loading