[nrf noup] mbedtls: Remove unsupported algorithms in PSA crypto

-This commit is a [nrf noup] because it removes configuration options
 for cryptographic algortihms available in Mbed TLS but which is not
 actively supported in nRF Connect SDK.
 The list of algorithms removed:
 - AES CFB - Cipher Feedback block cipher
 - AES OFB - Output Feedback block cipher
 - FFDH
 - RIPEMD160
 - Aria
 - Camellia
 - DES

 The removal of these algorithms is based both on a wish to remove
 weaker cryptography and unsupported features in the products we have
 today.

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>

Author: frkv

modules/mbedtls/Kconfig.psa.auto

@@ -30,10 +30,6 @@ config PSA_WANT_ALG_CMAC
 	bool "PSA_WANT_ALG_CMAC" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_ALG_CFB
-	bool "PSA_WANT_ALG_CFB" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_ALG_CHACHA20_POLY1305
 	bool "PSA_WANT_ALG_CHACHA20_POLY1305" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -54,10 +50,6 @@ config PSA_WANT_ALG_ECDH
 	bool "PSA_WANT_ALG_ECDH" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_ALG_FFDH
-	bool "PSA_WANT_ALG_FFDH" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_ALG_ECDSA
 	bool "PSA_WANT_ALG_ECDSA" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -94,9 +86,6 @@ config PSA_WANT_ALG_MD5
 	help
 	  The MD5 hash algorithm is weak, deprecated, and should not be used.
 
-config PSA_WANT_ALG_OFB
-	bool "PSA_WANT_ALG_OFB" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
 
 config PSA_WANT_ALG_PBKDF2_HMAC
 	bool "PSA_WANT_ALG_PBKDF2_HMAC" if !MBEDTLS_PROMPTLESS
@@ -108,9 +97,6 @@ config PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
 	default y if PSA_CRYPTO_ENABLE_ALL
 	depends on PSA_WANT_ALG_CMAC
 
-config PSA_WANT_ALG_RIPEMD160
-	bool "PSA_WANT_ALG_RIPEMD160" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
 
 config PSA_WANT_ALG_RSA_OAEP
 	bool "PSA_WANT_ALG_RSA_OAEP" if !MBEDTLS_PROMPTLESS
@@ -232,26 +218,6 @@ config PSA_WANT_ECC_SECP_R1_521
 	bool "PSA_WANT_ECC_SECP_R1_521" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_DH_RFC7919_2048
-	bool "PSA_WANT_DH_RFC7919_2048" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_DH_RFC7919_3072
-	bool "PSA_WANT_DH_RFC7919_3072" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_DH_RFC7919_4096
-	bool "PSA_WANT_DH_RFC7919_4096" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_DH_RFC7919_6144
-	bool "PSA_WANT_DH_RFC7919_6144" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_DH_RFC7919_8192
-	bool "PSA_WANT_DH_RFC7919_8192" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_DERIVE
 	bool "PSA_WANT_KEY_TYPE_DERIVE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -272,14 +238,6 @@ config PSA_WANT_KEY_TYPE_AES
 	bool "PSA_WANT_KEY_TYPE_AES" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_ARIA
-	bool "PSA_WANT_KEY_TYPE_ARIA" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_KEY_TYPE_CAMELLIA
-	bool "PSA_WANT_KEY_TYPE_CAMELLIA" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_CHACHA20
 	bool "PSA_WANT_KEY_TYPE_CHACHA20" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -290,10 +248,6 @@ config PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
 	bool "PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
-	bool "PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_RAW_DATA
 	bool "PSA_WANT_KEY_TYPE_RAW_DATA" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -330,16 +284,4 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 endif # PSA_CRYPTO

modules/mbedtls/Kconfig.psa.logic

@@ -47,10 +47,3 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
 	depends on PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT || \
 		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT || \
 		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
-
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
-	bool
-	default y
-	depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \
-		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \
-		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE

modules/mbedtls/Kconfig.tf-psa-crypto

@@ -27,7 +27,6 @@ comment "Supported ciphers and cipher modes"
 config MBEDTLS_CIPHER_ALL_ENABLED
 	bool "All available ciphers and modes"
 	select PSA_WANT_KEY_TYPE_AES
-	select PSA_WANT_KEY_TYPE_CAMELLIA
 	select PSA_WANT_KEY_TYPE_CHACHA20
 	select PSA_WANT_ALG_GCM
 	select PSA_WANT_ALG_CCM
@@ -40,8 +39,7 @@ config MBEDTLS_SOME_AEAD_CIPHER_ENABLED
 	bool
 	default y
 	depends on \
-		PSA_WANT_KEY_TYPE_AES || \
-		PSA_WANT_KEY_TYPE_CAMELLIA
+		PSA_WANT_KEY_TYPE_AES
 
 config MBEDTLS_SOME_CIPHER_ENABLED
 	bool

tests/benchmarks/mbedtls/prj.conf

@@ -10,8 +10,6 @@ CONFIG_PSA_WANT_ALG_SHA_384=y
 CONFIG_PSA_WANT_ALG_SHA_512=y
 
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
-CONFIG_PSA_WANT_KEY_TYPE_ARIA=y
-CONFIG_PSA_WANT_KEY_TYPE_CAMELLIA=y
 CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
 
 CONFIG_MAIN_STACK_SIZE=4096

tests/benchmarks/mbedtls/src/benchmark.c

@@ -112,30 +112,6 @@ int main(void)
 		printk("Failed to import AES key (%d)", status);
 	}
 
-	status = make_cipher_key(PSA_KEY_TYPE_ARIA, PSA_ALG_ECB_NO_PADDING, &key_id);
-	if (status == PSA_SUCCESS) {
-		COMPUTE_THROUGHPUT("ARIA-256-ECB",
-			psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING,
-					   in_buf, sizeof(in_buf),
-					   out_buf, sizeof(out_buf), &out_len)
-		);
-		psa_destroy_key(key_id);
-	} else {
-		printk("Failed to import ARIA key (%d)", status);
-	}
-
-	status = make_cipher_key(PSA_KEY_TYPE_CAMELLIA, PSA_ALG_ECB_NO_PADDING, &key_id);
-	if (status == PSA_SUCCESS) {
-		COMPUTE_THROUGHPUT("CAMELLIA-256-ECB",
-			psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING,
-					   in_buf, sizeof(in_buf),
-					   out_buf, sizeof(out_buf), &out_len)
-		);
-		psa_destroy_key(key_id);
-	} else {
-		printk("Failed to import Camellia key (%d)", status);
-	}
-
 	printk("Benchmark completed\n");
 	return 0;
 }