From b76c35d8094241f8de1f7d4d7603928a98cd20b0 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Wed, 5 Oct 2022 15:00:42 +0200
Subject: [PATCH] modules: mbedtls: Replace select statement with depends on for EC

Instead of using "select" on certain EC configurations, which is considered unsafe for various reasons, use a "depends on" and rely on the user to set a proper configuration in the config file. Update the respective project configurations to comply with the new configuration scheme.

Signed-off-by: Robert Lubos
---
 drivers/wifi/esp32/Kconfig.esp32 | 3 +++
 modules/mbedtls/Kconfig.tls-generic | 20 +++++++++-----------
 subsys/net/l2/openthread/Kconfig | 5 +++++
 tests/benchmarks/mbedtls/prj.conf | 4 ++++
 4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/drivers/wifi/esp32/Kconfig.esp32 b/drivers/wifi/esp32/Kconfig.esp32
index 38688b987fa..ab12a027bc5 100644
--- a/drivers/wifi/esp32/Kconfig.esp32
+++ b/drivers/wifi/esp32/Kconfig.esp32
@@ -12,6 +12,9 @@ menuconfig WIFI_ESP32
 select MBEDTLS_ENTROPY_ENABLED
 select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 select MBEDTLS_ECP_ALL_ENABLED
+ select MBEDTLS_ECDH_C
+ select MBEDTLS_ECDSA_C
+ select MBEDTLS_ECP_C
 help
 Enable ESP32 SoC WiFi support. Only supported in single core mode because the network stack is not aware of SMP
diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
index 6475bd22c75..bcbf94fb1e4 100644
--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -69,7 +69,7 @@ config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 bool "ECDHE-PSK based ciphersuite modes"
- select MBEDTLS_ECDH_C
+ depends on MBEDTLS_ECDH_C
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 bool "RSA-PSK based ciphersuite modes"
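Review bot: The three new `select` lines in WIFI_ESP32 are needed only because MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED, which this symbol also selects a few lines up, now merely `depends on` MBEDTLS_ECDH_C and MBEDTLS_ECDSA_C, and a `select` does not satisfy the selected symbol's own dependencies; nothing in the hunk records that, so a later cleanup could drop the new lines and leave the key-exchange symbol selected with its dependencies unmet. A comment above them, `# MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED only "depends on" the EC libraries, so select them here explicitly`, keeps the reason next to the code. Note that the driver still forces the key-exchange symbol with `select`, the mechanism the commit message calls unsafe, so it is worth confirming that keeping `select` for drivers was intended. The menuconfig WIFI_ESP32 block starts before the hunk.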
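Review bot: With `select MBEDTLS_ECDH_C` turned into `depends on MBEDTLS_ECDH_C` for MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED, an existing project that sets CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=y without CONFIG_MBEDTLS_ECDH_C=y silently loses that ciphersuite family: Kconfig treats the assignment as one with unmet direct dependencies, and whether that is a hard error or just a warning depends on the build system's Kconfig settings (verify). Depending on what else the project enables, the ciphersuites that remain may be the non-forward-secret ones, which is the kind of downgrade a developer should not discover from a warning line. The same applies to every symbol converted in the @@ -97,42 hunk of this file. A short `help` paragraph on each converted symbol stating the requirement, for this one `Requires MBEDTLS_ECDH_C to be enabled explicitly in the project configuration.`, would make the new contract visible in menuconfig and in the generated documentation.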
@@ -97,42 +97,40 @@ config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 bool "ECDHE-RSA based ciphersuite modes"
- select MBEDTLS_ECDH_C
+ depends on MBEDTLS_ECDH_C
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 bool "ECDHE-ECDSA based ciphersuite modes"
- select MBEDTLS_ECDH_C
- select MBEDTLS_ECDSA_C
+ depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 bool "ECDH-ECDSA based ciphersuite modes"
- select MBEDTLS_ECDH_C
- select MBEDTLS_ECDSA_C
+ depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
 config MBEDTLS_ECDSA_DETERMINISTIC
 bool "Deterministic ECDSA (RFC 6979)"
 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 bool "ECDH-RSA based ciphersuite modes"
- select MBEDTLS_ECDH_C
+ depends on MBEDTLS_ECDH_C
 config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 bool "ECJPAKE based ciphersuite modes"
- select MBEDTLS_ECJPAKE_C
+ depends on MBEDTLS_ECJPAKE_C
 comment "Elliptic curve libraries"
 config MBEDTLS_ECDH_C
 bool "Elliptic curve Diffie-Hellman library"
- select MBEDTLS_ECP_C
+ depends on MBEDTLS_ECP_C
 config MBEDTLS_ECDSA_C
 bool "Elliptic curve DSA library"
- select MBEDTLS_ECP_C
+ depends on MBEDTLS_ECP_C
 config MBEDTLS_ECJPAKE_C
 bool "Elliptic curve J-PAKE library"
- select MBEDTLS_ECP_C
+ depends on MBEDTLS_ECP_C
 config MBEDTLS_ECP_C
 bool "Elliptic curve over GF(p) library"
diff --git a/subsys/net/l2/openthread/Kconfig b/subsys/net/l2/openthread/Kconfig
index 5c9d6afebae..781787c1f4c 100644
--- a/subsys/net/l2/openthread/Kconfig
+++ b/subsys/net/l2/openthread/Kconfig
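Review bot: MBEDTLS_ECDSA_DETERMINISTIC, which sits between the converted symbols in this hunk, still has no `depends on MBEDTLS_ECDSA_C`, although deterministic (RFC 6979) nonce generation has nothing to act on without the ECDSA library; now that its neighbours express their library requirement with `depends on`, adding `depends on MBEDTLS_ECDSA_C` under it would make the file consistent and stop the option from being offered in a build that cannot use it. Separately, the esp32 hunk keeps `select MBEDTLS_ECP_ALL_ENABLED` and then has to add `select MBEDTLS_ECP_C`, which suggests the curve symbols (MBEDTLS_ECP_DP_* / MBEDTLS_ECP_ALL_ENABLED, outside this hunk) neither select nor depend on MBEDTLS_ECP_C; if that inference holds, a curve can be enabled with the library it lives in turned off, and those symbols are candidates for the same `depends on MBEDTLS_ECP_C` treatment in this cleanup.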
@@ -191,6 +191,7 @@ config OPENTHREAD_MBEDTLS
 select MBEDTLS_TLS_VERSION_1_2 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
 select MBEDTLS_DTLS if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
 select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
+ select MBEDTLS_ECJPAKE_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
 select MBEDTLS_ECP_DP_SECP256R1_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
 OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
 select MBEDTLS_ECP_NIST_OPTIM if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
@@ -199,8 +200,12 @@ config OPENTHREAD_MBEDTLS
 select MBEDTLS_HMAC_DRBG_ENABLED if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || \
 OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER
 select MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED if OPENTHREAD_ECDSA
+ select MBEDTLS_ECDH_C if OPENTHREAD_ECDSA
+ select MBEDTLS_ECDSA_C if OPENTHREAD_ECDSA
 select MBEDTLS_ECDSA_DETERMINISTIC if OPENTHREAD_ECDSA
 select MBEDTLS_PK_WRITE_C if OPENTHREAD_ECDSA
+ select MBEDTLS_ECP_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || OPENTHREAD_ECDSA
+
 config OPENTHREAD_MBEDTLS_LIB_NAME
 string "mbedtls lib name"
diff --git a/tests/benchmarks/mbedtls/prj.conf b/tests/benchmarks/mbedtls/prj.conf
index cfb2a4545c5..6339cd45b17 100644
--- a/tests/benchmarks/mbedtls/prj.conf
+++ b/tests/benchmarks/mbedtls/prj.conf
@@ -24,3 +24,7 @@ CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
 CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
 CONFIG_MBEDTLS_GENPRIME_ENABLED=y
 CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_ECJPAKE_C=y
+CONFIG_MBEDTLS_ECP_C=y
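Review bot: The new `select MBEDTLS_ECP_C` in the second hunk is conditioned on OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || OPENTHREAD_ECDSA, while the first hunk selects MBEDTLS_ECP_DP_SECP256R1_ENABLED (and MBEDTLS_HMAC_DRBG_ENABLED) also for OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER; unless the curve symbol pulls in MBEDTLS_ECP_C on its own, which is not visible from here, an SRP-only build now enables the P-256 curve without the ECP library it runs on. If SRP genuinely needs that curve, the condition should match: `select MBEDTLS_ECP_C if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER || OPENTHREAD_ECDSA || \` followed by `OPENTHREAD_SRP_CLIENT || OPENTHREAD_SRP_SERVER`; if it does not, a one-line comment saying why the curve is selected for SRP without the library would stop the question from recurring. The OPENTHREAD_MBEDTLS definition starts before both hunks.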