modules: mbedtls: rename CONFIG_MBEDTLS_MAC_*_ENABLED and rm duplicates

Remove the `_MAC` part because those Kconfig options enable only hash
algorithms, nothing MAC-related, and the `_ENABLED` part to align the
naming to the Mbed TLS defines (plus we don't need such a part).

As a bonus, enabling SHA-256 does not automatically enable SHA-224
anymore.

See the migration guide entries for more details on the practical
changes.

Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>

doc/releases/migration-guide-3.7.rst

@@ -81,6 +81,14 @@ MbedTLS
 
 * The hash algorithms SHA-384, SHA-512, MD5 and SHA-1 are not enabled by default anymore.
   Their respective Kconfig options now need to be explicitly enabled to be able to use them.
+* The Kconfig options previously named `CONFIG_MBEDTLS_MAC_*_ENABLED` have been renamed.
+  The `_MAC` and `_ENABLED` parts have been removed from their names.
+* The :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` Kconfig option has been fixed to actually
+  enable all the available hash algorithms. Previously, it used to only enable the SHA-2 ones.
+* The `CONFIG_MBEDTLS_HASH_SHA*_ENABLED` Kconfig options have been removed. They were duplicates
+  of other Kconfig options which are now named `CONFIG_MBEDTLS_SHA*`.
+* The `CONFIG_MBEDTLS_MAC_ALL_ENABLED` Kconfig option has been removed. Its equivalent is the
+  combination of :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` and :kconfig:option:`CONFIG_MBEDTLS_CMAC`.
 
 MCUboot
 =======

drivers/crypto/Kconfig

@@ -52,7 +52,7 @@ config CRYPTO_MBEDTLS_SHIM
 	bool "MbedTLS shim driver [EXPERIMENTAL]"
 	select MBEDTLS
 	select MBEDTLS_ENABLE_HEAP
-	select MBEDTLS_MAC_SHA512_ENABLED
+	select MBEDTLS_SHA512
 	select EXPERIMENTAL
 	help
 	  Enable mbedTLS shim layer compliant with crypto APIs. You will need

drivers/wifi/esp32/Kconfig.esp32

@@ -269,7 +269,7 @@ config ESP32_WIFI_MBEDTLS_CRYPTO
 	select MBEDTLS_PKCS5_C
 	select MBEDTLS_PK_WRITE_C
 	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
-	select MBEDTLS_MAC_CMAC_ENABLED
+	select MBEDTLS_CMAC
 	select MBEDTLS_ZEPHYR_ENTROPY
 	help
 	  Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.

modules/hostap/Kconfig

@@ -114,7 +114,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO
 	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
 	select MBEDTLS_ECP_C
 	select MBEDTLS_ECP_ALL_ENABLED
-	select MBEDTLS_MAC_CMAC_ENABLED
+	select MBEDTLS_CMAC
 	select MBEDTLS_PKCS5_C
 	select MBEDTLS_PK_WRITE_C
 	select MBEDTLS_ECDH_C

modules/mbedtls/Kconfig.tls-generic

@@ -12,15 +12,15 @@ menu "Supported TLS version"
 config MBEDTLS_TLS_VERSION_1_0
 	bool "Support for TLS 1.0"
 	select MBEDTLS_CIPHER
-	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MD5
-	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_SHA1
 	select MBEDTLS_MD
 
 config MBEDTLS_TLS_VERSION_1_1
 	bool "Support for TLS 1.1 (DTLS 1.0)"
 	select MBEDTLS_CIPHER
-	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MD5
-	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_SHA1
 	select MBEDTLS_MD
 
 config MBEDTLS_TLS_VERSION_1_2
@@ -206,25 +206,7 @@ config MBEDTLS_ECP_NIST_OPTIM
 
 endif
 
-comment "Supported hash"
+comment "Supported ciphers and cipher modes"
-
-config MBEDTLS_HASH_ALL_ENABLED
-	bool "All available hashes"
-	select MBEDTLS_HASH_SHA256_ENABLED
-	select MBEDTLS_HASH_SHA384_ENABLED
-	select MBEDTLS_HASH_SHA512_ENABLED
-
-config MBEDTLS_HASH_SHA256_ENABLED
-	bool "SHA224 and SHA256 hashes"
-
-config MBEDTLS_HASH_SHA384_ENABLED
-	bool "SHA384 hash"
-	select MBEDTLS_HASH_SHA512_ENABLED
-
-config MBEDTLS_HASH_SHA512_ENABLED
-	bool "SHA512 hash"
-
-comment "Supported cipher modes"
 
 config MBEDTLS_CIPHER_ALL_ENABLED
 	bool "All available ciphers"
@@ -297,55 +279,57 @@ config MBEDTLS_CIPHER_MODE_CTR_ENABLED
 
 config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 	bool "ChaCha20-Poly1305 AEAD algorithm"
-	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
+	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305
 
-comment "Supported message authentication methods"
+config MBEDTLS_CMAC
+	bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
 
-config MBEDTLS_MAC_ALL_ENABLED
+comment "Supported hash algorithms"
+
+config MBEDTLS_HASH_ALL_ENABLED
 	bool "All available MAC methods"
-	select MBEDTLS_MAC_MD4_ENABLED
+	select MBEDTLS_MD4
-	select MBEDTLS_MAC_MD5_ENABLED
+	select MBEDTLS_MD5
-	select MBEDTLS_MAC_SHA1_ENABLED
+	select MBEDTLS_SHA1
-	select MBEDTLS_MAC_SHA256_ENABLED
+	select MBEDTLS_SHA224
-	select MBEDTLS_MAC_SHA384_ENABLED
+	select MBEDTLS_SHA256
-	select MBEDTLS_MAC_SHA512_ENABLED
+	select MBEDTLS_SHA384
-	select MBEDTLS_MAC_POLY1305_ENABLED
+	select MBEDTLS_SHA512
-	select MBEDTLS_MAC_CMAC_ENABLED
+	select MBEDTLS_POLY1305
 
-config MBEDTLS_MAC_MD4_ENABLED
+config MBEDTLS_MD4
 	bool "MD4 hash algorithm"
 
-config MBEDTLS_MAC_MD5_ENABLED
+config MBEDTLS_MD5
 	bool "MD5 hash algorithm"
 
-config MBEDTLS_MAC_SHA1_ENABLED
+config MBEDTLS_SHA1
-	bool "SHA1 hash algorithm"
+	bool "SHA-1 hash algorithm"
 
-config MBEDTLS_MAC_SHA256_ENABLED
+config MBEDTLS_SHA224
-	bool "SHA-224 and SHA-256 hash algorithms"
+	bool "SHA-224 hash algorithm"
+
+config MBEDTLS_SHA256
+	bool "SHA-256 hash algorithm"
 	default y
 
 config MBEDTLS_SHA256_SMALLER
 	bool "Smaller SHA-256 implementation"
-	depends on MBEDTLS_MAC_SHA256_ENABLED
+	depends on MBEDTLS_SHA256
 	default y
 	help
-	  Enable an implementation of SHA-256 that has lower ROM footprint but also
+	  Enable an implementation of SHA-256 that has a
-	  lower performance
+	  smaller ROM footprint but also lower performance.
 
-config MBEDTLS_MAC_SHA384_ENABLED
+config MBEDTLS_SHA384
 	bool "SHA-384 hash algorithm"
-	select MBEDTLS_MAC_SHA512_ENABLED
 
-config MBEDTLS_MAC_SHA512_ENABLED
+config MBEDTLS_SHA512
 	bool "SHA-512 hash algorithm"
 
-config MBEDTLS_MAC_POLY1305_ENABLED
+config MBEDTLS_POLY1305
-	bool "Poly1305 MAC algorithm"
+	bool "Poly1305 hash family"
-
-config MBEDTLS_MAC_CMAC_ENABLED
-	bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
-	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
 
 endmenu
 
@@ -387,7 +371,7 @@ config MBEDTLS_HAVE_ASM
 
 config MBEDTLS_ENTROPY_ENABLED
 	bool "MbedTLS generic entropy pool"
-	depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
+	depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512
 	default y if MBEDTLS_ZEPHYR_ENTROPY
 
 config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
@@ -502,7 +486,7 @@ config MBEDTLS_PSA_CRYPTO_CLIENT
 config MBEDTLS_LMS
 	bool "Support LMS signature schemes"
 	depends on MBEDTLS_PSA_CRYPTO_CLIENT
-	depends on MBEDTLS_HASH_SHA256_ENABLED
+	depends on MBEDTLS_SHA256
 	select PSA_WANT_ALG_SHA_256
 
 config MBEDTLS_SSL_DTLS_CONNECTION_ID

modules/mbedtls/configs/config-tls-generic.h

@@ -271,23 +271,25 @@
 #define MBEDTLS_ECP_NIST_OPTIM
 #endif
 
-/* Supported message authentication methods */
+/* Supported hash algorithms */
 
-#if defined(CONFIG_MBEDTLS_MAC_MD4_ENABLED)
+#if defined(CONFIG_MBEDTLS_MD4)
 #define MBEDTLS_MD4_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_MD5_ENABLED)
+#if defined(CONFIG_MBEDTLS_MD5)
 #define MBEDTLS_MD5_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_SHA1_ENABLED)
+#if defined(CONFIG_MBEDTLS_SHA1)
 #define MBEDTLS_SHA1_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_SHA256_ENABLED) || \
+#if defined(CONFIG_MBEDTLS_SHA224)
-	defined(CONFIG_MBEDTLS_HASH_SHA256_ENABLED)
 #define MBEDTLS_SHA224_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_SHA256)
 #define MBEDTLS_SHA256_C
 #endif
 
@@ -295,21 +297,19 @@
 #define MBEDTLS_SHA256_SMALLER
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_SHA384_ENABLED) || \
+#if defined(CONFIG_MBEDTLS_SHA384)
-	defined(CONFIG_MBEDTLS_HASH_SHA384_ENABLED)
 #define MBEDTLS_SHA384_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_SHA512_ENABLED) || \
+#if defined(CONFIG_MBEDTLS_SHA512)
-	defined(CONFIG_MBEDTLS_HASH_SHA512_ENABLED)
 #define MBEDTLS_SHA512_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_POLY1305_ENABLED)
+#if defined(CONFIG_MBEDTLS_POLY1305)
 #define MBEDTLS_POLY1305_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_MAC_CMAC_ENABLED)
+#if defined(CONFIG_MBEDTLS_CMAC)
 #define MBEDTLS_CMAC_C
 #endif
 

samples/net/sockets/http_get/overlay-tls.conf

@@ -6,6 +6,7 @@ CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=60000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168
-CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
+CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
+CONFIG_MBEDTLS_CMAC=y
 
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt

@@ -15,7 +15,7 @@ zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 src/fs_mgm
 zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_HASH_SHA256 src/fs_mgmt_hash_checksum_sha256.c)
 
 if(CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH AND CONFIG_MCUMGR_GRP_FS_HASH_SHA256)
-  if(CONFIG_MBEDTLS_MAC_SHA256_ENABLED)
+  if(CONFIG_MBEDTLS_SHA256)
     zephyr_library_link_libraries(mbedTLS)
   endif()
 endif()

subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig

@@ -125,7 +125,7 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32
 
 config MCUMGR_GRP_FS_HASH_SHA256
 	bool "SHA256 hash support"
-	depends on BUILD_WITH_TFM || MBEDTLS_MAC_SHA256_ENABLED
+	depends on BUILD_WITH_TFM || MBEDTLS_SHA256
 	select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM
 	help
 	  Enable SHA256 hash support for MCUmgr.

subsys/net/l2/openthread/Kconfig

@@ -181,9 +181,9 @@ config OPENTHREAD_MBEDTLS
 	select MBEDTLS_ENABLE_HEAP
 	select MBEDTLS_CIPHER_AES_ENABLED
 	select MBEDTLS_CIPHER_CCM_ENABLED
-	select MBEDTLS_MAC_SHA256_ENABLED
+	select MBEDTLS_SHA256
 	select MBEDTLS_ENTROPY_ENABLED
-	select MBEDTLS_MAC_CMAC_ENABLED
+	select MBEDTLS_CMAC
 	select MBEDTLS_CIPHER
 	select MBEDTLS_MD
 	select MBEDTLS_TLS_VERSION_1_2 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER

subsys/net/lib/websocket/Kconfig

@@ -9,7 +9,7 @@ config WEBSOCKET_CLIENT
 	select HTTP_CLIENT
 	select MBEDTLS
 	select BASE64
-	select MBEDTLS_MAC_SHA1_ENABLED if MBEDTLS_BUILTIN
+	select MBEDTLS_SHA1 if MBEDTLS_BUILTIN
 	select EXPERIMENTAL
 	help
 	  Enable Websocket client library.

subsys/storage/flash_map/Kconfig

@@ -58,7 +58,7 @@ config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS
 	bool "Use MBEDTLS"
 	select MBEDTLS
 	select MBEDTLS_MD
-	select MBEDTLS_MAC_SHA256_ENABLED
+	select MBEDTLS_SHA256
 	select MBEDTLS_ENABLE_HEAP
 	help
 	  Use MBEDTLS library to perform the integrity check.

tests/benchmarks/mbedtls/prj.conf

@@ -21,7 +21,8 @@ CONFIG_MBEDTLS_TLS_VERSION_1_2=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
 CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
-CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
+CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
+CONFIG_MBEDTLS_CMAC=y
 CONFIG_MBEDTLS_GENPRIME_ENABLED=y
 CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y

tests/net/socket/tls/prj.conf

@@ -47,4 +47,5 @@ CONFIG_ZTEST_STACK_SIZE=3072
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=18000
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
-CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
+CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
+CONFIG_MBEDTLS_CMAC=y

tests/subsys/mgmt/mcumgr/all_options/prj.conf

@@ -5,7 +5,7 @@
 #
 CONFIG_ZTEST=y
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
+CONFIG_MBEDTLS_SHA256=y
 CONFIG_FILE_SYSTEM=y
 CONFIG_BASE64=y
 CONFIG_NET_BUF=y

tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf

@@ -6,4 +6,4 @@
 CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
+CONFIG_MBEDTLS_SHA256=y

tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf

@@ -6,4 +6,4 @@
 CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=n
 CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y
 CONFIG_MBEDTLS=y
-CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
+CONFIG_MBEDTLS_SHA256=y