From 5c9eeb1ce81d8bb4dbe55d019aecb6b908d12d08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Duda?= Date: Thu, 15 Jan 2026 16:44:32 +0100 Subject: [PATCH] [crypto] mbedtls: refactor mbedtls-config.h for better readability (#12292) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Group mbedTLS configuration macros into logical sections and improve formatting. This commit helps prepare for PSA API backend introduction. Signed-off-by: Ɓukasz Duda --- third_party/mbedtls/mbedtls-config.h | 143 +++++++++++++++++---------- 1 file changed, 91 insertions(+), 52 deletions(-) diff --git a/third_party/mbedtls/mbedtls-config.h b/third_party/mbedtls/mbedtls-config.h index 65f195dcd..54bdfad72 100644 --- a/third_party/mbedtls/mbedtls-config.h +++ b/third_party/mbedtls/mbedtls-config.h @@ -40,7 +40,9 @@ #include #include -#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +// ============================================================================== +// Cryptographic configuration +// ============================================================================== #define MBEDTLS_AES_C #if (MBEDTLS_VERSION_NUMBER >= 0x03050000) 
@@ -66,19 +68,30 @@ #define MBEDTLS_ENTROPY_C #define MBEDTLS_HAVE_ASM #define MBEDTLS_HMAC_DRBG_C -#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED #define MBEDTLS_MD_C -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES -#define MBEDTLS_NO_PLATFORM_ENTROPY -#define MBEDTLS_OID_C -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PLATFORM_C -#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA256_SMALLER + +#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE || OPENTHREAD_CONFIG_ECDSA_ENABLE +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#endif + +#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE +#define MBEDTLS_GCM_C +#endif + +#if OPENTHREAD_CONFIG_ECDSA_ENABLE +#if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE +#define MBEDTLS_ECDSA_DETERMINISTIC +#endif +#endif + +// ============================================================================== +// SSL configuration +// ============================================================================== + #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_DTLS_ANTI_REPLAY #define MBEDTLS_SSL_DTLS_HELLO_VERIFY @@ -93,6 +106,12 @@ #define MBEDTLS_SSL_SRV_C #endif +#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +#endif + +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + #if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #endif 
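Review bot: The new `#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE || OPENTHREAD_CONFIG_ECDSA_ENABLE` guard on `MBEDTLS_ECDH_C`/`MBEDTLS_ECDSA_C` replaces the old `#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` gate that the last hunk removes, and the same substitution is applied there to `MBEDTLS_X509_USE_C`/`MBEDTLS_X509_CRT_PARSE_C`; that is a functional change unless the definition of `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` (which sits between this hunk and the next, outside the diff) is gated on exactly those two OpenThread options. Since the description promises a readability-only refactor, it is worth confirming the conditions are equivalent so that X.509 certificate parsing, the largest untrusted-input surface in the library, is not compiled into builds that did not have it before. A one-line comment would make the coupling auditable, e.g. `// ECDH/ECDSA back the ECDHE-ECDSA key exchange (CoAPS/TLS) and the stand-alone ECDSA API`. The nested `MBEDTLS_ECDSA_DETERMINISTIC` block can also collapse to `#if OPENTHREAD_CONFIG_ECDSA_ENABLE && OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE` now that the outer block contains nothing else.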
@@ -102,56 +121,76 @@ #endif #if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE -#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -#define MBEDTLS_GCM_C -#endif - -#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED -#define MBEDTLS_BASE64_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_X509_USE_C -#define MBEDTLS_X509_CRT_PARSE_C -#endif - -#if OPENTHREAD_CONFIG_ECDSA_ENABLE -#define MBEDTLS_BASE64_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C -#if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE -#define MBEDTLS_ECDSA_DETERMINISTIC -#endif -#define MBEDTLS_PEM_PARSE_C -#define MBEDTLS_PK_WRITE_C -#endif - -#define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum windows size used. */ -#define MBEDTLS_MPI_MAX_SIZE 32 /**< Maximum number of bytes for usable MPIs. */ -#define MBEDTLS_ECP_MAX_BITS 256 /**< Maximum bit size of groups */ -#define MBEDTLS_ECP_WINDOW_SIZE 2 /**< Maximum window size used */ -#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Enable fixed-point speed-up */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 1 /**< Maximum number of sources supported */ - -#if OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE -#define MBEDTLS_PLATFORM_STD_CALLOC otPlatCryptoCAlloc /**< Default allocator to use, can be undefined */ -#define MBEDTLS_PLATFORM_STD_FREE otPlatCryptoFree /**< Default free to use, can be undefined */ -#else -#define MBEDTLS_MEMORY_BUFFER_ALLOC_C -#endif - -#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE -#define MBEDTLS_SSL_MAX_CONTENT_LEN 2000 /**< Maxium fragment length in bytes */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN 2000 /**< Maximum fragment length in bytes */ #elif OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE -#define MBEDTLS_SSL_MAX_CONTENT_LEN 900 /**< Maxium fragment length in bytes */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN 900 /**< Maximum fragment length in bytes */ #else -#define MBEDTLS_SSL_MAX_CONTENT_LEN 768 /**< Maxium fragment length in bytes */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN 768 /**< Maximum fragment length in bytes */ #endif #define 
MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN #define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 +// ============================================================================== +// x509 & PK configuration +// ============================================================================== + +#define MBEDTLS_OID_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C + +#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE || OPENTHREAD_CONFIG_ECDSA_ENABLE +#define MBEDTLS_BASE64_C +#define MBEDTLS_PEM_PARSE_C +#endif + +#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#endif + +#if OPENTHREAD_CONFIG_ECDSA_ENABLE +#define MBEDTLS_PK_WRITE_C +#endif + +// ============================================================================== +// MPI configuration +// ============================================================================== + +#define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum windows size used. */ +#define MBEDTLS_MPI_MAX_SIZE 32 /**< Maximum number of bytes for usable MPIs. 
*/ + +// ============================================================================== +// ECP configuration +// ============================================================================== + +#if (MBEDTLS_VERSION_NUMBER < 0x03000000) +#define MBEDTLS_ECP_MAX_BITS 256 /**< Maximum bit size of groups */ +#endif +#define MBEDTLS_ECP_WINDOW_SIZE 2 /**< Maximum window size used */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Enable fixed-point speed-up */ + +// ============================================================================== +// Platform configuration +// ============================================================================== + +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf + +#if OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE +#define MBEDTLS_PLATFORM_STD_CALLOC otPlatCryptoCAlloc /**< Default allocator to use, can be undefined */ +#define MBEDTLS_PLATFORM_STD_FREE otPlatCryptoFree /**< Default free to use, can be undefined */ +#else +#define MBEDTLS_MEMORY_BUFFER_ALLOC_C +#endif + +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PLATFORM_MEMORY +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +#define MBEDTLS_ENTROPY_MAX_SOURCES 1 + // Spans multiple lines to avoid being processed by unifdef #if defined(\ MBEDTLS_USER_CONFIG_FILE)