From d03219527800d933a84131ad4f4f527a4d0e992b Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 29 Oct 2020 21:37:36 -0700 Subject: [PATCH 01/11] Phase 2 support for MBEDTLS_PSA_CRYPTO_CONFIG This phase adds in support for the following features being added to the list of features that can be configured in the include/psa/crypto_config.h header file using the PSA_WANT_ALG_xxx macros: ECDH, HMAC, HKDF, and RSA. These changes include changes to the PSA crypto library to use the appropriate new guards that will allow the feature to be compiled in or out either using new PSA_WANT_ALG_xxx or the previous MBEDTLS_xxx macros. For HKDF and HMAC, most of the PSA library code did not have a specific matching MBEDTLS_xxx macro for that feature, but was instead using the generic dependent MBEDTLS_MD_C macro. The ECDH and RSA features more closely aligned with a direct replacement with a similar macro. The new tests for RSA, HMAC, and HKDF would normally unset additional dependent macros, but when attempting to implement that level of testing it required removal of too many core features like MD_C, PK_C, ECP_C and other low level features. This may point to additional phases of work to complete the transition of these features to the new model. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 55 +++++++++++++- include/psa/crypto_config.h | 4 + library/psa_crypto.c | 138 +++++++++++++++++++---------------- tests/scripts/all.sh | 57 +++++++++++++++ 4 files changed, 187 insertions(+), 67 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 6af4d1999..8f90630da 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
@@ -54,9 +54,42 @@ extern "C" { #define MBEDTLS_ECDSA_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C -#endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */ #endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */ +#if defined(PSA_WANT_ALG_ECDH) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) +#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */ +#endif /* defined(PSA_WANT_ALG_ECDH) */ + +#if defined(PSA_WANT_ALG_HMAC) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 +#define MBEDTLS_MD_C +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */ +#endif /* defined(PSA_WANT_ALG_HMAC) */ + +#if defined(PSA_WANT_ALG_HKDF) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) +#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 +#define MBEDTLS_HKDF_C +#define MBEDTLS_MD_C +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */ +#endif /* defined(PSA_WANT_ALG_HKDF) */ + +#if defined(PSA_WANT_ALG_RSA) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */ +#endif /* defined(PSA_WANT_ALG_RSA) */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* 
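Review bot: `#define MBEDTLS_PSA_BUILTIN_ALG_RSA` in the new `PSA_WANT_ALG_RSA` block is defined empty, while the ECDH, HMAC and HKDF blocks added by this same hunk define their macro as `1`, as does the legacy branch in the next hunk. Every use visible in this patch goes through `defined()`, so it builds today, but a later `#if MBEDTLS_PSA_BUILTIN_ALG_RSA` would fail for RSA only. Make it `#define MBEDTLS_PSA_BUILTIN_ALG_RSA 1` so that all the builtin macros have the same form.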
@@ -64,15 +97,31 @@ extern "C" { * is not defined */ #if defined(MBEDTLS_ECDSA_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 // Only add in DETERMINISTIC support if ECDSA is also enabled #if defined(MBEDTLS_ECDSA_DETERMINISTIC) -#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA +#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_ECDSA_C */ +#if defined(MBEDTLS_ECDH_C) +#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 +#endif /* MBEDTLS_ECDH_C */ + +#if defined(MBEDTLS_MD_C) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 +#endif /* MBEDTLS_MD_C */ + +#if defined(MBEDTLS_HKDF_C) +#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 +#endif /* MBEDTLS_HKDF_C */ + +#ifdef MBEDTLS_RSA_C +#define MBEDTLS_PSA_BUILTIN_ALG_RSA 1 +#endif /* MBEDTLS_RSA_C */ + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 8dbb18d50..854981314 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -52,5 +52,9 @@ #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +#define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_HKDF 1 +#define PSA_WANT_ALG_RSA 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index ab4e47ab0..f349ff5c1 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -491,7 +491,7 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, return( PSA_SUCCESS ); } -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) #if defined(MBEDTLS_PK_PARSE_C) /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes @@ -709,7 +709,7 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ #if defined(MBEDTLS_ECP_C) /** Load the contents of a key buffer into an internal ECP representation 
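Review bot: In the legacy (`#else`) branch, `MBEDTLS_PSA_BUILTIN_ALG_HKDF` is derived from `MBEDTLS_HKDF_C`, but the key-derivation code that the psa_crypto.c hunks move under that macro was previously guarded by `MBEDTLS_MD_C` alone. A configuration that enables MD_C without HKDF_C and does not set MBEDTLS_PSA_CRYPTO_CONFIG therefore appears to lose PSA key derivation it had before this commit, since `psa_key_derivation_setup_kdf` then falls through to `PSA_ERROR_NOT_SUPPORTED`. If the legacy path is meant to stay backward compatible, key the mapping on the old guard, `#if defined(MBEDTLS_MD_C)` around `#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1`. Otherwise the behaviour change should be stated in the commit message.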
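Review bot: The RSA section re-guarded at `@@ -491,7` still nests `#if defined(MBEDTLS_PK_PARSE_C)`, and later hunks keep `MBEDTLS_PKCS1_V21` (psa_rsa_oaep_set_padding_mode) and `MBEDTLS_GENPRIME` (psa_read_rsa_exponent, RSA key generation) as extra conditions. The `PSA_WANT_ALG_RSA` block in config_psa.h only turns on MBEDTLS_RSA_C, MBEDTLS_BIGNUM_C and MBEDTLS_OID_C. With MBEDTLS_PSA_CRYPTO_CONFIG, requesting RSA therefore does not by itself enable key parsing, OAEP or key generation, and the code under those guards is compiled out unless the legacy options are set by hand. I would document that next to the RSA block in config_psa.h, for example `/* RSA key parsing, OAEP and key generation additionally need MBEDTLS_PK_PARSE_C, MBEDTLS_PKCS1_V21 and MBEDTLS_GENPRIME. */`. The guarded section itself extends beyond this hunk.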
@@ -1075,12 +1075,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, return( psa_import_ecp_key( slot, data, data_length ) ); } #endif /* defined(MBEDTLS_ECP_C) */ -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { return( psa_import_rsa_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ /* Fell through the fallback as well, so have nothing else to try. */ return( PSA_ERROR_NOT_SUPPORTED ); @@ -1426,7 +1426,7 @@ psa_status_t psa_get_key_domain_parameters( return( PSA_SUCCESS ); } -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) static psa_status_t psa_get_rsa_public_exponent( const mbedtls_rsa_context *rsa, psa_key_attributes_t *attributes ) @@ -1466,7 +1466,7 @@ exit: mbedtls_free( buffer ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ /** Retrieve all the publicly-accessible attributes of a key. */ @@ -1493,7 +1493,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, switch( slot->attr.type ) { -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -1520,7 +1520,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, mbedtls_free( rsa ); } break; -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ default: /* Nothing else to do. */ break; @@ -1620,7 +1620,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, * so conversion is needed */ if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) mbedtls_rsa_context *rsa = NULL; psa_status_t status = psa_load_rsa_representation( slot->attr.type, 
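Review bot: In `psa_import_key_into_slot` the RSA import fallback is now gated on `MBEDTLS_PSA_BUILTIN_ALG_RSA`, an algorithm macro, although importing a key is a key-type operation. The same applies to the `psa_get_key_attributes` and `psa_internal_export_key` hunks on this line. Building with `MBEDTLS_PSA_ACCEL_ALG_RSA` removes software import and export of RSA keys along with the sign and encrypt code, so an RSA key that no driver imports reaches `return( PSA_ERROR_NOT_SUPPORTED )`. The follow-up patch in this series gives ECC separate key-type macros, and RSA would benefit from the same split. At minimum, add a comment above the guard saying it covers RSA key handling as well as the algorithms.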
@@ -1643,7 +1643,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private RSA key to public. */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ } else { @@ -2059,7 +2059,7 @@ static psa_status_t psa_validate_optional_attributes( if( attributes->domain_parameters_size != 0 ) { -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -2096,7 +2096,7 @@ static psa_status_t psa_validate_optional_attributes( return( mbedtls_to_psa_error( ret ) ); } else -#endif +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ { return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -2289,7 +2289,7 @@ exit: /* Message digests */ /****************************************************************/ -#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) { switch( alg ) @@ -2332,7 +2332,7 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) return( NULL ); } } -#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ psa_status_t psa_hash_abort( psa_hash_operation_t *operation ) { @@ -2849,7 +2849,7 @@ static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( (int) key_bits, mode ) ); } -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) static size_t psa_get_hash_block_size( psa_algorithm_t alg ) { switch( alg ) 
@@ -2876,7 +2876,7 @@ static size_t psa_get_hash_block_size( psa_algorithm_t alg ) return( 0 ); } } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ /* Initialize the MAC operation structure. Once this function has been * called, psa_mac_abort can run and will do the right thing. */ @@ -2901,7 +2901,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, } else #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { /* We'll set up the hash operation later in psa_hmac_setup_internal. */ @@ -2909,7 +2909,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, status = PSA_SUCCESS; } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { if( ! PSA_ALG_IS_MAC( alg ) ) status = PSA_ERROR_INVALID_ARGUMENT; @@ -2920,13 +2920,13 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, return( status ); } -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac ) { mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) ); return( psa_hash_abort( &hmac->hash_ctx ) ); } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ psa_status_t psa_mac_abort( psa_mac_operation_t *operation ) { @@ -2945,13 +2945,13 @@ psa_status_t psa_mac_abort( psa_mac_operation_t *operation ) } else #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { psa_hmac_abort_internal( &operation->ctx.hmac ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* Sanity check (shouldn't happen: operation->alg should * always have been initialized to a valid value). */ 
@@ -2997,7 +2997,7 @@ static int psa_cmac_setup( psa_mac_operation_t *operation, } #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac, const uint8_t *key, size_t key_length, @@ -3059,7 +3059,7 @@ cleanup: return( status ); } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, psa_key_handle_t handle, @@ -3109,7 +3109,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, } else #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( full_length_alg ) ) { psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg ); @@ -3140,7 +3140,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, hash_alg ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { (void) key_bits; status = PSA_ERROR_NOT_SUPPORTED; @@ -3212,14 +3212,14 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation, } else #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input, input_length ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ @@ -3231,7 +3231,7 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation, return( status ); } -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac, uint8_t *mac, size_t mac_size ) 
@@ -3269,7 +3269,7 @@ exit: mbedtls_platform_zeroize( tmp, hash_size ); return( status ); } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation, uint8_t *mac, @@ -3295,14 +3295,14 @@ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation, } else #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) if( PSA_ALG_IS_HMAC( operation->alg ) ) { return( psa_hmac_finish_internal( &operation->ctx.hmac, mac, operation->mac_size ) ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ { /* This shouldn't happen if `operation` was initialized by * a setup function. */ @@ -3398,7 +3398,7 @@ cleanup: /* Asymmetric cryptography */ /****************************************************************/ -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) /* Decode the hash algorithm from alg and store the mbedtls encoding in * md_alg. Verify that the hash length is acceptable. */ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, @@ -3561,7 +3561,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, return( PSA_ERROR_INVALID_SIGNATURE ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_RSA_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) /* `ecp` cannot be const because `ecp->grp` needs to be non-const @@ -3705,7 +3705,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, goto exit; /* If the operation was not supported by any accelerator, try fallback. */ -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; 
@@ -3727,7 +3727,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( rsa ); } else -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { @@ -3807,7 +3807,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, psa_key_lifetime_is_external( slot->attr.lifetime ) ) return status; -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -3828,7 +3828,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { @@ -3862,7 +3862,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } } -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21) static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, mbedtls_rsa_context *rsa ) { @@ -3871,7 +3871,7 @@ static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); } -#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21) */ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3904,7 +3904,7 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; 
@@ -3963,7 +3963,7 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -3999,7 +3999,7 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_RSA_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; @@ -4058,7 +4058,7 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_RSA_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -4949,7 +4949,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation * nothing to do. */ } else -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) if( PSA_ALG_IS_HKDF( kdf_alg ) ) { mbedtls_free( operation->ctx.hkdf.info ); @@ -4979,7 +4979,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation * mbedtls_platform_zeroize() in the end of this function. */ } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ { status = PSA_ERROR_BAD_STATE; } @@ -5011,7 +5011,7 @@ psa_status_t psa_key_derivation_set_capacity( psa_key_derivation_operation_t *op return( PSA_SUCCESS ); } -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) /* Read some bytes from an HKDF-based operation. This performs a chunk * of the expand phase of the HKDF algorithm. */ static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf, @@ -5227,7 +5227,7 @@ static psa_status_t psa_key_derivation_tls12_prf_read( return( PSA_SUCCESS ); } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, 
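Review bot: The guard opened at `@@ -5011,7` and closed at `@@ -5227,7` is now `MBEDTLS_PSA_BUILTIN_ALG_HKDF`, but the region it encloses ends with `psa_key_derivation_tls12_prf_read`, which is not HKDF. The same coupling appears in `psa_key_derivation_setup_kdf`, where `PSA_ALG_IS_TLS12_PRF` and `PSA_ALG_IS_TLS12_PSK_TO_MS` sit under the HKDF guard, and at `@@ -5645,7`, which closes the guard after `psa_tls12_prf_psk_to_ms_input`. Building with `-DMBEDTLS_PSA_ACCEL_ALG_HKDF`, as the new all.sh component does, therefore also removes the software TLS 1.2 PRF and PSK-to-MS derivations, and nothing in config_psa.h says so. Keep the TLS 1.2 PRF functions and branches under `#if defined(MBEDTLS_MD_C)` until they have their own builtin macro, and close the HKDF guard before `psa_key_derivation_tls12_prf_read`.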
@@ -5235,7 +5235,9 @@ psa_status_t psa_key_derivation_output_bytes( size_t output_length ) { psa_status_t status; +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation ); +#endif if( operation->alg == 0 ) { @@ -5263,7 +5265,7 @@ psa_status_t psa_key_derivation_output_bytes( } operation->capacity -= output_length; -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) if( PSA_ALG_IS_HKDF( kdf_alg ) ) { psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg ); @@ -5279,7 +5281,7 @@ psa_status_t psa_key_derivation_output_bytes( output_length ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ { return( PSA_ERROR_BAD_STATE ); } @@ -5393,12 +5395,15 @@ static psa_status_t psa_key_derivation_setup_kdf( psa_key_derivation_operation_t *operation, psa_algorithm_t kdf_alg ) { +#if !defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) + (void)kdf_alg; +#endif /* Make sure that operation->ctx is properly zero-initialised. (Macro * initialisers for this union leave some bytes unspecified.) */ memset( &operation->ctx, 0, sizeof( operation->ctx ) ); /* Make sure that kdf_alg is a supported key derivation algorithm. */ -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) if( PSA_ALG_IS_HKDF( kdf_alg ) || PSA_ALG_IS_TLS12_PRF( kdf_alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) @@ -5416,8 +5421,8 @@ static psa_status_t psa_key_derivation_setup_kdf( operation->capacity = 255 * hash_size; return( PSA_SUCCESS ); } -#endif /* MBEDTLS_MD_C */ else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ return( PSA_ERROR_NOT_SUPPORTED ); } @@ -5448,7 +5453,7 @@ psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation return( status ); } -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf, psa_algorithm_t hash_alg, psa_key_derivation_step_t step, 
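Review bot: Style: the `#endif` added after the `kdf_alg` declaration in `psa_key_derivation_output_bytes` has no trailing comment, while every other guard this patch touches gets one. It should read `#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */`. The unused-parameter casts added in `psa_key_derivation_setup_kdf` (`(void)kdf_alg;`) and in `psa_key_derivation_input_internal` (`(void)data;`, `(void)data_length;`) also omit the space that the rest of the file uses, as in `(void) key_bits;`. Write them as `(void) kdf_alg;` and so on for consistency.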
@@ -5645,7 +5650,7 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input( return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) ); } -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ /** Check whether the given key type is acceptable for the given * input step of a key derivation. @@ -5689,13 +5694,18 @@ static psa_status_t psa_key_derivation_input_internal( size_t data_length ) { psa_status_t status; +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation ); +#else + (void)data; + (void)data_length; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ status = psa_key_derivation_check_input_type( step, key_type ); if( status != PSA_SUCCESS ) goto exit; -#if defined(MBEDTLS_MD_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) if( PSA_ALG_IS_HKDF( kdf_alg ) ) { status = psa_hkdf_input( &operation->ctx.hkdf, @@ -5715,7 +5725,7 @@ static psa_status_t psa_key_derivation_input_internal( step, data, data_length ); } else -#endif /* MBEDTLS_MD_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ { /* This can't happen unless the operation object was not initialized */ return( PSA_ERROR_BAD_STATE ); @@ -5772,7 +5782,7 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_ECDH_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, size_t peer_key_length, const mbedtls_ecp_keypair *our_key, @@ -5823,7 +5833,7 @@ exit: return( status ); } -#endif /* MBEDTLS_ECDH_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES 
@@ -5837,7 +5847,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, { switch( alg ) { -#if defined(MBEDTLS_ECDH_C) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5856,7 +5866,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, mbedtls_ecp_keypair_free( ecp ); mbedtls_free( ecp ); return( status ); -#endif /* MBEDTLS_ECDH_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: (void) private_key; (void) peer_key; @@ -6020,7 +6030,7 @@ psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed, } #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME) static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) @@ -6046,7 +6056,7 @@ static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, *exponent = acc; return( PSA_SUCCESS ); } -#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ static psa_status_t psa_generate_key_internal( psa_key_slot_t *slot, size_t bits, @@ -6084,7 +6094,7 @@ static psa_status_t psa_generate_key_internal( } else -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME) if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context rsa; @@ -6132,7 +6142,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ #if defined(MBEDTLS_ECP_C) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 757a9ecc9..a99dd4fe5 100755 --- a/tests/scripts/all.sh 
+++ b/tests/scripts/all.sh 
@@ -1335,6 +1335,63 @@ component_build_psa_want_ecdsa_disabled_software() { make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } +# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. +component_build_psa_want_ecdh_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH + # without MBEDTLS_ECDH_C + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. 
+component_build_psa_want_hmac_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. +component_build_psa_want_hkdf_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF + # without MBEDTLS_HKDF_C + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_HKDF_C + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 
+component_build_psa_want_rsa_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + component_test_check_params_functionality () { msg "build+test: MBEDTLS_CHECK_PARAMS functionality" scripts/config.py full # includes CHECK_PARAMS From f4c4cb008c845492ae672c98d920da09a02ac19e Mon Sep 17 00:00:00 2001 From: John Durkop Date: Wed, 28 Oct 2020 20:09:55 -0700 Subject: [PATCH 02/11] Added additional support for ECP for PSA_CRYPTO_CONFIG The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR and PUBLIC_KEY as needed. Tests have also been added to validate the new settings. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 35 ++++++++++++++++++++++++++--------- include/psa/crypto_config.h | 2 ++ library/psa_crypto.c | 36 ++++++++++++++++++------------------ tests/scripts/all.sh | 24 ++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 8f90630da..c5d284cc9 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
@@ -63,23 +63,35 @@ extern "C" { #define MBEDTLS_ECDH_C #define MBEDTLS_ECP_C #define MBEDTLS_BIGNUM_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */ -#endif /* defined(PSA_WANT_ALG_ECDH) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */ +#endif /* PSA_WANT_ALG_ECDH */ + +#if defined(PSA_WANT_ECC_KEY_PAIR) +#if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR) +#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */ +#endif /* PSA_WANT_ECC_KEY_PAIR */ + +#if defined(PSA_WANT_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY) +#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */ +#endif /* PSA_WANT_ECC_PUBLIC_KEY */ #if defined(PSA_WANT_ALG_HMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_MD_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */ -#endif /* defined(PSA_WANT_ALG_HMAC) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ +#endif /* PSA_WANT_ALG_HMAC */ #if defined(PSA_WANT_ALG_HKDF) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #define MBEDTLS_HKDF_C #define MBEDTLS_MD_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */ -#endif /* defined(PSA_WANT_ALG_HKDF) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ +#endif /* PSA_WANT_ALG_HKDF */ #if defined(PSA_WANT_ALG_RSA) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) @@ -87,8 +99,8 @@ extern "C" { #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */ -#endif /* defined(PSA_WANT_ALG_RSA) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA */ +#endif /* PSA_WANT_ALG_RSA */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ 
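Review bot: The new `PSA_WANT_ECC_KEY_PAIR` and `PSA_WANT_ECC_PUBLIC_KEY` blocks define only the `MBEDTLS_PSA_BUILTIN_ECC_*` macro and do not enable the legacy modules the guarded code needs. The ECDH block just above pulls in `MBEDTLS_ECP_C` and `MBEDTLS_BIGNUM_C`. The psa_crypto.c code placed under the new macros uses `mbedtls_ecp_group_id` and `mbedtls_ecp_keypair`, so a PSA_CRYPTO_CONFIG build that wants ECC keys but gets no ECP_C from another block would presumably fail to compile or link. Add `#define MBEDTLS_ECP_C` and `#define MBEDTLS_BIGNUM_C` inside both `!defined(MBEDTLS_PSA_ACCEL_ECC_...)` branches, mirroring the ECDH block.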
@@ -110,6 +122,11 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_ECP_C) +#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#endif /* MBEDTLS_ECP_C */ + #if defined(MBEDTLS_MD_C) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #endif /* MBEDTLS_MD_C */ @@ -118,7 +135,7 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* MBEDTLS_HKDF_C */ -#ifdef MBEDTLS_RSA_C +#if defined(MBEDTLS_RSA_C) #define MBEDTLS_PSA_BUILTIN_ALG_RSA 1 #endif /* MBEDTLS_RSA_C */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 854981314..c7605aa2c 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -53,6 +53,8 @@ #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ECC_KEY_PAIR 1 +#define PSA_WANT_ECC_PUBLIC_KEY 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_HKDF 1 #define PSA_WANT_ALG_RSA 1 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f349ff5c1..c45d0ee60 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -370,7 +370,7 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t byte_length ) { @@ -438,7 +438,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, return( MBEDTLS_ECP_DP_NONE ); } } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) 
@@ -711,7 +711,7 @@ exit: } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) /** Load the contents of a key buffer into an internal ECP representation * * \param[in] type The type of key contained in \p data. @@ -930,7 +930,7 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ /** Return the size of the key in the given slot, in bits. * @@ -1069,12 +1069,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, /* Key format is not supported by any accelerator, try software fallback * if present. */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { return( psa_import_ecp_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { @@ -1647,7 +1647,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, } else { -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) mbedtls_ecp_keypair *ecp = NULL; psa_status_t status = psa_load_ecp_representation( slot->attr.type, @@ -1671,7 +1671,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private ECC key to public */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ } } else 
@@ -3728,7 +3728,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) @@ -3762,7 +3762,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ { status = PSA_ERROR_NOT_SUPPORTED; } @@ -3829,7 +3829,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -3856,7 +3856,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -5782,7 +5782,7 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, size_t peer_key_length, const mbedtls_ecp_keypair *our_key, @@ -5833,7 +5833,7 @@ exit: return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES 
@@ -5847,7 +5847,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, { switch( alg ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) case PSA_ALG_ECDH: if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5866,7 +5866,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, mbedtls_ecp_keypair_free( ecp ); mbedtls_free( ecp ); return( status ); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ default: (void) private_key; (void) peer_key; @@ -6144,7 +6144,7 @@ static psa_status_t psa_generate_key_internal( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type ); @@ -6189,7 +6189,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* MBEDTLS_ECP_C */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) */ { return( PSA_ERROR_NOT_SUPPORTED ); } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a99dd4fe5..7ad4c497e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1354,6 +1354,30 @@ component_build_psa_want_ecdh_disabled_software() { make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } +# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. +component_build_psa_want_ecc_key_pair_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. +component_build_psa_want_ecc_public_key_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. component_build_psa_want_hmac_disabled_software() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC 
From 0e00519711c4e8ee8242e407c59801b71deb129d Mon Sep 17 00:00:00 2001 From: John Durkop Date: Sat, 31 Oct 2020 22:06:54 -0700 Subject: [PATCH 03/11] Add feature support for RSA for PSA crypto config In the original attempt to add RSA support to PSA crypto config was too generic. This set of changes adds support for the following RSA features: PSA_WANT_ALG_RSA_PKCS1V15_CRYPT, PSA_WANT_ALG_RSA_PKCS1V15_SIGN, PSA_WANT_ALG_RSA_OAEP, PSA_WANT_ALG_RSA_PSS, PSA_WANT_KEY_TYPE_RSA_KEY_PAIR, and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY. There were also some updates to ensure the proper inclusion of PSA crypto library code when certain features are enabled. These updates were made to address warnings and errors in builds from the new tests for these features being added for PSA crypto configuration. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 74 +++++++++++++--- include/mbedtls/ssl.h | 2 +- include/mbedtls/ssl_internal.h | 4 +- include/psa/crypto_config.h | 11 ++- library/psa_crypto.c | 137 +++++++++++++++++------------ tests/src/drivers/key_management.c | 7 +- 6 files changed, 162 insertions(+), 73 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index c5d284cc9..545ab3cff 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
@@ -66,17 +66,18 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */ #endif /* PSA_WANT_ALG_ECDH */ -#if defined(PSA_WANT_ECC_KEY_PAIR) +#if defined(PSA_WANT_ECC_PUBLIC_KEY) || defined(PSA_WANT_ECC_KEY_PAIR) #if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR) #define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C #endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */ -#endif /* PSA_WANT_ECC_KEY_PAIR */ - -#if defined(PSA_WANT_ECC_PUBLIC_KEY) #if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY) #define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C #endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */ -#endif /* PSA_WANT_ECC_PUBLIC_KEY */ +#endif /* PSA_WANT_ECC_PUBLIC_KEY || PSA_WANT_ECC_KEY_PAIR */ #if defined(PSA_WANT_ALG_HMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) 
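Review bot: Requesting only `PSA_WANT_ECC_PUBLIC_KEY` now also defines `MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR`, because the outer condition was merged into `PSA_WANT_ECC_PUBLIC_KEY || PSA_WANT_ECC_KEY_PAIR` and the inner test looks only at the accelerator macro. That pulls the private-key paths guarded by that macro in library/psa_crypto.c (ECC key generation, ECDH) into a build that asked for public-key operations only, which works against a per-feature configuration and enlarges the code that handles secret material. Keep the key-pair block conditional on its own request, e.g. `#if defined(PSA_WANT_ECC_KEY_PAIR) && !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR)`, and let only the public-key block be enabled by either request. The RSA hunk that follows (`@@ -93,14 +94,56 @@`) has the same pattern: wanting only `PSA_WANT_ALG_RSA_PKCS1V15_SIGN` also builds `MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT`, wanting only PSS also builds OAEP, and wanting only the RSA public-key type also builds the key-pair type together with `MBEDTLS_GENPRIME`.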
@@ -93,14 +94,56 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ -#if defined(PSA_WANT_ALG_RSA) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) -#define MBEDTLS_PSA_BUILTIN_ALG_RSA +#if defined(PSA_WANT_ALG_RSA_OAEP) || defined(PSA_WANT_ALG_RSA_PSS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1 #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA */ -#endif /* PSA_WANT_ALG_RSA */ +#define MBEDTLS_PKCS1_V21_C +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */ +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_PKCS1_V21_C +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */ +#endif /* PSA_WANT_ALG_RSA_OAEP || PSA_WANT_ALG_RSA_PSS */ + +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_PKCS1_V15 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */ +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_PKCS1_V15 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */ +#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT || PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ + +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_GENPRIME +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR */ +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) +#define 
MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_GENPRIME +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR || PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ @@ -136,7 +179,16 @@ extern "C" { #endif /* MBEDTLS_HKDF_C */ #if defined(MBEDTLS_RSA_C) -#define MBEDTLS_PSA_BUILTIN_ALG_RSA 1 +#if defined(MBEDTLS_PKCS1_V15) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1 +#endif /* MBEDTLSS_PKCS1_V15 */ +#if defined(MBEDTLS_PKCS1_V21) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1 +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 +#endif /* MBEDTLS_PKCS1_V21 */ +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 #endif /* MBEDTLS_RSA_C */ #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 1b4e163f6..c35f65e90 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -42,7 +42,7 @@ #include "mbedtls/dhm.h" #endif -#if defined(MBEDTLS_ECDH_C) +#if defined(MBEDTLS_ECDH_C) || defined(PSA_WANT_ALG_ECDH) #include "mbedtls/ecdh.h" #endif diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 1dc9648b0..406d22463 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -437,7 +437,7 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_DHM_C) mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ #endif -#if defined(MBEDTLS_ECDH_C) +#if defined(MBEDTLS_ECDH_C) || defined(PSA_WANT_ALG_ECDH) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #if defined(MBEDTLS_USE_PSA_CRYPTO) 
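Review bot: `#define MBEDTLS_PKCS1_V21_C`, added in both the OAEP and the PSS block of this hunk, does not match the option name used everywhere else in this patch, which is `MBEDTLS_PKCS1_V21` (the legacy branch of this same header tests `defined(MBEDTLS_PKCS1_V21)`, and the v1.5 blocks here use `MBEDTLS_PKCS1_V15` without a `_C` suffix). With `MBEDTLS_PSA_CRYPTO_CONFIG` set, the builtin OAEP/PSS macros would then be defined without the RSA module's v2.1 padding being enabled, so the build presumably fails or the two algorithms are missing at run time. Both lines should read `#define MBEDTLS_PKCS1_V21`.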
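Review bot: The closing comment `#endif /* MBEDTLSS_PKCS1_V15 */` in the legacy `MBEDTLS_RSA_C` block misspells the macro it closes. It should read `#endif /* MBEDTLS_PKCS1_V15 */`, so that a search for the option name finds both ends of the conditional.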
@@ -447,7 +447,7 @@ struct mbedtls_ssl_handshake_params unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; size_t ecdh_psa_peerkey_len; #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_ECDH_C */ +#endif /* MBEDTLS_ECDH_C || PSA_WANT_ALG_ECDH */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index c7605aa2c..da92bdb89 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -53,10 +53,15 @@ #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #define PSA_WANT_ALG_ECDH 1 -#define PSA_WANT_ECC_KEY_PAIR 1 -#define PSA_WANT_ECC_PUBLIC_KEY 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_HKDF 1 -#define PSA_WANT_ALG_RSA 1 +//#define PSA_WANT_ECC_KEY_PAIR 1 +//#define PSA_WANT_ECC_PUBLIC_KEY 1 +//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 +//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 +//#define PSA_WANT_ALG_RSA_OAEP 1 +//#define PSA_WANT_ALG_RSA_PSS 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 +//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c45d0ee60..e527ab72a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -491,7 +491,10 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, return( PSA_SUCCESS ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) #if defined(MBEDTLS_PK_PARSE_C) /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes 
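Review bot: The default include/psa/crypto_config.h still requests `PSA_WANT_ALG_ECDSA`, `PSA_WANT_ALG_DETERMINISTIC_ECDSA` and `PSA_WANT_ALG_ECDH`, but the ECC key-type requests enabled by the previous patch are now commented out along with every new RSA request. Since library/psa_crypto.c compiles its ECDSA and ECDH paths only when `MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR` or `MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY` is defined, a build that uses this header as shipped with `MBEDTLS_PSA_CRYPTO_CONFIG` appears to end up with those algorithms requested but unusable, and with no RSA at all, without any compile-time diagnostic. If that is intended for the test scripts, say so in the header, e.g. `/* Key types and RSA algorithms are off by default; enable the matching PSA_WANT_ECC_xxx / PSA_WANT_KEY_TYPE_RSA_xxx whenever an algorithm that needs them is requested. */`; otherwise leave the defines enabled.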
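Review bot: The RSA helper region opened at `@@ -491,7 +491,10 @@` is compiled only when one of the four `MBEDTLS_PSA_BUILTIN_ALG_RSA_*` macros is set, while the code that uses RSA keys in later hunks (`psa_import_key_into_slot`, `psa_get_key_attributes`, `psa_internal_export_key`, `psa_verify_hash`, `psa_asymmetric_encrypt`) is guarded by `MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR || MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY`. The region's body is outside the hunk, but if it holds the RSA load/import helpers as the context suggests, a configuration that requests an RSA key type and no RSA algorithm would reference functions that were compiled out. The same applies to `psa_rsa_sign` and `psa_rsa_verify`, which sit inside the algorithm guard opened at `@@ -3398,7 +3411,10 @@`. Use one condition on both sides, for instance guarding the key representation helpers with `#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)`, and have the callers of `psa_rsa_sign`/`psa_rsa_verify` also test for a builtin signature algorithm.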
@@ -709,7 +712,7 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ #if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) /** Load the contents of a key buffer into an internal ECP representation @@ -1075,12 +1078,13 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, return( psa_import_ecp_key( slot, data, data_length ) ); } #endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { return( psa_import_rsa_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /* Fell through the fallback as well, so have nothing else to try. */ return( PSA_ERROR_NOT_SUPPORTED ); @@ -1426,7 +1430,8 @@ psa_status_t psa_get_key_domain_parameters( return( PSA_SUCCESS ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) static psa_status_t psa_get_rsa_public_exponent( const mbedtls_rsa_context *rsa, psa_key_attributes_t *attributes ) @@ -1466,7 +1471,7 @@ exit: mbedtls_free( buffer ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /** Retrieve all the publicly-accessible attributes of a key. */ 
@@ -1493,7 +1498,8 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, switch( slot->attr.type ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -1520,7 +1526,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, mbedtls_free( rsa ); } break; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ default: /* Nothing else to do. */ break; @@ -1620,7 +1626,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, * so conversion is needed */ if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) mbedtls_rsa_context *rsa = NULL; psa_status_t status = psa_load_rsa_representation( slot->attr.type, @@ -1643,7 +1650,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private RSA key to public. */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ } else { @@ -2059,7 +2066,8 @@ static psa_status_t psa_validate_optional_attributes( if( attributes->domain_parameters_size != 0 ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; 
@@ -2096,7 +2104,7 @@ static psa_status_t psa_validate_optional_attributes( return( mbedtls_to_psa_error( ret ) ); } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ { return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -2289,7 +2297,12 @@ exit: /* Message digests */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + (defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ + (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY))) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) { switch( alg ) @@ -2332,7 +2345,7 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) return( NULL ); } } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || (defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY))) */ psa_status_t psa_hash_abort( psa_hash_operation_t *operation ) { 
@@ -3398,7 +3411,10 @@ cleanup: /* Asymmetric cryptography */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) /* Decode the hash algorithm from alg and store the mbedtls encoding in * md_alg. Verify that the hash length is acceptable. */ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, @@ -3417,7 +3433,7 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, return( PSA_ERROR_INVALID_ARGUMENT ); #endif -#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) /* For PKCS#1 v1.5 signature, if using a hash, the hash length * must be correct. */ if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) && @@ -3428,20 +3444,21 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, if( mbedtls_md_get_size( md_info ) != hash_length ) return( PSA_ERROR_INVALID_ARGUMENT ); } -#endif /* MBEDTLS_PKCS1_V15 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ -#if defined(MBEDTLS_PKCS1_V21) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) /* PSS requires a hash internally. */ if( PSA_ALG_IS_RSA_PSS( alg ) ) { if( md_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); } -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ return( PSA_SUCCESS ); } +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, psa_algorithm_t alg, const uint8_t *hash, 
@@ -3453,6 +3470,10 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, psa_status_t status; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; +#if !defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) + (void)hash; + (void)signature; +#endif /* !MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ status = psa_rsa_decode_md_type( alg, hash_length, &md_alg ); if( status != PSA_SUCCESS ) @@ -3461,7 +3482,7 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, if( signature_size < mbedtls_rsa_get_len( rsa ) ) return( PSA_ERROR_BUFFER_TOO_SMALL ); -#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, @@ -3476,8 +3497,8 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, signature ); } else -#endif /* MBEDTLS_PKCS1_V15 */ -#if defined(MBEDTLS_PKCS1_V21) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); @@ -3491,7 +3512,7 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, signature ); } else -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ { return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -3500,6 +3521,7 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, *signature_length = mbedtls_rsa_get_len( rsa ); return( mbedtls_to_psa_error( ret ) ); } +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR */ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, psa_algorithm_t alg, 
@@ -3511,6 +3533,10 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, psa_status_t status; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; +#if !defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) + (void)hash; + (void)signature; +#endif /* !MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ status = psa_rsa_decode_md_type( alg, hash_length, &md_alg ); if( status != PSA_SUCCESS ) @@ -3519,7 +3545,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, if( signature_length != mbedtls_rsa_get_len( rsa ) ) return( PSA_ERROR_INVALID_SIGNATURE ); -#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) if( PSA_ALG_IS_RSA_PKCS1V15_SIGN( alg ) ) { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, @@ -3534,8 +3560,8 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, signature ); } else -#endif /* MBEDTLS_PKCS1_V15 */ -#if defined(MBEDTLS_PKCS1_V21) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( PSA_ALG_IS_RSA_PSS( alg ) ) { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); @@ -3549,7 +3575,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, signature ); } else -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS */ { return( PSA_ERROR_INVALID_ARGUMENT ); } 
@@ -3561,9 +3587,10 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, return( PSA_ERROR_INVALID_SIGNATURE ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ + (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ @@ -3662,7 +3689,7 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ +#endif /* (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)) */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3705,7 +3732,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, goto exit; /* If the operation was not supported by any accelerator, try fallback. */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; 
@@ -3727,11 +3754,11 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( rsa ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ #if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) if( #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) PSA_ALG_IS_ECDSA( alg ) @@ -3756,7 +3783,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( ecp ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ { status = PSA_ERROR_INVALID_ARGUMENT; } @@ -3807,7 +3834,8 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, psa_key_lifetime_is_external( slot->attr.lifetime ) ) return status; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -3828,7 +3856,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { @@ -3862,7 +3890,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, mbedtls_rsa_context *rsa ) { 
@@ -3871,7 +3899,7 @@ static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg, mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info ); mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3904,7 +3932,8 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -3920,7 +3949,7 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, status = PSA_ERROR_BUFFER_TOO_SMALL; goto rsa_exit; } -#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT ) { status = mbedtls_to_psa_error( @@ -3933,8 +3962,8 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, output ) ); } else -#endif /* MBEDTLS_PKCS1_V15 */ -#if defined(MBEDTLS_PKCS1_V21) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { psa_rsa_oaep_set_padding_mode( alg, rsa ); @@ -3949,7 +3978,7 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, output ) ); } else -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ { status = PSA_ERROR_INVALID_ARGUMENT; goto rsa_exit; 
@@ -3963,7 +3992,7 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -3999,7 +4028,7 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; @@ -4016,7 +4045,7 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, goto rsa_exit; } -#if defined(MBEDTLS_PKCS1_V15) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) if( alg == PSA_ALG_RSA_PKCS1V15_CRYPT ) { status = mbedtls_to_psa_error( @@ -4030,8 +4059,8 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, output_size ) ); } else -#endif /* MBEDTLS_PKCS1_V15 */ -#if defined(MBEDTLS_PKCS1_V21) +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_ALG_IS_RSA_OAEP( alg ) ) { psa_rsa_oaep_set_padding_mode( alg, rsa ); @@ -4047,7 +4076,7 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, output_size ) ); } else -#endif /* MBEDTLS_PKCS1_V21 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP */ { status = PSA_ERROR_INVALID_ARGUMENT; } @@ -4058,7 +4087,7 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ { return( PSA_ERROR_NOT_SUPPORTED ); } 
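Review bot: The `#endif` comment changed at `@@ -3963,7 +3992,7 @@` lists the four `MBEDTLS_PSA_BUILTIN_ALG_RSA_*` macros, but the conditional it closes in `psa_asymmetric_encrypt` was rewritten in the preceding hunk to test the key-type macros. The comment should mirror the opening line: `#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */`. The matching comment in `psa_asymmetric_decrypt` further down is already correct. The function body starts outside this hunk.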
@@ -6030,7 +6059,7 @@ psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed, } #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) @@ -6056,7 +6085,7 @@ static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, *exponent = acc; return( PSA_SUCCESS ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) */ static psa_status_t psa_generate_key_internal( psa_key_slot_t *slot, size_t bits, @@ -6094,7 +6123,7 @@ static psa_status_t psa_generate_key_internal( } else -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context rsa; @@ -6142,7 +6171,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) */ #if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) diff --git a/tests/src/drivers/key_management.c b/tests/src/drivers/key_management.c index 9bef4b678..34eb614f9 100644 --- a/tests/src/drivers/key_management.c +++ b/tests/src/drivers/key_management.c 
@@ -43,6 +43,9 @@ psa_status_t test_transparent_generate_key( const psa_key_attributes_t *attributes, uint8_t *key, size_t key_size, size_t *key_length ) { +#if !defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) && !defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) + (void)attributes; +#endif /* !MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR && !MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY */ ++test_driver_key_management_hooks.hits; if( test_driver_key_management_hooks.forced_status != PSA_SUCCESS ) @@ -59,7 +62,7 @@ psa_status_t test_transparent_generate_key( } /* Copied from psa_crypto.c */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) { @@ -115,7 +118,7 @@ psa_status_t test_transparent_generate_key( return( status ); } else -#endif /* MBEDTLS_ECP_C */ +#endif /* MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY */ return( PSA_ERROR_NOT_SUPPORTED ); } From bd069d32e8ef61b7ca500a6da2bc464194ade0c6 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Sat, 31 Oct 2020 22:14:03 -0700 Subject: [PATCH 04/11] Enhanced testing for PSA crypto config features Updated some of the test names to better reflect what they are testing. Expanded the testing around RSA feature for PSA crypto config. Updated the test script to support backing up and restoring the include/psa/crypto_config.h file so that features can be individually setup for each unique feature test. Signed-off-by: John Durkop --- tests/scripts/all.sh | 98 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 91 insertions(+), 7 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7ad4c497e..95e0e4c1b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
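Review bot: The guard around the key-generation code in test_transparent_generate_key is `MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY`, while the code it says it was copied from (psa_generate_key_internal, visible as context in the psa_crypto.c hunk) uses `MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR` alone. As written, a build that asks only for built-in public-key support still compiles the private-key generation path into the test driver. Suggest `#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)` here, with the `(void)attributes;` guard narrowed to `#if !defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR)`. The body between the two hunks is not visible, so confirm nothing in it needs the public-key macro.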
@@ -127,6 +127,8 @@ pre_check_environment () { pre_initialize_variables () { CONFIG_H='include/mbedtls/config.h' CONFIG_BAK="$CONFIG_H.bak" + CRYPTO_CONFIG_H='include/psa/crypto_config.h' + CRYPTO_CONFIG_BAK="$CRYPTO_CONFIG_H.bak" append_outcome=0 MEMORY=0 @@ -285,6 +287,10 @@ cleanup() if [ -f "$CONFIG_BAK" ]; then mv "$CONFIG_BAK" "$CONFIG_H" fi + + if [ -f "$CRYPTO_CONFIG_BAK" ]; then + mv "$CRYPTO_CONFIG_BAK" "$CRYPTO_CONFIG_H" + fi } # Executed on exit. May be redefined depending on command line options. 
@@ -1355,31 +1361,34 @@ component_build_psa_want_ecdh_disabled_software() { } # This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. -component_build_psa_want_ecc_key_pair_disabled_software() { +component_build_psa_want_ecc_key_pair() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_KEY_PAIR 1 + #scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_PUBLIC_KEY # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } # This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. -component_build_psa_want_ecc_public_key_disabled_software() { +component_build_psa_want_ecc_public_key() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_PUBLIC_KEY 1 # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. 
-component_build_psa_want_hmac_disabled_software() { +component_build_psa_want_hmac() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" scripts/config.py full 
@@ -1400,20 +1409,94 @@ component_build_psa_want_hkdf_disabled_software() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_HKDF_C + # Make sure to unset TLS1_3_EXPERIMENTAL since it requires HKDF_C and will not build properly without it. + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_disabled_software() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA" +component_build_psa_want_rsa_pkcs1v15_crypt() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in 
place and ready to test. +component_build_psa_want_rsa_pkcs1v15_sign() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_SIGN and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_want_rsa_oaep() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_OAEP and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_OAEP 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 
+component_build_psa_want_rsa_pss() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PSS and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. +component_build_psa_want_rsa_key_pair() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_ALG_RSA_PSS + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. 
+component_build_psa_want_rsa_public_key() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY and PSA_WANT_ALG_RSA_PSS + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } component_test_check_params_functionality () { @@ -2246,6 +2329,7 @@ run_component () { # Back up the configuration in case the component modifies it. # The cleanup function will restore it. cp -p "$CONFIG_H" "$CONFIG_BAK" + cp -p "$CRYPTO_CONFIG_H" "$CRYPTO_CONFIG_BAK" current_component="$1" export MBEDTLS_TEST_CONFIGURATION="$current_component" From d8b83eaf0710e041569ef47bcc7edc6cdb42c32d Mon Sep 17 00:00:00 2001 From: John Durkop Date: Sat, 31 Oct 2020 23:32:07 -0700 Subject: [PATCH 05/11] Update symmetric only reference config to include config_psa.h Since the symmetric only reference config is utilizing PSA crypto library builds, the config file needs to included the new config_psa.h so that all the PSA feature macros are setup properly for the test. Signed-off-by: John Durkop --- configs/config-symmetric-only.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index 054cb9e15..f05a0d7cb 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h 
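Review bot: The new RSA components (and the ECC ones earlier in this patch) pass the literal path `include/psa/crypto_config.h` to `scripts/config.py -f`, although this same patch introduces `CRYPTO_CONFIG_H` for the backup and restore logic. If the path ever changes, the components would edit one file while run_component and cleanup back up and restore another, leaving a modified config behind for the next component. Suggest `scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1` and likewise for the other calls.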
@@ -92,6 +92,8 @@ #define MBEDTLS_VERSION_C #define MBEDTLS_XTEA_C +#include "mbedtls/config_psa.h" + #include "check_config.h" #endif /* MBEDTLS_CONFIG_H */ From 7fc75eac213f292b1b6755f98c365251f40bd45d Mon Sep 17 00:00:00 2001 From: John Durkop Date: Tue, 3 Nov 2020 19:05:36 -0800 Subject: [PATCH 06/11] Enable all features in crypto_config.h In order to pass existing tests like test_psa_crypto_config_basic and test_psa_crypto_config_no_driver, all the new features need to be enabled in the default crypto_config.h file. This change enables those features by default and updates the other new tests to compensate for everything being enabled by disabling some features for some of the tests as needed. Signed-off-by: John Durkop --- include/psa/crypto_config.h | 16 ++++++++-------- tests/scripts/all.sh | 19 ++++++++++++++----- 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index da92bdb89..f23189edc 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -55,13 +55,13 @@ #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_HKDF 1 -//#define PSA_WANT_ECC_KEY_PAIR 1 -//#define PSA_WANT_ECC_PUBLIC_KEY 1 -//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 -//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 -//#define PSA_WANT_ALG_RSA_OAEP 1 -//#define PSA_WANT_ALG_RSA_PSS 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 -//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 +#define PSA_WANT_ECC_KEY_PAIR 1 +#define PSA_WANT_ECC_PUBLIC_KEY 1 +#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 +#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 +#define PSA_WANT_ALG_RSA_OAEP 1 +#define PSA_WANT_ALG_RSA_PSS 1 +#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 +#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 95e0e4c1b..b68cfe3d4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1369,7 +1369,7 @@ component_build_psa_want_ecc_key_pair() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_KEY_PAIR 1 - #scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_PUBLIC_KEY + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_PUBLIC_KEY # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -1383,6 +1383,7 @@ component_build_psa_want_ecc_public_key() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_KEY_PAIR # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } 
@@ -1424,7 +1425,9 @@ component_build_psa_want_rsa_pkcs1v15_crypt() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -1438,7 +1441,9 @@ component_build_psa_want_rsa_pkcs1v15_sign() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } 
@@ -1452,7 +1457,9 @@ component_build_psa_want_rsa_oaep() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_OAEP 1 - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PSS # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } @@ -1466,7 +1473,9 @@ component_build_psa_want_rsa_pss() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RSA_OAEP # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } From 9814fa2b08bfa8d1fff6158885cfe39347a99d12 Mon Sep 17 00:00:00 2001 
From: John Durkop Date: Wed, 4 Nov 2020 12:28:15 -0800 Subject: [PATCH 07/11] Minor updates from review comments Updated macros in config_psa.h that used ECC_xxx to use KEY_TYPE_ECC_xxx per comments from review. Implemented a check_config_psa.h to help with dependency checking of features enabled in config_psa.h. Added check_config_psa.h to visual studio project. Signed-off-by: John Durkop --- include/mbedtls/check_config_psa.h | 39 +++++++++ include/mbedtls/config_psa.h | 50 +++++++----- include/psa/crypto_config.h | 4 +- library/psa_crypto.c | 124 ++++++++++++++++++++--------- tests/scripts/all.sh | 20 ++--- tests/src/drivers/key_management.c | 14 ++-- visualc/VS2010/mbedTLS.vcxproj | 1 + 7 files changed, 178 insertions(+), 74 deletions(-) create mode 100644 include/mbedtls/check_config_psa.h diff --git a/include/mbedtls/check_config_psa.h b/include/mbedtls/check_config_psa.h new file mode 100644 index 000000000..3fb5850c6 --- /dev/null +++ b/include/mbedtls/check_config_psa.h 
@@ -0,0 +1,39 @@ +/** + * \file check_config_psa.h + * + * \brief Consistency checks for PSA configuration options + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * It is recommended to include this file from your config_psa.h + * in order to catch dependency issues early. + */ + +#ifndef MBEDTLS_CHECK_CONFIG_PSA_H +#define MBEDTLS_CHECK_CONFIG_PSA_H + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites" +#endif + +#endif /* MBEDTLS_CHECK_CONFIG_PSA_H */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 545ab3cff..48046e07b 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
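Review bot: The new consistency check covers only `MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA`, and its `#error` text does not say which prerequisite is missing. The RSA paths in psa_crypto.c are now guarded first by key type and then by algorithm, so a configuration that enables a built-in RSA algorithm without any RSA key type would build cleanly and only fail at run time with `PSA_ERROR_NOT_SUPPORTED`. An analogous check for RSA would catch that at compile time, and the ECDSA message could name the ECC key-type macros it expects. Please confirm that the legacy (non-`MBEDTLS_PSA_CRYPTO_CONFIG`) branch of config_psa.h always defines the key-type macros alongside the algorithm macros before adding it.

```c
/* … unchanged: MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA check … */

#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
      defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
      defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
      defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ) && \
    !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
       defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \
       defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \
       defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) )
#error "Built-in RSA algorithm enabled, but no RSA key type (built-in or accelerated) is available"
#endif
```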
@@ -66,18 +66,21 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */ #endif /* PSA_WANT_ALG_ECDH */ -#if defined(PSA_WANT_ECC_PUBLIC_KEY) || defined(PSA_WANT_ECC_KEY_PAIR) -#if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR) -#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 #define MBEDTLS_ECP_C #define MBEDTLS_BIGNUM_C -#endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */ -#if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY) -#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ + +#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 #define MBEDTLS_ECP_C #define MBEDTLS_BIGNUM_C -#endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */ -#endif /* PSA_WANT_ECC_PUBLIC_KEY || PSA_WANT_ECC_KEY_PAIR */ +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */ +#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */ #if defined(PSA_WANT_ALG_HMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) 
@@ -94,24 +97,27 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ -#if defined(PSA_WANT_ALG_RSA_OAEP) || defined(PSA_WANT_ALG_RSA_PSS) +#if defined(PSA_WANT_ALG_RSA_OAEP) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1 #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#define MBEDTLS_PKCS1_V21_C +#define MBEDTLS_PKCS1_V21 #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */ +#endif /* PSA_WANT_ALG_RSA_OAEP */ + +#if defined(PSA_WANT_ALG_RSA_PSS) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#define MBEDTLS_PKCS1_V21_C +#define MBEDTLS_PKCS1_V21 #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */ -#endif /* PSA_WANT_ALG_RSA_OAEP || PSA_WANT_ALG_RSA_PSS */ +#endif /* PSA_WANT_ALG_RSA_PSS */ -#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) || defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 #define MBEDTLS_RSA_C @@ -119,6 +125,9 @@ extern "C" { #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V15 #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */ +#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT */ + +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1 #define MBEDTLS_RSA_C 
@@ -126,9 +135,9 @@ extern "C" { #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V15 #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */ -#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT || PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ +#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ -#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) +#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1 #define MBEDTLS_RSA_C @@ -136,6 +145,9 @@ extern "C" { #define MBEDTLS_OID_C #define MBEDTLS_GENPRIME #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR */ +#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ + +#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1 #define MBEDTLS_RSA_C @@ -143,7 +155,7 @@ extern "C" { #define MBEDTLS_OID_C #define MBEDTLS_GENPRIME #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ -#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR || PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ +#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ @@ -166,8 +178,8 @@ extern "C" { #endif /* MBEDTLS_ECDH_C */ #if defined(MBEDTLS_ECP_C) -#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 -#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_MD_C) @@ -193,6 +205,8 @@ extern "C" { #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ +#include "mbedtls/check_config_psa.h" + #ifdef __cplusplus } #endif diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index f23189edc..3fd137465 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h 
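Review bot: After the split, the `PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY` block still defines `MBEDTLS_GENPRIME`, although the only PSA code gated on it in this series (psa_read_rsa_exponent and the RSA branch of psa_generate_key_internal) also requires `MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR`. A public-key-only build therefore pulls in prime generation that it cannot reach through the PSA API, which adds code size and unused surface. Suggest dropping `#define MBEDTLS_GENPRIME` from the public-key block and keeping it only under `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR`, unless something outside these hunks depends on it. The `#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)` block opens in the previous hunk.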
@@ -55,8 +55,8 @@ #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_HKDF 1 -#define PSA_WANT_ECC_KEY_PAIR 1 -#define PSA_WANT_ECC_PUBLIC_KEY 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 +#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 #define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 #define PSA_WANT_ALG_RSA_OAEP 1 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index e527ab72a..31506ef3b 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -370,7 +370,8 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t byte_length ) { @@ -438,7 +439,8 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, return( MBEDTLS_ECP_DP_NONE ); } } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) @@ -494,7 +496,9 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) #if defined(MBEDTLS_PK_PARSE_C) /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes 
@@ -712,9 +716,15 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) /** Load the contents of a key buffer into an internal ECP representation * * \param[in] type The type of key contained in \p data. @@ -933,7 +943,8 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ /** Return the size of the key in the given slot, in bits. * 
@@ -1072,19 +1083,22 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, /* Key format is not supported by any accelerator, try software fallback * if present. */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { return( psa_import_ecp_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { return( psa_import_rsa_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /* Fell through the fallback as well, so have nothing else to try. */ return( PSA_ERROR_NOT_SUPPORTED ); @@ -1471,7 +1485,8 @@ exit: mbedtls_free( buffer ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /** Retrieve all the publicly-accessible attributes of a key. */ 
@@ -1526,7 +1541,8 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, mbedtls_free( rsa ); } break; -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ default: /* Nothing else to do. */ break; @@ -1650,11 +1666,12 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private RSA key to public. */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ } else { -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) mbedtls_ecp_keypair *ecp = NULL; psa_status_t status = psa_load_ecp_representation( slot->attr.type, @@ -1678,7 +1695,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private ECC key to public */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ } } else 
@@ -2104,7 +2122,8 @@ static psa_status_t psa_validate_optional_attributes( return( mbedtls_to_psa_error( ret ) ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ { return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -2301,8 +2320,7 @@ exit: defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - (defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ - (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY))) + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) { switch( alg ) @@ -2345,7 +2363,11 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) return( NULL ); } } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || (defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY))) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ psa_status_t psa_hash_abort( psa_hash_operation_t *operation ) { 
@@ -3414,7 +3436,8 @@ cleanup: #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) /* Decode the hash algorithm from alg and store the mbedtls encoding in * md_alg. Verify that the hash length is acceptable. */ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, @@ -3587,10 +3610,16 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, return( PSA_ERROR_INVALID_SIGNATURE ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ -#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \ - (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)) +#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) && \ + ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ 
@@ -3689,7 +3718,10 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && (defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY)) */ +#endif /* ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) && + ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3755,10 +3787,12 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } else #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) if( #if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) PSA_ALG_IS_ECDSA( alg ) @@ -3783,13 +3817,15 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( ecp ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ { status = PSA_ERROR_INVALID_ARGUMENT; } } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ { status = PSA_ERROR_NOT_SUPPORTED; } 
@@ -3856,11 +3892,14 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) if( PSA_ALG_IS_ECDSA( alg ) ) { mbedtls_ecp_keypair *ecp = NULL; @@ -3878,13 +3917,15 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ { return( PSA_ERROR_INVALID_ARGUMENT ); } } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ { return( PSA_ERROR_NOT_SUPPORTED ); } 
@@ -3992,7 +4033,10 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -5811,7 +5855,8 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, size_t peer_key_length, const mbedtls_ecp_keypair *our_key, @@ -5862,7 +5907,7 @@ exit: return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR */ #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES @@ -5876,7 +5921,8 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, { switch( alg ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) case PSA_ALG_ECDH: if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); 
@@ -5895,7 +5941,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, mbedtls_ecp_keypair_free( ecp ); mbedtls_free( ecp ); return( status ); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR */ default: (void) private_key; (void) peer_key; @@ -6173,7 +6219,7 @@ static psa_status_t psa_generate_key_internal( else #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type ); @@ -6218,7 +6264,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */ { return( PSA_ERROR_NOT_SUPPORTED ); } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b68cfe3d4..138849c54 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1362,30 +1362,30 @@ component_build_psa_want_ecdh_disabled_software() { # This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. component_build_psa_want_ecc_key_pair() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR" + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_KEY_PAIR + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_KEY_PAIR 1 - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_PUBLIC_KEY + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } # This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. 
component_build_psa_want_ecc_public_key() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY" + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ECC_PUBLIC_KEY 1 - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ECC_KEY_PAIR + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. diff --git a/tests/src/drivers/key_management.c b/tests/src/drivers/key_management.c index 34eb614f9..a788934fa 100644 --- a/tests/src/drivers/key_management.c +++ b/tests/src/drivers/key_management.c 
@@ -43,7 +43,8 @@ psa_status_t test_transparent_generate_key( const psa_key_attributes_t *attributes, uint8_t *key, size_t key_size, size_t *key_length ) { -#if !defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) && !defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) && \ + !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) (void)attributes; #endif /* !MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR && !MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY */ ++test_driver_key_management_hooks.hits; @@ -62,7 +63,8 @@ psa_status_t test_transparent_generate_key( } /* Copied from psa_crypto.c */ -#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) { @@ -118,7 +120,7 @@ psa_status_t test_transparent_generate_key( return( status ); } else -#endif /* MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY */ +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY */ return( PSA_ERROR_NOT_SUPPORTED ); } @@ -143,7 +145,8 @@ psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attribute if( test_driver_key_management_hooks.forced_status != PSA_SUCCESS ) return( test_driver_key_management_hooks.forced_status ); -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) psa_key_type_t type = psa_get_key_type( attributes ); if ( PSA_KEY_TYPE_IS_ECC( type ) ) { 
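Review bot: The `#endif` comment that closes the `(void)attributes;` block in test_transparent_generate_key still names `MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR` and `MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY`, although the `#if` above it is renamed in this hunk. It should read `#endif /* !MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR && !MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY */`, so that a search for the old macro names comes back empty after the rename. The function body continues outside the hunk.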
@@ -234,11 +237,12 @@ ecp_exit: } return( PSA_ERROR_NOT_SUPPORTED ); #else + (void) attributes; (void) data; (void) data_length; (void) bits; return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* MBEDTLS_ECP_C */ +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY */ } #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 801f17c3e..cf9f21248 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -157,6 +157,7 @@ + From 6ba40d1faace828c4ae945672c05fe36943089c9 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Tue, 10 Nov 2020 08:50:04 -0800 Subject: [PATCH 08/11] Corrected guards in PSA library based on review comments Revised the placement of various new MBEDTLS_PSA_BUILTIN_xxx guards based on review comments. Corrected guards in psa test driver to use _ACCEL version instead of _BUILTIN version. Updated check_config_psa.h to include additional dependency checks for more algorithms. Renamed some of the new tests to be a little more clear on the purpose. Signed-off-by: John Durkop --- include/mbedtls/check_config_psa.h | 48 +++++++++ include/mbedtls/config_psa.h | 2 + library/psa_crypto.c | 166 ++++++++++++++++------------- tests/scripts/all.sh | 24 ++--- tests/src/drivers/key_management.c | 21 ++-- 5 files changed, 168 insertions(+), 93 deletions(-) diff --git a/include/mbedtls/check_config_psa.h b/include/mbedtls/check_config_psa.h index 3fb5850c6..483aa0e06 100644 --- a/include/mbedtls/check_config_psa.h +++ b/include/mbedtls/check_config_psa.h 
@@ -36,4 +36,52 @@ #error "MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_ECDSA defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_ECDH defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP defined, but not all 
prerequisites" +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) && \ + !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS defined, but not all prerequisites" +#endif + #endif /* MBEDTLS_CHECK_CONFIG_PSA_H */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 48046e07b..0690ee719 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -91,6 +91,7 @@ extern "C" { #if defined(PSA_WANT_ALG_HKDF) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #define MBEDTLS_HKDF_C #define MBEDTLS_MD_C @@ -187,6 +188,7 @@ extern "C" { #endif /* MBEDTLS_MD_C */ #if defined(MBEDTLS_HKDF_C) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* MBEDTLS_HKDF_C */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 31506ef3b..78d0b9a3f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -371,7 +371,9 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t byte_length ) { 
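Review bot: In the second block added to check_config_psa.h the condition tests `MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA` but the `#error` text names `MBEDTLS_PSA_BUILTIN_ALG_ECDH`, so one of the two is a copy-paste slip. The context line just above the addition already reports missing prerequisites for deterministic ECDSA, which suggests the block was meant for ECDH; if so, its first line should read `#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && \`, with the prerequisite list adjusted to what ECDH actually needs. As written, a built-in ECDH with no ECC key type macro gets no configuration-time diagnostic, while the same commit relaxes the psa_key_agreement_ecdh guard in library/psa_crypto.c to `MBEDTLS_PSA_BUILTIN_ALG_ECDH` alone. If a second deterministic-ECDSA check is what was intended, the message should name that macro instead.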
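Review bot: The two added `#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1` lines in config_psa.h, one under `PSA_WANT_ALG_HKDF` and one under `MBEDTLS_HKDF_C`, carry no comment saying why HKDF switches on built-in HMAC. The reason is only visible in library/psa_crypto.c, where this commit narrows the guards on psa_get_hash_block_size and the psa_hmac_abort_internal / psa_hmac_setup_internal / psa_hmac_finish_internal helpers from `HMAC || HKDF` to `MBEDTLS_PSA_BUILTIN_ALG_HMAC` alone. I would put `/* Built-in HKDF uses the internal HMAC helpers, which are compiled under MBEDTLS_PSA_BUILTIN_ALG_HMAC only. */` above each define. The comment should also say that a build which sets PSA_WANT_ALG_HKDF without PSA_WANT_ALG_HMAC, or which defines MBEDTLS_PSA_ACCEL_ALG_HMAC, still compiles the built-in HMAC code and presumably exposes it through the MAC API, because that is more than the configuration asked for.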
@@ -440,7 +442,9 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, } } #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) */ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) @@ -593,6 +597,16 @@ exit: #endif /* MBEDTLS_PK_PARSE_C */ } +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ + +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) + /** Export an RSA key to export representation * * \param[in] type The type of key (public/private) to export 
@@ -716,15 +730,15 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || + +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) /** Load the contents of a key buffer into an internal ECP representation * * \param[in] type The type of key contained in \p data. @@ -824,7 +838,14 @@ exit: return( status ); } +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) /** Export an ECP key to export representation * * \param[in] type The type of key (public/private) to export 
@@ -1444,7 +1465,11 @@ psa_status_t psa_get_key_domain_parameters( return( PSA_SUCCESS ); } -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) static psa_status_t psa_get_rsa_public_exponent( const mbedtls_rsa_context *rsa, @@ -1485,7 +1510,11 @@ exit: mbedtls_free( buffer ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /** Retrieve all the publicly-accessible attributes of a key. @@ -1513,7 +1542,11 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, switch( slot->attr.type ) { -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: 
@@ -1541,7 +1574,11 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, mbedtls_free( rsa ); } break; -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || + * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ default: /* Nothing else to do. */ @@ -1671,7 +1708,8 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, } else { -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) mbedtls_ecp_keypair *ecp = NULL; psa_status_t status = psa_load_ecp_representation( slot->attr.type, @@ -2884,7 +2922,7 @@ static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( (int) key_bits, mode ) ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static size_t psa_get_hash_block_size( psa_algorithm_t alg ) { switch( alg ) @@ -2911,7 +2949,7 @@ static size_t psa_get_hash_block_size( psa_algorithm_t alg ) return( 0 ); } } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ /* Initialize the MAC operation structure. Once this function has been * called, psa_mac_abort can run and will do the right thing. */ 
@@ -2955,13 +2993,13 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation, return( status ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac ) { mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) ); return( psa_hash_abort( &hmac->hash_ctx ) ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ psa_status_t psa_mac_abort( psa_mac_operation_t *operation ) { @@ -3032,7 +3070,7 @@ static int psa_cmac_setup( psa_mac_operation_t *operation, } #endif /* MBEDTLS_CMAC_C */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac, const uint8_t *key, size_t key_length, @@ -3094,7 +3132,7 @@ cleanup: return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation, psa_key_handle_t handle, @@ -3266,7 +3304,7 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation, return( status ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac, uint8_t *mac, size_t mac_size ) @@ -3304,7 +3342,7 @@ exit: mbedtls_platform_zeroize( tmp, hash_size ); return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation, uint8_t *mac, 
@@ -3433,11 +3471,8 @@ cleanup: /* Asymmetric cryptography */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) /* Decode the hash algorithm from alg and store the mbedtls encoding in * md_alg. Verify that the hash length is acceptable. */ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, @@ -3481,7 +3516,6 @@ static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg, return( PSA_SUCCESS ); } -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, psa_algorithm_t alg, const uint8_t *hash, @@ -3544,7 +3578,6 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, *signature_length = mbedtls_rsa_get_len( rsa ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR */ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, psa_algorithm_t alg, 
@@ -3610,16 +3643,11 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, return( PSA_ERROR_INVALID_SIGNATURE ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ -#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) && \ - ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ @@ -3718,10 +3746,8 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* ( defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ) && - ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3764,7 +3790,8 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, goto exit; /* If the operation was not supported by any accelerator, try fallback. */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; 
@@ -3786,9 +3813,8 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( rsa ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ @@ -3824,8 +3850,6 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ { status = PSA_ERROR_NOT_SUPPORTED; } @@ -3870,8 +3894,8 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, psa_key_lifetime_is_external( slot->attr.lifetime ) ) return status; -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -3892,10 +3916,8 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \ @@ -3924,8 +3946,6 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */ { return( PSA_ERROR_NOT_SUPPORTED ); } 
@@ -3973,8 +3993,8 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle, PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { mbedtls_rsa_context *rsa = NULL; @@ -4034,9 +4054,7 @@ rsa_exit: } else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) */ + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -4072,7 +4090,8 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle, if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context *rsa = NULL; @@ -4131,7 +4150,8 @@ rsa_exit: return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -5855,8 +5875,7 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, size_t peer_key_length, const mbedtls_ecp_keypair *our_key, 
@@ -5907,7 +5926,7 @@ exit: return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES @@ -5921,8 +5940,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, { switch( alg ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) case PSA_ALG_ECDH: if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5941,7 +5959,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, mbedtls_ecp_keypair_free( ecp ); mbedtls_free( ecp ); return( status ); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ default: (void) private_key; (void) peer_key; @@ -6105,7 +6123,8 @@ psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed, } #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) @@ -6131,7 +6150,8 @@ static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, *exponent = acc; return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && + * defined(MBEDTLS_GENPRIME) */ static psa_status_t psa_generate_key_internal( psa_key_slot_t *slot, size_t bits, 
@@ -6169,7 +6189,8 @@ static psa_status_t psa_generate_key_internal( } else -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context rsa; @@ -6217,7 +6238,8 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && + * defined(MBEDTLS_GENPRIME) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 138849c54..592d878a3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1324,7 +1324,7 @@ component_test_psa_crypto_config_no_driver() { } # This should be renamed to test and updated once the accelerator ECDSA code is in place and ready to test. -component_build_psa_want_ecdsa_disabled_software() { +component_build_psa_accel_alg_ecdsa() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA # without MBEDTLS_ECDSA_C # PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA are already @@ -1342,7 +1342,7 @@ component_build_psa_want_ecdsa_disabled_software() { } # This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test. -component_build_psa_want_ecdh_disabled_software() { +component_build_psa_accel_alg_ecdh() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH # without MBEDTLS_ECDH_C msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" 
@@ -1361,7 +1361,7 @@ component_build_psa_want_ecdh_disabled_software() { } # This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. -component_build_psa_want_ecc_key_pair() { +component_build_psa_accel_key_type_ecc_key_pair() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_KEY_PAIR msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" scripts/config.py full @@ -1375,7 +1375,7 @@ component_build_psa_want_ecc_key_pair() { } # This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. -component_build_psa_want_ecc_public_key() { +component_build_psa_accel_key_type_ecc_public_key() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" scripts/config.py full @@ -1389,7 +1389,7 @@ component_build_psa_want_ecc_public_key() { } # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. -component_build_psa_want_hmac() { +component_build_psa_accel_alg_hmac() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" scripts/config.py full @@ -1401,7 +1401,7 @@ component_build_psa_want_hmac() { } # This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test. -component_build_psa_want_hkdf_disabled_software() { +component_build_psa_accel_alg_hkdf() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF # without MBEDTLS_HKDF_C msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" 
@@ -1417,7 +1417,7 @@ component_build_psa_want_hkdf_disabled_software() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_pkcs1v15_crypt() { +component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_CRYPT msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full @@ -1433,7 +1433,7 @@ component_build_psa_want_rsa_pkcs1v15_crypt() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_pkcs1v15_sign() { +component_build_psa_accel_alg_rsa_pkcs1v15_sign() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PKCS1V15_SIGN and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full @@ -1449,7 +1449,7 @@ component_build_psa_want_rsa_pkcs1v15_sign() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_oaep() { +component_build_psa_accel_alg_rsa_oaep() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_OAEP and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full @@ -1465,7 +1465,7 @@ component_build_psa_want_rsa_oaep() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_pss() { +component_build_psa_accel_alg_rsa_pss() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA_PSS and PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full 
@@ -1481,7 +1481,7 @@ component_build_psa_want_rsa_pss() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_key_pair() { +component_build_psa_accel_key_type_rsa_key_pair() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR and PSA_WANT_ALG_RSA_PSS msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" scripts/config.py full @@ -1495,7 +1495,7 @@ component_build_psa_want_rsa_key_pair() { } # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test. -component_build_psa_want_rsa_public_key() { +component_build_psa_accel_key_type_rsa_public_key() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY and PSA_WANT_ALG_RSA_PSS msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" scripts/config.py full diff --git a/tests/src/drivers/key_management.c b/tests/src/drivers/key_management.c index a788934fa..d6d75b3ed 100644 --- a/tests/src/drivers/key_management.c +++ b/tests/src/drivers/key_management.c @@ -43,10 +43,11 @@ psa_status_t test_transparent_generate_key( const psa_key_attributes_t *attributes, uint8_t *key, size_t key_size, size_t *key_length ) { -#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) && \ - !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) && \ + !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) (void)attributes; -#endif /* !MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR && !MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY */ +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR && + * !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ ++test_driver_key_management_hooks.hits; if( test_driver_key_management_hooks.forced_status != PSA_SUCCESS ) 
@@ -63,8 +64,8 @@ psa_status_t test_transparent_generate_key( } /* Copied from psa_crypto.c */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) { @@ -120,7 +121,8 @@ psa_status_t test_transparent_generate_key( return( status ); } else -#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR || + * MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ return( PSA_ERROR_NOT_SUPPORTED ); } @@ -145,8 +147,8 @@ psa_status_t test_transparent_validate_key(const psa_key_attributes_t *attribute if( test_driver_key_management_hooks.forced_status != PSA_SUCCESS ) return( test_driver_key_management_hooks.forced_status ); -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) +#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) psa_key_type_t type = psa_get_key_type( attributes ); if ( PSA_KEY_TYPE_IS_ECC( type ) ) { @@ -242,7 +244,8 @@ ecp_exit: (void) data_length; (void) bits; return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR || MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR || + * MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ } #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ From b6f7afcb5cd24a08dd95f2055028b14beb99317c Mon Sep 17 00:00:00 2001 
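Review bot: With the guards switched to `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR` / `MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY`, the ECC code in `test_transparent_generate_key` and `test_transparent_validate_key` is compiled out in every build that does not define those macros, leaving only the path that returns `PSA_ERROR_NOT_SUPPORTED`. The all.sh components renamed in this patch are still `component_build_*` and commented as build-only, so it looks as if no test run exercises these driver paths any more; confirm that the driver-wrapper tests still reach them. A short comment above the guard would record the intent, e.g. `/* Only built when the ECC key types are declared as accelerated. */`. The same guard swap appears in the hunks at -43, -120, -145 and -242, and both functions start and end outside these hunks.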
From: John Durkop Date: Thu, 12 Nov 2020 11:36:06 -0800 Subject: [PATCH 09/11] Move check config feature for PSA_WANT Moved from doing the dependency checks for MBEDTLS_PSA_BUILTIN to checking the PSA_WANT macros for the dependency checks. This required moving the file into the include/psa directory and having the file be included by crypto_config.h instead of config_psa.h. Signed-off-by: John Durkop --- include/mbedtls/check_config_psa.h | 87 ------------------------------ include/mbedtls/config_psa.h | 2 - include/psa/check_crypto_config.h | 67 +++++++++++++++++++++++ include/psa/crypto_config.h | 2 + visualc/VS2010/mbedTLS.vcxproj | 2 +- 5 files changed, 70 insertions(+), 90 deletions(-) delete mode 100644 include/mbedtls/check_config_psa.h create mode 100644 include/psa/check_crypto_config.h diff --git a/include/mbedtls/check_config_psa.h b/include/mbedtls/check_config_psa.h deleted file mode 100644 index 483aa0e06..000000000 --- a/include/mbedtls/check_config_psa.h +++ /dev/null 
@@ -1,87 +0,0 @@ -/** - * \file check_config_psa.h - * - * \brief Consistency checks for PSA configuration options - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* - * It is recommended to include this file from your config_psa.h - * in order to catch dependency issues early. - */ - -#ifndef MBEDTLS_CHECK_CONFIG_PSA_H -#define MBEDTLS_CHECK_CONFIG_PSA_H - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_ECDSA defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ - 
defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_ECDH defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) && \ - !( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) || \ - defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY) ) -#error "MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS defined, but not all prerequisites" -#endif - -#endif /* MBEDTLS_CHECK_CONFIG_PSA_H */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 0690ee719..a64710647 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h 
@@ -207,8 +207,6 @@ extern "C" { #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ -#include "mbedtls/check_config_psa.h" - #ifdef __cplusplus } #endif diff --git a/include/psa/check_crypto_config.h b/include/psa/check_crypto_config.h new file mode 100644 index 000000000..dc9c7257a --- /dev/null +++ b/include/psa/check_crypto_config.h 
@@ -0,0 +1,67 @@ +/** + * \file check_crypto_config.h + * + * \brief Consistency checks for PSA configuration options + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * It is recommended to include this file from your crypto_config.h + * in order to catch dependency issues early. + */ + +#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H +#define MBEDTLS_CHECK_CRYPTO_CONFIG_H + +#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \ + !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_ECDSA) && \ + !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \ + defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \ + !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \ + !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_RSA_OAEP) && \ + !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \ + 
defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites" +#endif + +#if defined(PSA_WANT_ALG_RSA_PSS) && \ + !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \ + defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) ) +#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites" +#endif + +#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 3fd137465..8deb3ada4 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -64,4 +64,6 @@ #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 +#include "psa/check_crypto_config.h" + #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index cf9f21248..e66b37800 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -157,7 +157,6 @@ - @@ -222,6 +221,7 @@ + From 5cc8dfb40489b2eeb0180a746d89d099caf1f813 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Fri, 13 Nov 2020 04:54:15 -0800 Subject: [PATCH 10/11] Removed final MBEDLTS_MD_C guard in PSA crypto library There was one lingering MBEDTLS_MD_C that needed to be removed since it is no longer needed. Signed-off-by: John Durkop --- library/psa_crypto.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 78d0b9a3f..42d141c19 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -453,9 +453,7 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, switch( type ) { case PSA_KEY_TYPE_RAW_DATA: -#if defined(MBEDTLS_MD_C) case PSA_KEY_TYPE_HMAC: -#endif case PSA_KEY_TYPE_DERIVE: break; #if defined(MBEDTLS_AES_C) From 07cc04a8adea51419626dbf521ca0b1e64253f7c Mon Sep 17 00:00:00 2001 
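Review bot: `PSA_WANT_ALG_ECDH` has no prerequisite check in the new check_crypto_config.h. The deleted check_config_psa.h had a third block whose `#error` text named ECDH while its condition tested `MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA`, apparently a copy-paste slip, and that block was dropped here rather than corrected. The earlier psa_crypto.c hunks reduce the key-agreement guards to `MBEDTLS_PSA_BUILTIN_ALG_ECDH` alone, while `psa_key_agreement_ecdh` still takes an `mbedtls_ecp_keypair`. A configuration that wants ECDH without an ECC key type would therefore presumably fail somewhere inside psa_crypto.c instead of at a clear `#error`. I would add a block mirroring the ECDSA ones, as below.

```c
#if defined(PSA_WANT_ALG_ECDH) && \
    !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
       defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) )
#error "PSA_WANT_ALG_ECDH defined, but not all prerequisites"
#endif
```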
From: John Durkop Date: Mon, 16 Nov 2020 22:08:34 -0800 Subject: [PATCH 11/11] Updates to PSA crypto library based on review comments Moved new check_crypto_config.h file from include/psa to library directory and the file is now included from *.c instead of the crypto_config.h file. Fixed guards in PSA crypto library based on review comments for new PSA crypto config features. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 119 +++++---- include/mbedtls/ssl.h | 7 +- include/mbedtls/ssl_internal.h | 9 +- include/psa/crypto_config.h | 14 +- .../psa => library}/check_crypto_config.h | 5 + library/psa_crypto.c | 232 +++++++++--------- tests/scripts/all.sh | 2 +- visualc/VS2010/mbedTLS.vcxproj | 2 +- 8 files changed, 216 insertions(+), 174 deletions(-) rename {include/psa => library}/check_crypto_config.h (92%) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index a64710647..5cf1aa77d 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -40,13 +40,6 @@ extern "C" { #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) -#if defined(PSA_WANT_ALG_ECDSA) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 -#define MBEDTLS_ECDSA_C -#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */ -#endif /* PSA_WANT_ALG_ECDSA */ - #if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) #if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 
@@ -66,38 +59,26 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */ #endif /* PSA_WANT_ALG_ECDH */ -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 -#define MBEDTLS_ECP_C -#define MBEDTLS_BIGNUM_C -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ -#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ - -#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) -#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 -#define MBEDTLS_ECP_C -#define MBEDTLS_BIGNUM_C -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */ -#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */ - -#if defined(PSA_WANT_ALG_HMAC) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#define MBEDTLS_MD_C -#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ -#endif /* PSA_WANT_ALG_HMAC */ +#if defined(PSA_WANT_ALG_ECDSA) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 +#define MBEDTLS_ECDSA_C +#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */ +#endif /* PSA_WANT_ALG_ECDSA */ #if defined(PSA_WANT_ALG_HKDF) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 -#define MBEDTLS_HKDF_C -#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ +#if defined(PSA_WANT_ALG_HMAC) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ +#endif /* PSA_WANT_ALG_HMAC */ + #if defined(PSA_WANT_ALG_RSA_OAEP) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1 
@@ -105,19 +86,10 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V21 +#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */ #endif /* PSA_WANT_ALG_RSA_OAEP */ -#if defined(PSA_WANT_ALG_RSA_PSS) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) -#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 -#define MBEDTLS_RSA_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_OID_C -#define MBEDTLS_PKCS1_V21 -#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */ -#endif /* PSA_WANT_ALG_RSA_PSS */ - #if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 
@@ -135,9 +107,49 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS1_V15 +#define MBEDTLS_MD_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */ #endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */ +#if defined(PSA_WANT_ALG_RSA_PSS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS) +#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1 +#define MBEDTLS_RSA_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_OID_C +#define MBEDTLS_PKCS1_V21 +#define MBEDTLS_MD_C +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */ +#endif /* PSA_WANT_ALG_RSA_PSS */ + +#if defined(PSA_WANT_ALG_TLS12_PRF) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF */ +#endif /* PSA_WANT_ALG_TLS12_PRF */ + +#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS) +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1 +#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */ +#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */ + +#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */ +#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */ + +#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define MBEDTLS_ECP_C +#define MBEDTLS_BIGNUM_C +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */ +#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ + #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1 
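Review bot: The new `PSA_WANT_ALG_TLS12_PRF` and `PSA_WANT_ALG_TLS12_PSK_TO_MS` blocks define only their own `MBEDTLS_PSA_BUILTIN_ALG_*` macro, whereas the `PSA_WANT_ALG_HKDF` block earlier in this file also defines `MBEDTLS_PSA_BUILTIN_ALG_HMAC 1`. If the TLS 1.2 PRF code in psa_crypto.c is built on the same HMAC helpers (not visible in this hunk), a configuration that wants the PRF but not HMAC would compile those helpers out. Adding `#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1` inside both new blocks, or a matching `#error` in check_crypto_config.h, would make the dependency explicit.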
@@ -145,6 +157,9 @@ extern "C" { #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C #define MBEDTLS_GENPRIME +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR */ #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */ @@ -154,7 +169,9 @@ extern "C" { #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#define MBEDTLS_GENPRIME +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_PK_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ @@ -164,6 +181,10 @@ extern "C" { * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG * is not defined */ +#if defined(MBEDTLS_ECDH_C) +#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 +#endif /* MBEDTLS_ECDH_C */ + #if defined(MBEDTLS_ECDSA_C) #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 @@ -174,24 +195,22 @@ extern "C" { #endif /* MBEDTLS_ECDSA_C */ -#if defined(MBEDTLS_ECDH_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 -#endif /* MBEDTLS_ECDH_C */ - #if defined(MBEDTLS_ECP_C) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1 #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_MD_C) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#endif /* MBEDTLS_MD_C */ - #if defined(MBEDTLS_HKDF_C) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* MBEDTLS_HKDF_C */ +#if defined(MBEDTLS_MD_C) +#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1 +#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1 +#endif /* MBEDTLS_MD_C */ + #if defined(MBEDTLS_RSA_C) #if defined(MBEDTLS_PKCS1_V15) #define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index c35f65e90..03c587740 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -42,7 +42,12 @@ #include "mbedtls/dhm.h" #endif -#if defined(MBEDTLS_ECDH_C) || defined(PSA_WANT_ALG_ECDH) +/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due + * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap + * in functionality that access to ecdh_ctx structure is needed for + * MBEDTLS_ECDSA_C which does not seem correct. + */ +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) #include "mbedtls/ecdh.h" #endif diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 406d22463..f41d1946c 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -437,7 +437,12 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_DHM_C) mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ #endif -#if defined(MBEDTLS_ECDH_C) || defined(PSA_WANT_ALG_ECDH) +/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due + * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap + * in functionality that access to ecdh_ctx structure is needed for + * MBEDTLS_ECDSA_C which does not seem correct. + */ +#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -447,7 +452,7 @@ struct mbedtls_ssl_handshake_params unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; size_t ecdh_psa_peerkey_len; #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_ECDH_C || PSA_WANT_ALG_ECDH */ +#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 8deb3ada4..c12a52200 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h 
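Review bot: The comment added above the `MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C` guard records a known gap ("does not seem correct") but leaves no marker a maintainer can search for, and the same text is repeated in ssl.h and ssl_internal.h. With `MBEDTLS_ECDSA_C` alone the ecdh.h include and the `ecdh_ctx` member are now present even though ECDH itself is not enabled, so the guard is wider than the feature it protects. I would shorten the comment to something like `/* TODO: ecdh_ctx is only needed for ECDH; MBEDTLS_ECDSA_C is listed to match the guards in ssl_srv.c and ssl_cli.c. */` and point it at a tracking issue. `struct mbedtls_ssl_handshake_params` starts and ends outside these hunks.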
@@ -50,20 +50,20 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -#define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #define PSA_WANT_ALG_ECDH 1 -#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_HKDF 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 -#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_RSA_OAEP 1 #define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 #define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 -#define PSA_WANT_ALG_RSA_OAEP 1 #define PSA_WANT_ALG_RSA_PSS 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 +#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 -#include "psa/check_crypto_config.h" - #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/include/psa/check_crypto_config.h b/library/check_crypto_config.h similarity index 92% rename from include/psa/check_crypto_config.h rename to library/check_crypto_config.h index dc9c7257a..cac90a0df 100644 --- a/include/psa/check_crypto_config.h +++ b/library/check_crypto_config.h @@ -64,4 +64,9 @@ #error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites" #endif +#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \ + !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) +#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR defined, but not all prerequisites" +#endif + #endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 42d141c19..97b522dd5 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -22,6 +22,10 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#include "check_crypto_config.h" +#endif + #include "psa_crypto_service_integration.h" #include "psa/crypto.h" 
@@ -370,6 +374,11 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ +/* For now the MBEDTLS_PSA_ACCEL_ guards are also used here since the + * current test driver in key_management.c is using this function + * when accelerators are used for ECC key pair and public key. + * Once that dependency is resolved these guards can be removed. + */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \ defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR) || \ @@ -502,7 +511,6 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) -#if defined(MBEDTLS_PK_PARSE_C) /* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes * that are not a multiple of 8) well. For example, there is only * mbedtls_rsa_get_len(), which returns a number of bytes, and no @@ -524,7 +532,6 @@ static psa_status_t psa_check_rsa_key_byte_aligned( mbedtls_mpi_free( &n ); return( status ); } -#endif /* MBEDTLS_PK_PARSE_C */ /** Load the contents of a key buffer into an internal RSA representation * @@ -541,7 +548,6 @@ static psa_status_t psa_load_rsa_representation( psa_key_type_t type, size_t data_length, mbedtls_rsa_context **p_rsa ) { -#if defined(MBEDTLS_PK_PARSE_C) psa_status_t status; mbedtls_pk_context ctx; size_t bits; @@ -586,13 +592,6 @@ static psa_status_t psa_load_rsa_representation( psa_key_type_t type, exit: mbedtls_pk_free( &ctx ); return( status ); -#else - (void) data; - (void) data_length; - (void) type; - (void) rsa; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* MBEDTLS_PK_PARSE_C */ } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || 
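Review bot: Dropping the `#if defined(MBEDTLS_PK_PARSE_C)` guards around psa_check_rsa_key_byte_aligned and psa_load_rsa_representation makes `mbedtls_pk_context` and `mbedtls_pk_free` unconditional wherever any builtin RSA macro is set, and removes the `PSA_ERROR_NOT_SUPPORTED` fallback. The config_psa.h hunks add `MBEDTLS_PK_PARSE_C` only under the RSA key-type sections of the MBEDTLS_PSA_CRYPTO_CONFIG branch. The legacy branch keyed on `MBEDTLS_RSA_C` appears not to require it, so such a build would now fail to compile instead of rejecting the key at run time. Either keep the fallback, or make the dependency explicit next to the function, e.g. `#if !defined(MBEDTLS_PK_PARSE_C)` / `#error "builtin RSA key loading requires MBEDTLS_PK_PARSE_C"` / `#endif`. Both functions start and end outside these hunks.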
@@ -1463,11 +1462,7 @@ psa_status_t psa_get_key_domain_parameters( return( PSA_SUCCESS ); } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) static psa_status_t psa_get_rsa_public_exponent( const mbedtls_rsa_context *rsa, @@ -1508,11 +1503,7 @@ exit: mbedtls_free( buffer ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ /** Retrieve all the publicly-accessible attributes of a key. @@ -1540,11 +1531,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, switch( slot->attr.type ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ - defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) case PSA_KEY_TYPE_RSA_KEY_PAIR: case PSA_KEY_TYPE_RSA_PUBLIC_KEY: 
@@ -1572,11 +1559,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle, mbedtls_free( rsa ); } break; -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || - * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ default: /* Nothing else to do. */ @@ -2352,8 +2335,7 @@ exit: /* Message digests */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -2399,8 +2381,7 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) return( NULL ); } } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || - * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || * defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ @@ -2947,7 +2928,7 @@ static size_t psa_get_hash_block_size( psa_algorithm_t alg ) return( 0 ); } } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) */ /* Initialize the MAC operation structure. Once this function has been * called, psa_mac_abort can run and will do the right thing. */ 
@@ -3525,10 +3506,6 @@ static psa_status_t psa_rsa_sign( mbedtls_rsa_context *rsa, psa_status_t status; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; -#if !defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) - (void)hash; - (void)signature; -#endif /* !MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ status = psa_rsa_decode_md_type( alg, hash_length, &md_alg ); if( status != PSA_SUCCESS ) @@ -3587,10 +3564,6 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, psa_status_t status; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; -#if !defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) - (void)hash; - (void)signature; -#endif /* !MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN */ status = psa_rsa_decode_md_type( alg, hash_length, &md_alg ); if( status != PSA_SUCCESS ) @@ -5014,6 +4987,12 @@ exit: /* Generators */ /****************************************************************/ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) +#define AT_LEAST_ONE_BUILTIN_KDF +#endif + #define HKDF_STATE_INIT 0 /* no input yet */ #define HKDF_STATE_STARTED 1 /* got salt */ #define HKDF_STATE_KEYED 2 /* got key */ @@ -5028,7 +5007,6 @@ static psa_algorithm_t psa_key_derivation_get_kdf_alg( return( operation->alg ); } - psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation ) { psa_status_t status = PSA_SUCCESS; 
@@ -5046,7 +5024,11 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation mbedtls_free( operation->ctx.hkdf.info ); status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac ); } - else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || + else +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */ PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) { @@ -5070,7 +5052,8 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation * mbedtls_platform_zeroize() in the end of this function. */ } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || + * defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) */ { status = PSA_ERROR_BAD_STATE; } @@ -5171,7 +5154,10 @@ static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkd return( PSA_SUCCESS ); } +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) static psa_status_t psa_key_derivation_tls12_prf_generate_next_block( psa_tls12_prf_key_derivation_t *tls12_prf, psa_algorithm_t alg ) @@ -5318,7 +5304,8 @@ static psa_status_t psa_key_derivation_tls12_prf_read( return( PSA_SUCCESS ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || + * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation, @@ -5326,9 +5313,7 @@ psa_status_t psa_key_derivation_output_bytes( size_t output_length ) { psa_status_t status; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation ); -#endif if( operation->alg == 0 ) { 
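Review bot: The new closing comment `#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF */` in psa_key_derivation_abort is missing its closing parenthesis, and it uses the `defined(...)` form while the other HKDF `#endif` comments in this patch use the bare macro name. I would write `#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */`. The `#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||` comment added after psa_tls12_prf_input has the opposite slip, a stray `)`. These comments are the only way to follow the spliced `else` / `#endif` / `#if` / `if` chains in this function, so they should match their `#if` exactly.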
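Review bot: In psa_key_derivation_output_bytes, `kdf_alg` is now declared unconditionally, but every use of it sits inside an `#if` for HKDF or TLS12_PRF/PSK_TO_MS. The patch introduces `AT_LEAST_ONE_BUILTIN_KDF` precisely because a build with no builtin KDF is possible; in that build the variable is set but never read, which warns under `-Wall` and fails with `-Werror`. Adding `(void) kdf_alg;` after the declaration, or wrapping the declaration in `#if defined(AT_LEAST_ONE_BUILTIN_KDF)`, keeps that configuration clean. The psa_key_derivation_input_internal hunk has the same problem and also drops the `(void)data; (void)data_length;` casts, so those parameters become unused too. Both function bodies continue outside their hunks.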
@@ -5364,15 +5349,19 @@ psa_status_t psa_key_derivation_output_bytes( output, output_length ); } else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || - PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) + PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) { status = psa_key_derivation_tls12_prf_read( &operation->ctx.tls12_prf, kdf_alg, output, output_length ); } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF || + * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ { return( PSA_ERROR_BAD_STATE ); } 
@@ -5482,22 +5471,36 @@ psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attribut /* Key derivation */ /****************************************************************/ +#ifdef AT_LEAST_ONE_BUILTIN_KDF static psa_status_t psa_key_derivation_setup_kdf( psa_key_derivation_operation_t *operation, psa_algorithm_t kdf_alg ) { -#if !defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) - (void)kdf_alg; -#endif + int is_kdf_alg_supported; + /* Make sure that operation->ctx is properly zero-initialised. (Macro * initialisers for this union leave some bytes unspecified.) */ memset( &operation->ctx, 0, sizeof( operation->ctx ) ); /* Make sure that kdf_alg is a supported key derivation algorithm. */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) - if( PSA_ALG_IS_HKDF( kdf_alg ) || - PSA_ALG_IS_TLS12_PRF( kdf_alg ) || - PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) + if( PSA_ALG_IS_HKDF( kdf_alg ) ) + is_kdf_alg_supported = 1; + else +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) + if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ) + is_kdf_alg_supported = 1; + else +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) + is_kdf_alg_supported = 1; + else +#endif + is_kdf_alg_supported = 0; + + if( is_kdf_alg_supported ) { psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg ); size_t hash_size = PSA_HASH_SIZE( hash_alg ); @@ -5512,10 +5515,10 @@ static psa_status_t psa_key_derivation_setup_kdf( operation->capacity = 255 * hash_size; return( PSA_SUCCESS ); } - else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ - return( PSA_ERROR_NOT_SUPPORTED ); + + return( PSA_ERROR_NOT_SUPPORTED ); } +#endif /* AT_LEAST_ONE_BUILTIN_KDF */ psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation, psa_algorithm_t alg ) 
@@ -5527,6 +5530,7 @@ psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) ) return( PSA_ERROR_INVALID_ARGUMENT ); +#ifdef AT_LEAST_ONE_BUILTIN_KDF else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) ) { psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ); @@ -5536,6 +5540,7 @@ psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation { status = psa_key_derivation_setup_kdf( operation, alg ); } +#endif else return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5609,7 +5614,10 @@ static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf, return( PSA_ERROR_INVALID_ARGUMENT ); } } +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) static psa_status_t psa_tls12_prf_set_seed( psa_tls12_prf_key_derivation_t *prf, const uint8_t *data, size_t data_length ) 
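Review bot: When `AT_LEAST_ONE_BUILTIN_KDF` is not defined, the `#ifdef` added in psa_key_derivation_setup removes both KDF branches, so every algorithm falls through to the final `else return( PSA_ERROR_INVALID_ARGUMENT );`. A well-formed key-derivation or key-agreement algorithm that is merely compiled out should report `PSA_ERROR_NOT_SUPPORTED`, so that callers can tell a missing feature from a malformed request. An `#else` arm would restore that, assuming the second branch tests `PSA_ALG_IS_KEY_DERIVATION` (its condition falls between the two hunks): `#else` / `else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) || PSA_ALG_IS_KEY_DERIVATION( alg ) )` / `return( PSA_ERROR_NOT_SUPPORTED );`. The function body starts and ends outside these hunks.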
@@ -5650,41 +5658,6 @@ static psa_status_t psa_tls12_prf_set_key( psa_tls12_prf_key_derivation_t *prf, return( PSA_SUCCESS ); } -static psa_status_t psa_tls12_prf_psk_to_ms_set_key( - psa_tls12_prf_key_derivation_t *prf, - psa_algorithm_t hash_alg, - const uint8_t *data, - size_t data_length ) -{ - psa_status_t status; - uint8_t pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ]; - uint8_t *cur = pms; - - if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ) - return( PSA_ERROR_INVALID_ARGUMENT ); - - /* Quoting RFC 4279, Section 2: - * - * The premaster secret is formed as follows: if the PSK is N octets - * long, concatenate a uint16 with the value N, N zero octets, a second - * uint16 with the value N, and the PSK itself. - */ - - *cur++ = ( data_length >> 8 ) & 0xff; - *cur++ = ( data_length >> 0 ) & 0xff; - memset( cur, 0, data_length ); - cur += data_length; - *cur++ = pms[0]; - *cur++ = pms[1]; - memcpy( cur, data, data_length ); - cur += data_length; - - status = psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms ); - - mbedtls_platform_zeroize( pms, sizeof( pms ) ); - return( status ); -} - static psa_status_t psa_tls12_prf_set_label( psa_tls12_prf_key_derivation_t *prf, const uint8_t *data, size_t data_length ) 
@@ -5725,6 +5698,44 @@ static psa_status_t psa_tls12_prf_input( psa_tls12_prf_key_derivation_t *prf, return( PSA_ERROR_INVALID_ARGUMENT ); } } +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || + * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) +static psa_status_t psa_tls12_prf_psk_to_ms_set_key( + psa_tls12_prf_key_derivation_t *prf, + psa_algorithm_t hash_alg, + const uint8_t *data, + size_t data_length ) +{ + psa_status_t status; + uint8_t pms[ 4 + 2 * PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ]; + uint8_t *cur = pms; + + if( data_length > PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN ) + return( PSA_ERROR_INVALID_ARGUMENT ); + + /* Quoting RFC 4279, Section 2: + * + * The premaster secret is formed as follows: if the PSK is N octets + * long, concatenate a uint16 with the value N, N zero octets, a second + * uint16 with the value N, and the PSK itself. + */ + + *cur++ = ( data_length >> 8 ) & 0xff; + *cur++ = ( data_length >> 0 ) & 0xff; + memset( cur, 0, data_length ); + cur += data_length; + *cur++ = pms[0]; + *cur++ = pms[1]; + memcpy( cur, data, data_length ); + cur += data_length; + + status = psa_tls12_prf_set_key( prf, hash_alg, pms, cur - pms ); + + mbedtls_platform_zeroize( pms, sizeof( pms ) ); + return( status ); +} static psa_status_t psa_tls12_prf_psk_to_ms_input( psa_tls12_prf_key_derivation_t *prf, @@ -5741,7 +5752,7 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input( return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ /** Check whether the given key type is acceptable for the given * input step of a key derivation. 
@@ -5785,12 +5796,7 @@ static psa_status_t psa_key_derivation_input_internal( size_t data_length ) { psa_status_t status; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation ); -#else - (void)data; - (void)data_length; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ status = psa_key_derivation_check_input_type( step, key_type ); if( status != PSA_SUCCESS ) @@ -5803,20 +5809,26 @@ static psa_status_t psa_key_derivation_input_internal( PSA_ALG_HKDF_GET_HASH( kdf_alg ), step, data, data_length ); } - else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ) + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) + if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ) { status = psa_tls12_prf_input( &operation->ctx.tls12_prf, PSA_ALG_HKDF_GET_HASH( kdf_alg ), step, data, data_length ); } - else if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) + else +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + if( PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) { status = psa_tls12_prf_psk_to_ms_input( &operation->ctx.tls12_prf, PSA_ALG_HKDF_GET_HASH( kdf_alg ), step, data, data_length ); } else -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ { /* This can't happen unless the operation object was not initialized */ return( PSA_ERROR_BAD_STATE ); @@ -6121,8 +6133,7 @@ psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed, } #endif /* MBEDTLS_PSA_INJECT_ENTROPY */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ - defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) 
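Review bot: Removing `&& defined(MBEDTLS_GENPRIME)` from the guard on psa_read_rsa_exponent, and from the RSA branch of psa_generate_key_internal in the following hunks, makes RSA key generation depend only on `MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR`. config_psa.h defines `MBEDTLS_GENPRIME` for that key type in the MBEDTLS_PSA_CRYPTO_CONFIG branch. If the legacy branch can set the builtin key-pair macro from `MBEDTLS_RSA_C` alone, a configuration without prime generation would now compile the generation path and presumably fail at build or link time instead of returning not-supported. I would keep the combined guard on the generation code, `#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && defined(MBEDTLS_GENPRIME)`, or add a compile-time check that the two always go together. The bodies of both functions lie mostly outside these hunks.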
@@ -6148,8 +6159,7 @@ static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters, *exponent = acc; return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && - * defined(MBEDTLS_GENPRIME) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ static psa_status_t psa_generate_key_internal( psa_key_slot_t *slot, size_t bits, @@ -6187,8 +6197,7 @@ static psa_status_t psa_generate_key_internal( } else -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ - defined(MBEDTLS_GENPRIME) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { mbedtls_rsa_context rsa; @@ -6236,8 +6245,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && - * defined(MBEDTLS_GENPRIME) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 592d878a3..a7f4d948e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1369,7 +1369,7 @@ component_build_psa_accel_key_type_ecc_key_pair() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 - scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } 
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index e66b37800..0af414517 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -221,7 +221,6 @@ - @@ -246,6 +245,7 @@ +