change(mbedtls): rename builtin to mbed-builtin

components/mbedtls/CMakeLists.txt

@@ -186,6 +186,9 @@ endif()
 # Core libraries from the mbedTLS project
 set(mbedtls_targets mbedtls mbedx509 tfpsacrypto builtin)
 
+add_library(mbed-builtin ALIAS builtin)
+set_target_properties(builtin PROPERTIES OUTPUT_NAME "mbed-builtin")
+
 target_include_directories(tfpsacrypto PUBLIC "port/include")
 
 message(STATUS "Setting up mbedtls configuration")

components/mbedtls/test_apps/main/test_ecp.c

@@ -3,7 +3,7 @@
  * Focus on testing functionality where we use ESP32 hardware
  * accelerated crypto features.
  *
- * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -308,9 +308,7 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
     TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X))));
     TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y))));
 
-    if (id == MBEDTLS_ECP_DP_SECP192R1) {
-        TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P192_POINT_MULTIPLY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
-    } else if (id == MBEDTLS_ECP_DP_SECP256R1) {
+    if (id == MBEDTLS_ECP_DP_SECP256R1) {
         TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P256_POINT_MULTIPLY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
 #if SOC_ECC_SUPPORT_CURVE_P384
     } else if (id == MBEDTLS_ECP_DP_SECP384R1) {
@@ -326,15 +324,6 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
     mbedtls_ecp_group_free(&grp);
 }
 
-TEST_CASE("mbedtls ECP point multiply with SECP192R1", "[mbedtls]")
-{
-    test_ecp_mul(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_point_x, ecc_p192_point_y, ecc_p192_scalar,
-                 ecc_p192_mul_res_x, ecc_p192_mul_res_y);
-
-    test_ecp_mul(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_point_x, ecc_p192_point_y, NULL,
-                 ecc_p192_small_mul_res_x, ecc_p192_small_mul_res_y);
-}
-
 TEST_CASE("mbedtls ECP point multiply with SECP256R1", "[mbedtls]")
 {
     test_ecp_mul(MBEDTLS_ECP_DP_SECP256R1, ecc_p256_point_x, ecc_p256_point_y, ecc_p256_scalar,
@@ -383,9 +372,7 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
 
     TEST_ASSERT_EQUAL(0, ret);
 
-    if (id == MBEDTLS_ECP_DP_SECP192R1) {
-        TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P192_POINT_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
-    } else if (id == MBEDTLS_ECP_DP_SECP256R1) {
+    if (id == MBEDTLS_ECP_DP_SECP256R1) {
         TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P256_POINT_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
 #if SOC_ECC_SUPPORT_CURVE_P384
     } else if (id == MBEDTLS_ECP_DP_SECP384R1) {
@@ -399,11 +386,6 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
     mbedtls_ecp_group_free(&grp);
 }
 
-TEST_CASE("mbedtls ECP point verify with SECP192R1", "[mbedtls]")
-{
-    test_ecp_verify(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_mul_res_x, ecc_p192_mul_res_y);
-}
-
 TEST_CASE("mbedtls ECP point verify with SECP256R1", "[mbedtls]")
 {
     test_ecp_verify(MBEDTLS_ECP_DP_SECP256R1, ecc_p256_mul_res_x, ecc_p256_mul_res_y);

components/mbedtls/test_apps/main/test_psa_ecdsa.c

@@ -195,10 +195,6 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
     psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
 
     switch (curve) {
-        case ESP_ECDSA_CURVE_SECP192R1:
-            plen = 192;
-            hash_len = HASH_LEN;
-            break;
         case ESP_ECDSA_CURVE_SECP256R1:
             plen = 256;
             hash_len = HASH_LEN;
@@ -237,9 +233,7 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
     elapsed_time = ccomp_timer_stop();
 
-    if (curve == ESP_ECDSA_CURVE_SECP192R1) {
-        TEST_PERFORMANCE_CCOMP_LESS_THAN(ECDSA_P192_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
-    } else if (curve == ESP_ECDSA_CURVE_SECP256R1) {
+    if (curve == ESP_ECDSA_CURVE_SECP256R1) {
         TEST_PERFORMANCE_CCOMP_LESS_THAN(ECDSA_P256_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
     }
 #if SOC_ECDSA_SUPPORT_CURVE_P384
@@ -251,16 +245,6 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
     psa_reset_key_attributes(&key_attr);
 }
 
-TEST_CASE("mbedtls ECDSA signature verification performance on SECP192R1", "[mbedtls]")
-{
-#if SOC_ECDSA_SUPPORTED
-    if (!ecdsa_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("ECDSA is not supported");
-    }
-#endif
-    test_ecdsa_verify(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_r, ecdsa192_s, ecdsa192_pub_x, ecdsa192_pub_y);
-}
-
 TEST_CASE("mbedtls ECDSA signature verification performance on SECP256R1", "[mbedtls]")
 {
 #if SOC_ECDSA_SUPPORTED
@@ -291,11 +275,9 @@ TEST_CASE("mbedtls ECDSA signature verification performance on SECP384R1", "[mbe
 /*
  * This test assumes that ECDSA private key has been burnt in efuse.
  *
- * ecdsa_key_p192.pem must be burnt in efuse block 4
  * ecdsa_key_p256.pem must be burnt in efuse block 5
  * ecdsa_key_p384.pem must be burnt in efuse block 6 and 7
  */
-#define SECP192R1_EFUSE_BLOCK             4         // EFUSE_BLK_KEY0
 #define SECP256R1_EFUSE_BLOCK             5         // EFUSE_BLK_KEY1
 #define SECP384R1_EFUSE_BLOCK_HIGH        6         // EFUSE_BLK_KEY2
 #define SECP384R1_EFUSE_BLOCK_LOW         7         // EFUSE_BLK_KEY3
@@ -327,11 +309,6 @@ void test_ecdsa_sign(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8_t
     psa_algorithm_t sha_alg = 0;
 
     switch (curve) {
-        case ESP_ECDSA_CURVE_SECP192R1:
-            hash_len = HASH_LEN;
-            plen = 192;
-            sha_alg = PSA_ALG_SHA_256;
-            break;
         case ESP_ECDSA_CURVE_SECP256R1:
             hash_len = HASH_LEN;
             plen = 256;
@@ -390,14 +367,6 @@ void test_ecdsa_sign(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8_t
     psa_reset_key_attributes(&priv_attr);
 }
 
-TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][efuse_key]")
-{
-    if (!ecdsa_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("ECDSA is not supported");
-    }
-    test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, false, SECP192R1_EFUSE_BLOCK);
-}
-
 TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][efuse_key]")
 {
     if (!ecdsa_ll_is_supported()) {
@@ -442,17 +411,6 @@ static void deploy_key_in_key_manager(const uint8_t *k1_encrypted, esp_key_mgr_k
     free(key_config);
 }
 
-TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][key_manager_key]")
-{
-    if (!key_mgr_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("Key manager is not supported");
-    }
-
-    deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
-    test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
-    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
-}
-
 TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_manager_key]")
 {
     if (!key_mgr_ll_is_supported()) {
@@ -466,14 +424,6 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_mana
 #endif /* SOC_KEY_MANAGER_SUPPORTED */
 
 #ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
-TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][efuse_key]")
-{
-    if (!ecdsa_ll_is_deterministic_mode_supported()) {
-        ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
-    } else {
-        test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, true, SECP192R1_EFUSE_BLOCK);
-    }
-}
 
 TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbedtls][efuse_key]")
 {
@@ -493,20 +443,6 @@ TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP384R1", "[mbe
 #endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */
 
 #if SOC_KEY_MANAGER_SUPPORTED
-TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][key_manager_key]")
-{
-    if (!key_mgr_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("Key manager is not supported");
-    }
-
-    if (!ecdsa_ll_is_deterministic_mode_supported()) {
-        ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
-    } else {
-        deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
-        test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER);
-        esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
-    }
-}
 
 TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbedtls][key_manager_key]")
 {
@@ -538,10 +474,6 @@ void test_ecdsa_export_pubkey(esp_ecdsa_curve_t curve, const uint8_t *pub_x, con
     psa_algorithm_t sha_alg = 0;
 
     switch (curve) {
-        case ESP_ECDSA_CURVE_SECP192R1:
-            plen = 192;
-            sha_alg = PSA_ALG_SHA_256;
-            break;
         case ESP_ECDSA_CURVE_SECP256R1:
             plen = 256;
             sha_alg = PSA_ALG_SHA_256;
@@ -588,14 +520,6 @@ void test_ecdsa_export_pubkey(esp_ecdsa_curve_t curve, const uint8_t *pub_x, con
     psa_reset_key_attributes(&key_attr);
 }
 
-TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][efuse_key]")
-{
-    if (!ecdsa_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("ECDSA is not supported");
-    }
-    test_ecdsa_export_pubkey(ESP_ECDSA_CURVE_SECP192R1, ecdsa192_pub_x, ecdsa192_pub_y, SECP192R1_EFUSE_BLOCK);
-}
-
 TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][efuse_key]")
 {
     if (!ecdsa_ll_is_supported()) {
@@ -613,16 +537,6 @@ TEST_CASE("mbedtls ECDSA export public key on SECP384R1", "[mbedtls][efuse_key]"
 #endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */
 
 #if SOC_KEY_MANAGER_SUPPORTED
-TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][key_manager_key]")
-{
-    if (!key_mgr_ll_is_supported()) {
-        TEST_IGNORE_MESSAGE("Key manager is not supported");
-    }
-
-    deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
-    test_ecdsa_export_pubkey(ESP_ECDSA_CURVE_SECP192R1, ecdsa192_pub_x, ecdsa192_pub_y, USE_ECDSA_KEY_FROM_KEY_MANAGER);
-    esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
-}
 
 TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][key_manager_key]")
 {
@@ -644,11 +558,6 @@ void test_ecdsa_sign_verify_import_export_error_codes(esp_ecdsa_curve_t curve, c
     psa_algorithm_t sha_alg = 0;
 
     switch (curve) {
-        case ESP_ECDSA_CURVE_SECP192R1:
-            hash_len = HASH_LEN;
-            plen = 192;
-            sha_alg = PSA_ALG_SHA_256;
-            break;
         case ESP_ECDSA_CURVE_SECP256R1:
             hash_len = HASH_LEN;
             plen = 256;

components/mbedtls/test_apps/main/test_psa_gcm.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -13,8 +13,7 @@
 #include "unity.h"
 #include "sdkconfig.h"
 
-#if CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER
-
+#ifdef CONFIG_MBEDTLS_ARIA_C
 static const uint8_t key_256[] = {
     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
@@ -22,10 +21,8 @@ static const uint8_t key_256[] = {
     0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
 };
 
-TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm]")
+TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm][aria]")
 {
-    // TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_crypto_init());
-
     const size_t SZ = 100;
     const size_t iv_SZ = 12;  // GCM typically uses 12 bytes IV
     const size_t tag_SZ = 16; // GCM tag size
@@ -134,7 +131,7 @@ TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm]")
     psa_destroy_key(key_id);
 }
 
-TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm]")
+TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm][aria]")
 {
     // TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_crypto_init());
 
@@ -209,4 +206,4 @@ TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm]")
     /* Destroy the key */
     psa_destroy_key(key_id);
 }
-#endif /* CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER */
+#endif /* CONFIG_MBEDTLS_ARIA_C */

components/mbedtls/test_apps/pytest_mbedtls_ut.py

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
+# SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD
 # SPDX-License-Identifier: CC0-1.0
 import pytest
 from pytest_embedded import Dut
@@ -116,3 +116,16 @@ def test_mbedtls_ecdsa_sign(dut: Dut) -> None:
 @idf_parametrize('target', ['esp32s3'], indirect=['target'])
 def test_mbedtls_ds_rsa(dut: Dut) -> None:
     dut.run_all_single_board_cases(group='ds_rsa')
+
+
+@pytest.mark.generic
+@pytest.mark.parametrize(
+    'config',
+    [
+        'aria',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32s3'], indirect=['target'])
+def test_mbedtls_aria(dut: Dut) -> None:
+    dut.run_all_single_board_cases(group='aria')

components/mbedtls/test_apps/sdkconfig.ci.aria

@@ -0,0 +1 @@
+CONFIG_MBEDTLS_ARIA_C=y