From 277d79a765c1ac9ed59e7fc01caf3cd69dc95ce5 Mon Sep 17 00:00:00 2001
From: Valerio Setti <vsetti@baylibre.com>
Date: Fri, 9 Jan 2026 16:51:27 +0100
Subject: [PATCH 1/3] net: lib: websocket: remove usage of legacy Mbed TLS
 crypto

Remove optional use of legacy Mbed TLS crypto in favor of the already
existing PSA Crypto API alternative. This is required in order to jump
to the next version of Mbed TLS (i.e. 4.0) where all this legacy crypto
support is no more available.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
---
 subsys/net/lib/websocket/Kconfig              |  4 +--
 subsys/net/lib/websocket/websocket.c          | 25 -------------------
 subsys/net/lib/websocket/websocket_internal.h |  3 ++-
 3 files changed, 4 insertions(+), 28 deletions(-)

diff --git a/subsys/net/lib/websocket/Kconfig b/subsys/net/lib/websocket/Kconfig
index 457cbc0c42b5d..9502ce0f2dc4e 100644
--- a/subsys/net/lib/websocket/Kconfig
+++ b/subsys/net/lib/websocket/Kconfig
@@ -7,9 +7,9 @@ config WEBSOCKET_CLIENT
 	select HTTP_PARSER
 	select HTTP_PARSER_URL
 	select HTTP_CLIENT
-	select MBEDTLS
 	select BASE64
-	select MBEDTLS_SHA1 if MBEDTLS_BUILTIN
+	select PSA_CRYPTO
+	select PSA_WANT_ALG_SHA_256
 	select EXPERIMENTAL
 	help
 	  Enable Websocket client library.
diff --git a/subsys/net/lib/websocket/websocket.c b/subsys/net/lib/websocket/websocket.c
index fdcd9fe2c85af..ca5ed2f00dbd2 100644
--- a/subsys/net/lib/websocket/websocket.c
+++ b/subsys/net/lib/websocket/websocket.c
@@ -30,11 +30,7 @@ LOG_MODULE_REGISTER(net_websocket, CONFIG_NET_WEBSOCKET_LOG_LEVEL);
 #include <zephyr/sys/byteorder.h>
 #include <zephyr/sys/base64.h>
 
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 #include <psa/crypto.h>
-#else
-#include <mbedtls/sha1.h>
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 #include "net_private.h"
 #include "sockets_internal.h"
@@ -253,10 +249,8 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 		"Sec-WebSocket-Version: 13\r\n",
 		NULL
 	};
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status_t psa_status;
 	size_t hash_length;
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	fd = -1;
 
@@ -284,7 +278,6 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	ctx->http_cb = wreq->http_cb;
 	ctx->is_client = 1;
 
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)&rnd_value, sizeof(rnd_value),
 				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
 	if (psa_status != PSA_SUCCESS) {
@@ -292,15 +285,6 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 		ret = -EPROTO;
 		goto out;
 	}
-#else
-	ret = mbedtls_sha1((const unsigned char *)&rnd_value, sizeof(rnd_value), sec_accept_key);
-	if (ret != 0) {
-		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
-		ret = -EPROTO;
-		goto out;
-	}
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
-
 
 	ret = base64_encode(sec_ws_key + sizeof("Sec-Websocket-Key: ") - 1,
 			    sizeof(sec_ws_key) -
@@ -363,7 +347,6 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	memcpy(key_accept + key_len, WS_MAGIC, olen);
 
 	/* This SHA-1 value is then checked when we receive the response */
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)key_accept, olen + key_len,
 				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
 	if (psa_status != PSA_SUCCESS) {
@@ -371,14 +354,6 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 		ret = -EPROTO;
 		goto out;
 	}
-#else
-	ret = mbedtls_sha1(key_accept, olen + key_len, sec_accept_key);
-	if (ret != 0) {
-		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
-		ret = -EPROTO;
-		goto out;
-	}
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	ret = http_client_req(sock, &req, timeout, ctx);
 	if (ret < 0) {
diff --git a/subsys/net/lib/websocket/websocket_internal.h b/subsys/net/lib/websocket/websocket_internal.h
index 50f2fee37973f..09a48d5695924 100644
--- a/subsys/net/lib/websocket/websocket_internal.h
+++ b/subsys/net/lib/websocket/websocket_internal.h
@@ -11,8 +11,9 @@
  */
 
 #include <zephyr/toolchain/common.h>
+#include <psa/crypto.h>
 
-#define WS_SHA1_OUTPUT_LEN 20
+#define WS_SHA1_OUTPUT_LEN PSA_HASH_LENGTH(PSA_ALG_SHA_1)
 
 /* Min Websocket header length */
 #define MIN_HEADER_LEN 2

From e50ad2a2f6506f89278e16b59538aab5adb68fec Mon Sep 17 00:00:00 2001
From: Valerio Setti <vsetti@baylibre.com>
Date: Fri, 9 Jan 2026 17:21:30 +0100
Subject: [PATCH 2/3] net: lib: http: http_server: replace usage of legacy Mbed
 TLS crypto

Use PSA Crypto API for SHA-1 computation instead of legacy Mbed TLS crypto.
The latter is going to be removed soon.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
---
 subsys/net/lib/http/http_server_ws.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/subsys/net/lib/http/http_server_ws.c b/subsys/net/lib/http/http_server_ws.c
index 6d6c2f702a9ff..d87599d876fbb 100644
--- a/subsys/net/lib/http/http_server_ws.c
+++ b/subsys/net/lib/http/http_server_ws.c
@@ -17,6 +17,7 @@
 #include <zephyr/sys/base64.h>
 #include <mbedtls/sha1.h>
 #include <zephyr/net/websocket.h>
+#include <psa/crypto.h>
 
 LOG_MODULE_DECLARE(net_http_server, CONFIG_NET_HTTP_SERVER_LOG_LEVEL);
 
@@ -40,6 +41,7 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client)
 		"Sec-WebSocket-Accept: ";
 	char key_accept[HTTP_SERVER_WS_MAX_SEC_KEY_LEN + sizeof(WS_MAGIC)];
 	char accept[20];
+	size_t accept_len;
 	char tmp[64];
 	size_t key_len;
 	size_t olen;
@@ -52,7 +54,8 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client)
 	olen = MIN(sizeof(key_accept) - 1 - key_len, sizeof(WS_MAGIC) - 1);
 	memcpy(key_accept + key_len, WS_MAGIC, olen);
 
-	mbedtls_sha1(key_accept, olen + key_len, accept);
+	psa_hash_compute(PSA_ALG_SHA_1, key_accept, olen + key_len,
+			 accept, sizeof(accept), &accept_len);
 
 	ret = base64_encode(tmp, sizeof(tmp) - 1, &olen, accept, sizeof(accept));
 	if (ret) {

From af1e4e54cf3a7603dd9c5817a3dff132fd23ea7b Mon Sep 17 00:00:00 2001
From: Valerio Setti <vsetti@baylibre.com>
Date: Mon, 12 Jan 2026 10:14:48 +0100
Subject: [PATCH 3/3] net: lib: shell: make header file inclusion conditional

Include "websocket/websocket_internal.h" only when CONFIG_WEBSOCKET_CLIENT
is also enabled.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
---
 subsys/net/lib/shell/websocket.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/subsys/net/lib/shell/websocket.c b/subsys/net/lib/shell/websocket.c
index 61458c0a2296f..771ad199f39cd 100644
--- a/subsys/net/lib/shell/websocket.c
+++ b/subsys/net/lib/shell/websocket.c
@@ -14,11 +14,12 @@ LOG_MODULE_DECLARE(net_shell);
 
 #include "net_shell_private.h"
 
-#include "websocket/websocket_internal.h"
-
 #include <zephyr/sys/fdtable.h>
 
 #if defined(CONFIG_WEBSOCKET_CLIENT)
+
+#include "websocket/websocket_internal.h"
+
 static void websocket_context_cb(struct websocket_context *context,
 				 void *user_data)
 {