zephyrproject-rtos · henrikbrixandersen · Jan 13, 2026 · Jan 9, 2026 · Jan 9, 2026 · Jan 12, 2026
diff --git a/subsys/net/lib/http/http_server_ws.c b/subsys/net/lib/http/http_server_ws.c
@@ -17,6 +17,7 @@
 #include <zephyr/sys/base64.h>
 #include <mbedtls/sha1.h>
 #include <zephyr/net/websocket.h>
+#include <psa/crypto.h>
 
 LOG_MODULE_DECLARE(net_http_server, CONFIG_NET_HTTP_SERVER_LOG_LEVEL);
 
@@ -40,6 +41,7 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client)
 		"Sec-WebSocket-Accept: ";
 	char key_accept[HTTP_SERVER_WS_MAX_SEC_KEY_LEN + sizeof(WS_MAGIC)];
 	char accept[20];
+	size_t accept_len;
 	char tmp[64];
 	size_t key_len;
 	size_t olen;
@@ -52,7 +54,8 @@ int handle_http1_to_websocket_upgrade(struct http_client_ctx *client)
 	olen = MIN(sizeof(key_accept) - 1 - key_len, sizeof(WS_MAGIC) - 1);
 	memcpy(key_accept + key_len, WS_MAGIC, olen);
 
-	mbedtls_sha1(key_accept, olen + key_len, accept);
+	psa_hash_compute(PSA_ALG_SHA_1, key_accept, olen + key_len,
+			 accept, sizeof(accept), &accept_len);
 
 	ret = base64_encode(tmp, sizeof(tmp) - 1, &olen, accept, sizeof(accept));
 	if (ret) {

diff --git a/subsys/net/lib/shell/websocket.c b/subsys/net/lib/shell/websocket.c
@@ -14,11 +14,12 @@ LOG_MODULE_DECLARE(net_shell);
 
 #include "net_shell_private.h"
 
-#include "websocket/websocket_internal.h"
-
 #include <zephyr/sys/fdtable.h>
 
 #if defined(CONFIG_WEBSOCKET_CLIENT)
+
+#include "websocket/websocket_internal.h"
+
 static void websocket_context_cb(struct websocket_context *context,
 				 void *user_data)
 {

diff --git a/subsys/net/lib/websocket/Kconfig b/subsys/net/lib/websocket/Kconfig
@@ -7,9 +7,9 @@ config WEBSOCKET_CLIENT
 	select HTTP_PARSER
 	select HTTP_PARSER_URL
 	select HTTP_CLIENT
-	select MBEDTLS
 	select BASE64
-	select MBEDTLS_SHA1 if MBEDTLS_BUILTIN
+	select PSA_CRYPTO
+	select PSA_WANT_ALG_SHA_256
 	select EXPERIMENTAL
 	help
 	  Enable Websocket client library.

diff --git a/subsys/net/lib/websocket/websocket.c b/subsys/net/lib/websocket/websocket.c
@@ -30,11 +30,7 @@ LOG_MODULE_REGISTER(net_websocket, CONFIG_NET_WEBSOCKET_LOG_LEVEL);
 #include <zephyr/sys/byteorder.h>
 #include <zephyr/sys/base64.h>
 
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 #include <psa/crypto.h>
-#else
-#include <mbedtls/sha1.h>
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 #include "net_private.h"
 #include "sockets_internal.h"
@@ -253,10 +249,8 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 		"Sec-WebSocket-Version: 13\r\n",
 		NULL
 	};
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status_t psa_status;
 	size_t hash_length;
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	fd = -1;
 
@@ -284,23 +278,13 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	ctx->http_cb = wreq->http_cb;
 	ctx->is_client = 1;
 
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)&rnd_value, sizeof(rnd_value),
 				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
 	if (psa_status != PSA_SUCCESS) {
 		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, psa_status);
 		ret = -EPROTO;
 		goto out;
 	}
-#else
-	ret = mbedtls_sha1((const unsigned char *)&rnd_value, sizeof(rnd_value), sec_accept_key);
-	if (ret != 0) {
-		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
-		ret = -EPROTO;
-		goto out;
-	}
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
-
 
 	ret = base64_encode(sec_ws_key + sizeof("Sec-Websocket-Key: ") - 1,
 			    sizeof(sec_ws_key) -
@@ -363,22 +347,13 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	memcpy(key_accept + key_len, WS_MAGIC, olen);
 
 	/* This SHA-1 value is then checked when we receive the response */
-#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
 	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)key_accept, olen + key_len,
 				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
 	if (psa_status != PSA_SUCCESS) {
 		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, psa_status);
 		ret = -EPROTO;
 		goto out;
 	}
-#else
-	ret = mbedtls_sha1(key_accept, olen + key_len, sec_accept_key);
-	if (ret != 0) {
-		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
-		ret = -EPROTO;
-		goto out;
-	}
-#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	ret = http_client_req(sock, &req, timeout, ctx);
 	if (ret < 0) {

diff --git a/subsys/net/lib/websocket/websocket_internal.h b/subsys/net/lib/websocket/websocket_internal.h
@@ -11,8 +11,9 @@
  */
 
 #include <zephyr/toolchain/common.h>
+#include <psa/crypto.h>
 
-#define WS_SHA1_OUTPUT_LEN 20
+#define WS_SHA1_OUTPUT_LEN PSA_HASH_LENGTH(PSA_ALG_SHA_1)
 
 /* Min Websocket header length */
 #define MIN_HEADER_LEN 2