Add config option for AES encryption only
-Add config option for AES encyption only to config.h. Feature is
disabled by default.
-Enable AES encrypt only feature in baremetal.h configuration
-Remove AES encypt only feature from full config
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 8e735c6..9bf885a 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -40,6 +40,7 @@
#define MBEDTLS_AES_ROM_TABLES
#define MBEDTLS_AES_FEWER_TABLES
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+#define MBEDTLS_AES_ONLY_ENCRYPT
#define MBEDTLS_CCM_C
/* Asymmetric crypto: Single-curve ECC only. */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 309d76c..317ff3b 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -616,6 +616,22 @@
//#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
/**
+ * \def MBEDTLS_AES_ONLY_ENCRYPT
+ *
+ * Use only AES encryption, decryption is not possible.
+ *
+ * Uncommenting this macro removes support for AES decryption.
+ *
+ * Tradeoff: Uncommenting this macro reduces ROM footprint by ~2.5 kB.
+ *
+ * Module: library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ */
+//#define MBEDTLS_AES_ONLY_ENCRYPT
+
+/**
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
*
* Use less ROM for the Camellia implementation (saves about 768 bytes).
diff --git a/library/aes.c b/library/aes.c
index 2672cdf..733aef8 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -222,6 +222,7 @@
#undef FT
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
/*
* Reverse S-box
*/
@@ -260,6 +261,7 @@
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
};
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
/*
* Reverse tables
@@ -331,9 +333,11 @@
V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
#define V(a,b,c,d) 0x##a##b##c##d
static const uint32_t RT0[256] = { RT };
#undef V
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
#if !defined(MBEDTLS_AES_FEWER_TABLES)
@@ -675,6 +679,13 @@
int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits )
{
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+ (void) ctx;
+ (void) key;
+ (void) keybits;
+
+ return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+#else /* */
int i, j, ret;
mbedtls_aes_context cty;
uint32_t *RK;
@@ -737,6 +748,7 @@
mbedtls_aes_free( &cty );
return( ret );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
}
#if defined(MBEDTLS_CIPHER_MODE_XTS)
@@ -937,7 +949,9 @@
/*
* AES-ECB block decryption
*/
+
#if !defined(MBEDTLS_AES_DECRYPT_ALT)
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] )
@@ -991,6 +1005,7 @@
return( 0 );
}
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
@@ -998,7 +1013,13 @@
const unsigned char input[16],
unsigned char output[16] )
{
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+ (void) ctx;
+ (void) input;
+ (void) output;
+#else /* MBEDTLS_AES_ONLY_ENCRYPT */
mbedtls_internal_aes_decrypt( ctx, input, output );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
@@ -1015,6 +1036,7 @@
AES_VALIDATE_RET( output != NULL );
AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
mode == MBEDTLS_AES_DECRYPT );
+ (void) mode;
#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
@@ -1032,11 +1054,15 @@
//
}
#endif
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+ return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
+#else /* MBEDTLS_AES_ONLY_ENCRYPT */
if( mode == MBEDTLS_AES_ENCRYPT )
return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
else
return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
}
#if defined(MBEDTLS_CIPHER_MODE_CBC)
diff --git a/library/version_features.c b/library/version_features.c
index a708673..7a97d38 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -267,6 +267,9 @@
#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
"MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH",
#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+ "MBEDTLS_AES_ONLY_ENCRYPT",
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
"MBEDTLS_CAMELLIA_SMALL_MEMORY",
#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 71e6600..fd2bc90 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -754,6 +754,14 @@
}
#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+ if( strcmp( "MBEDTLS_AES_ONLY_ENCRYPT", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_AES_ONLY_ENCRYPT );
+ return( 0 );
+ }
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
+
#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
if( strcmp( "MBEDTLS_CAMELLIA_SMALL_MEMORY", config ) == 0 )
{
diff --git a/scripts/config.pl b/scripts/config.pl
index cf766a8..619c5ca 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -52,6 +52,7 @@
# MBEDTLS_NO_UDBL_DIVISION
# MBEDTLS_NO_64BIT_MULTIPLICATION
# MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+# MBEDTLS_AES_ONLY_ENCRYPT
# and any symbol beginning _ALT
#
@@ -128,6 +129,7 @@
MBEDTLS_NO_64BIT_MULTIPLICATION
MBEDTLS_USE_TINYCRYPT
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+MBEDTLS_AES_ONLY_ENCRYPT
_ALT\s*$
);