Add config option for AES encryption only

-Add config option for AES encyption only to config.h. Feature is
 disabled by default.
-Enable AES encrypt only feature in baremetal.h configuration
-Remove AES encypt only feature from full config
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 8e735c6..9bf885a 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -40,6 +40,7 @@
 #define MBEDTLS_AES_ROM_TABLES
 #define MBEDTLS_AES_FEWER_TABLES
 #define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+#define MBEDTLS_AES_ONLY_ENCRYPT
 #define MBEDTLS_CCM_C
 
 /* Asymmetric crypto: Single-curve ECC only. */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 309d76c..317ff3b 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -616,6 +616,22 @@
 //#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
 
 /**
+ * \def MBEDTLS_AES_ONLY_ENCRYPT
+ *
+ * Use only AES encryption, decryption is not possible.
+ *
+ * Uncommenting this macro removes support for AES decryption.
+ *
+ * Tradeoff: Uncommenting this macro reduces ROM footprint by ~2.5 kB.
+ *
+ * Module:  library/aes.c
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ */
+//#define MBEDTLS_AES_ONLY_ENCRYPT
+
+/**
  * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
  *
  * Use less ROM for the Camellia implementation (saves about 768 bytes).
diff --git a/library/aes.c b/library/aes.c
index 2672cdf..733aef8 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -222,6 +222,7 @@
 
 #undef FT
 
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
 /*
  * Reverse S-box
  */
@@ -260,6 +261,7 @@
     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
     0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
 };
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
 
 /*
  * Reverse tables
@@ -331,9 +333,11 @@
     V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
     V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
 
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
 #define V(a,b,c,d) 0x##a##b##c##d
 static const uint32_t RT0[256] = { RT };
 #undef V
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
 
 #if !defined(MBEDTLS_AES_FEWER_TABLES)
 
@@ -675,6 +679,13 @@
 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
                     unsigned int keybits )
 {
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+    (void) ctx;
+    (void) key;
+    (void) keybits;
+
+    return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+#else /* */
     int i, j, ret;
     mbedtls_aes_context cty;
     uint32_t *RK;
@@ -737,6 +748,7 @@
     mbedtls_aes_free( &cty );
 
     return( ret );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
 }
 
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
@@ -937,7 +949,9 @@
 /*
  * AES-ECB block decryption
  */
+
 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
+#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
                                   const unsigned char input[16],
                                   unsigned char output[16] )
@@ -991,6 +1005,7 @@
 
     return( 0 );
 }
+#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
 
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
@@ -998,7 +1013,13 @@
                           const unsigned char input[16],
                           unsigned char output[16] )
 {
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+    (void) ctx;
+    (void) input;
+    (void) output;
+#else /* MBEDTLS_AES_ONLY_ENCRYPT */
     mbedtls_internal_aes_decrypt( ctx, input, output );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
 }
 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
@@ -1015,6 +1036,7 @@
     AES_VALIDATE_RET( output != NULL );
     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
                       mode == MBEDTLS_AES_DECRYPT );
+    (void) mode;
 
 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
@@ -1032,11 +1054,15 @@
         //
     }
 #endif
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+    return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
+#else /* MBEDTLS_AES_ONLY_ENCRYPT */
 
     if( mode == MBEDTLS_AES_ENCRYPT )
         return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
     else
         return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
 }
 
 #if defined(MBEDTLS_CIPHER_MODE_CBC)
diff --git a/library/version_features.c b/library/version_features.c
index a708673..7a97d38 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -267,6 +267,9 @@
 #if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
     "MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH",
 #endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+    "MBEDTLS_AES_ONLY_ENCRYPT",
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
     "MBEDTLS_CAMELLIA_SMALL_MEMORY",
 #endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 71e6600..fd2bc90 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -754,6 +754,14 @@
     }
 #endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
 
+#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
+    if( strcmp( "MBEDTLS_AES_ONLY_ENCRYPT", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_AES_ONLY_ENCRYPT );
+        return( 0 );
+    }
+#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
+
 #if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
     if( strcmp( "MBEDTLS_CAMELLIA_SMALL_MEMORY", config ) == 0 )
     {
diff --git a/scripts/config.pl b/scripts/config.pl
index cf766a8..619c5ca 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -52,6 +52,7 @@
 #   MBEDTLS_NO_UDBL_DIVISION
 #   MBEDTLS_NO_64BIT_MULTIPLICATION
 #   MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+#   MBEDTLS_AES_ONLY_ENCRYPT
 #   and any symbol beginning _ALT
 #
 
@@ -128,6 +129,7 @@
 MBEDTLS_NO_64BIT_MULTIPLICATION
 MBEDTLS_USE_TINYCRYPT
 MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
+MBEDTLS_AES_ONLY_ENCRYPT
 _ALT\s*$
 );