Enable CIPHER_ENCRYPT_ONLY when DES is disabled
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
diff --git a/ChangeLog.d/add-cipher-encrypt-only.txt b/ChangeLog.d/add-cipher-encrypt-only.txt
index 1a0181d..434c294 100644
--- a/ChangeLog.d/add-cipher-encrypt-only.txt
+++ b/ChangeLog.d/add-cipher-encrypt-only.txt
@@ -4,3 +4,4 @@
MBEDTLS_CIPHER_ENCRYPT_ONLY when
- ECB and CBC cipher modes are not requested via the PSA API.
- ECB, CBC, XTS and KW are not enabled in the legacy API.
+ - DES is not requested in the PSA API and the legacy API.
diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 4480b8c..c2fbb24 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@@ -39,14 +39,20 @@
* MBEDTLS_CIPHER_ENCRYPT_ONLY is only enabled when those modes
* are not requested via the PSA API and are not enabled in the legacy API.
*
+ * DES only supports ECB and CBC modes in Mbed TLS. As it's a deprecated and
+ * insecure block cipher, MBEDTLS_CIPHER_ENCRYPT_ONLY is enabled when DES
+ * is not requested via the PSA API and is not enabled in the legacy API.
+ *
* Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
*/
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
#if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
!defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
!defined(PSA_WANT_ALG_CBC_PKCS7) && \
+ !defined(PSA_WANT_KEY_TYPE_DES) && \
!defined(MBEDTLS_CIPHER_MODE_CBC) && \
!defined(MBEDTLS_CIPHER_MODE_XTS) && \
+ !defined(MBEDTLS_DES_C) && \
!defined(MBEDTLS_NIST_KW_C)
#define MBEDTLS_CIPHER_ENCRYPT_ONLY 1
#endif
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index aee68c5..8223a88 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -4207,11 +4207,13 @@
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
+ scripts/config.py unset MBEDTLS_DES_C
scripts/config.py unset MBEDTLS_NIST_KW_C
echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h
+ echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h
# test AESNI intrinsics
scripts/config.py set MBEDTLS_AESNI_C
@@ -4260,11 +4262,13 @@
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
+ scripts/config.py unset MBEDTLS_DES_C
scripts/config.py unset MBEDTLS_NIST_KW_C
echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h
+ echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h
# test AESNI intrinsics for i386 with VIA PADLOCK
scripts/config.py set MBEDTLS_AESNI_C
@@ -4321,11 +4325,13 @@
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
+ scripts/config.py unset MBEDTLS_DES_C
scripts/config.py unset MBEDTLS_NIST_KW_C
echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h
echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h
+ echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h
# test AESCE baremetal build
scripts/config.py set MBEDTLS_AESCE_C