TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e367e47be00bc36e6e8122758fa2ffe2ac0d5f76^! / . / include / mbedtls
commite367e47be00bc36e6e8122758fa2ffe2ac0d5f76[log] [tgz]
authorYanray Wang <yanray.wang@arm.com>Tue Oct 31 17:23:04 2023 +0800
committerYanray Wang <yanray.wang@arm.com>Thu Nov 02 12:36:41 2023 +0800
tree253aa81c8aff2b8ef8b739ae7068c48c5d4f6213
parentb67b47425ed1163a3c44bd6ca526b83b44901367 [diff]
mbedtls_config: add new config option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT

With the introduction of negative option
MBEDTLS_BLOCK_CIPHER_NO_DECRYPT, we don't need to implicitly enable
it through PSA.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>

diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h
index 6777721..495cd5a 100644
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h

@@ -34,30 +34,6 @@
 #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
 #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
 
-/*
- * ECB, CBC, XTS, KW modes require both ENCRYPT and DECRYPT directions.
- * MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is only enabled when those modes
- * are not requested via the PSA API and are not enabled in the legacy API.
- *
- * DES only supports ECB and CBC modes in Mbed TLS. As it's a deprecated and
- * insecure block cipher, MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is enabled when DES
- * is not requested via the PSA API and is not enabled in the legacy API.
- *
- * Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
- */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
-    !defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
-    !defined(PSA_WANT_ALG_CBC_PKCS7) && \
-    !defined(PSA_WANT_KEY_TYPE_DES) && \
-    !defined(MBEDTLS_CIPHER_MODE_CBC) && \
-    !defined(MBEDTLS_CIPHER_MODE_XTS) && \
-    !defined(MBEDTLS_DES_C) && \
-    !defined(MBEDTLS_NIST_KW_C)
-#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 1
-#endif
-#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
-
 /* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
  * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
  */

diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index af07613..3caea9c 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h

@@ -2384,6 +2384,25 @@
 #define MBEDTLS_BASE64_C
 
 /**
+ * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ *
+ * Remove decryption operation for AES, ARIA and Camellia block cipher.
+ *
+ * \note  This feature is incompatible with insecure block cipher,
+ *        MBEDTLS_DES_C, and cipher modes which always require decryption
+ *        operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
+ *        MBEDTLS_NIST_KW_C.
+ *
+ * Module:  library/aes.c
+ *          library/aesce.c
+ *          library/aesni.c
+ *          library/aria.c
+ *          library/camellia.c
+ *          library/cipher.c
+ */
+//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
+/**
  * \def MBEDTLS_BIGNUM_C
  *
  * Enable the multi-precision integer library.