mbedtls_config: add new config option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT

With the introduction of negative option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT, we don't need to implicitly enable it through PSA. Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2025-04-15 23:42:41 +00:00 · 2023-10-31 17:23:04 +08:00 · 2023-10-31 17:23:04 +08:00 · e367e47be0
commit e367e47be0
parent b67b47425e
2 changed files with 19 additions and 24 deletions
--- a/include/mbedtls/config_adjust_legacy_crypto.h
+++ b/include/mbedtls/config_adjust_legacy_crypto.h
@ -34,30 +34,6 @@
 #ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
 #define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H

-/*
- * ECB, CBC, XTS, KW modes require both ENCRYPT and DECRYPT directions.
- * MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is only enabled when those modes
- * are not requested via the PSA API and are not enabled in the legacy API.
- *
- * DES only supports ECB and CBC modes in Mbed TLS. As it's a deprecated and
- * insecure block cipher, MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is enabled when DES
- * is not requested via the PSA API and is not enabled in the legacy API.
- *
- * Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
- */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
-#if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
-    !defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
-    !defined(PSA_WANT_ALG_CBC_PKCS7) && \
-    !defined(PSA_WANT_KEY_TYPE_DES) && \
-    !defined(MBEDTLS_CIPHER_MODE_CBC) && \
-    !defined(MBEDTLS_CIPHER_MODE_XTS) && \
-    !defined(MBEDTLS_DES_C) && \
-    !defined(MBEDTLS_NIST_KW_C)
-#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 1
-#endif
-#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
-
 /* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
 * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
 */
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@ -2383,6 +2383,25 @@
 */
 #define MBEDTLS_BASE64_C

+/**
+ * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+ *
+ * Remove decryption operation for AES, ARIA and Camellia block cipher.
+ *
+ * \note  This feature is incompatible with insecure block cipher,
+ *        MBEDTLS_DES_C, and cipher modes which always require decryption
+ *        operation, MBEDTLS_CIPHER_MODE_CBC, MBEDTLS_CIPHER_MODE_XTS and
+ *        MBEDTLS_NIST_KW_C.
+ *
+ * Module:  library/aes.c
+ *          library/aesce.c
+ *          library/aesni.c
+ *          library/aria.c
+ *          library/camellia.c
+ *          library/cipher.c
+ */
+//#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
+
 /**
 * \def MBEDTLS_BIGNUM_C
 *