From 3caaf0c61eac1707e15eb027828bad687813c7c2 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 7 Sep 2023 17:50:14 +0800 Subject: [PATCH] Enable CIPHER_ENCRYPT_ONLY when DES is disabled Signed-off-by: Yanray Wang --- ChangeLog.d/add-cipher-encrypt-only.txt | 1 + include/mbedtls/config_adjust_legacy_crypto.h | 6 ++++++ tests/scripts/all.sh | 6 ++++++ 3 files changed, 13 insertions(+) diff --git a/ChangeLog.d/add-cipher-encrypt-only.txt b/ChangeLog.d/add-cipher-encrypt-only.txt index 1a0181d6d4..434c294d24 100644 --- a/ChangeLog.d/add-cipher-encrypt-only.txt +++ b/ChangeLog.d/add-cipher-encrypt-only.txt @@ -4,3 +4,4 @@ Features MBEDTLS_CIPHER_ENCRYPT_ONLY when - ECB and CBC cipher modes are not requested via the PSA API. - ECB, CBC, XTS and KW are not enabled in the legacy API. + - DES is not requested in the PSA API and the legacy API. diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 4480b8caee..c2fbb2432c 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -39,14 +39,20 @@ * MBEDTLS_CIPHER_ENCRYPT_ONLY is only enabled when those modes * are not requested via the PSA API and are not enabled in the legacy API. * + * DES only supports ECB and CBC modes in Mbed TLS. As it's a deprecated and + * insecure block cipher, MBEDTLS_CIPHER_ENCRYPT_ONLY is enabled when DES + * is not requested via the PSA API and is not enabled in the legacy API. + * * Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. */ #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \ !defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ !defined(PSA_WANT_ALG_CBC_PKCS7) && \ + !defined(PSA_WANT_KEY_TYPE_DES) && \ !defined(MBEDTLS_CIPHER_MODE_CBC) && \ !defined(MBEDTLS_CIPHER_MODE_XTS) && \ + !defined(MBEDTLS_DES_C) && \ !defined(MBEDTLS_NIST_KW_C) #define MBEDTLS_CIPHER_ENCRYPT_ONLY 1 #endif diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index aee68c571e..8223a889de 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4207,11 +4207,13 @@ component_test_cipher_encrypt_only_aesni () { scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_NIST_KW_C echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h + echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h # test AESNI intrinsics scripts/config.py set MBEDTLS_AESNI_C @@ -4260,11 +4262,13 @@ component_test_cipher_encrypt_only_aesni_m32 () { scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_NIST_KW_C echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h + echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h # test AESNI intrinsics for i386 with VIA PADLOCK scripts/config.py set MBEDTLS_AESNI_C @@ -4321,11 +4325,13 @@ component_test_cipher_encrypt_only_aesce_armcc () { scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_NIST_KW_C echo '#undef PSA_WANT_ALG_CBC_NO_PADDING' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_CBC_PKCS7' >> psa_cipher_encrypt_only.h echo '#undef PSA_WANT_ALG_ECB_NO_PADDING' >> psa_cipher_encrypt_only.h + echo '#undef PSA_WANT_KEY_TYPE_DES' >> psa_cipher_encrypt_only.h # test AESCE baremetal build scripts/config.py set MBEDTLS_AESCE_C