check_config.h: add checks for CIPHER_ENCRYPT_ONLY

MBEDTLS_CIPHER_ENCRYPT_ONLY is an internal configuration which is
automatically enabled via the PSA. Typically,
once MBEDTLS_CIPHER_ENCRYPT_ONLY is enabled,
MBEDTLS_PSA_CRYPTO_CONFIG must be enabled. This check is only used
to prevent user explicitly enabling MBEDTLS_CIPHER_ENCRYPT_ONLY.

In addition, MBEDTLS_CIPHER_ENCRYPT_ONLY must not be enabled if any of
CIPHER_MODE_CBC, CIPHER_MODE_XTS or NIST_KW_C is enabled, since all
three of them always need AES-decrypt.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index ca267bd..c64e9c3 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -84,6 +84,14 @@
 #error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_CIPHER_ENCRYPT_ONLY) && \
+    (!defined(MBEDTLS_PSA_CRYPTO_CONFIG) || \
+    (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+     defined(MBEDTLS_CIPHER_MODE_XTS) || \
+     defined(MBEDTLS_NIST_KW_C)))
+#error "MBEDTLS_CIPHER_ENCRYPT_ONLY defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECDH_C defined, but not all prerequisites"
 #endif
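Review bot: The added `#error` reports two unrelated failures with one message: a missing MBEDTLS_PSA_CRYPTO_CONFIG, and a clash with CBC, XTS or NIST_KW, which is a conflict rather than a missing prerequisite. Splitting the check into two directives with distinct messages would tell the person building the library whether the macro was set by hand or whether a decrypt-dependent mode is enabled alongside it. The condition also still passes when the macro is defined by hand together with MBEDTLS_PSA_CRYPTO_CONFIG, so it does not fully enforce the "internal only" intent described in the commit message. It does not test PSA_WANT_ALG_ECB_NO_PADDING either, which the auto-enable condition in config_psa.h does; whether that gap is reachable depends on include order, which is not visible in this hunk.

```c
/* … unchanged: MBEDTLS_NIST_KW_C prerequisite check … */

#if defined(MBEDTLS_CIPHER_ENCRYPT_ONLY) && \
    !defined(MBEDTLS_PSA_CRYPTO_CONFIG)
#error "MBEDTLS_CIPHER_ENCRYPT_ONLY is internal and requires MBEDTLS_PSA_CRYPTO_CONFIG"
#endif

#if defined(MBEDTLS_CIPHER_ENCRYPT_ONLY) && \
    (defined(MBEDTLS_CIPHER_MODE_CBC) || \
     defined(MBEDTLS_CIPHER_MODE_XTS) || \
     defined(MBEDTLS_NIST_KW_C))
#error "MBEDTLS_CIPHER_ENCRYPT_ONLY conflicts with CBC, XTS and NIST_KW, which need decryption"
#endif
```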
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index f558ed8..9d68a34 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -599,15 +599,18 @@
 #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
 
 /*
- * ECB, CBC, XTS modes require both ENCRYPT and DECRYPT directions.
- * CIPHER_ENCRYPT_ONLY is only enabled when those modes are not requested
- * via the PSA API.
+ * ECB, CBC, XTS, KW modes require both ENCRYPT and DECRYPT directions.
+ * MBEDTLS_CIPHER_ENCRYPT_ONLY is only enabled when those modes
+ * are not requested via the PSA API and are not enabled in the legacy API.
  *
- * Note: XTS is not yet supported via the PSA API in Mbed TLS.
+ * Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
  */
 #if !defined(PSA_WANT_ALG_ECB_NO_PADDING) && \
     !defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
-    !defined(PSA_WANT_ALG_CBC_PKCS7)
+    !defined(PSA_WANT_ALG_CBC_PKCS7) && \
+    !defined(MBEDTLS_CIPHER_MODE_CBC) && \
+    !defined(MBEDTLS_CIPHER_MODE_XTS) && \
+    !defined(MBEDTLS_NIST_KW_C)
 #define MBEDTLS_CIPHER_ENCRYPT_ONLY 1
 #endif
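Review bot: The updated comment lists ECB among the modes that need both directions, but the condition has a legacy symbol only for CBC, XTS and KW; ECB is tested only through PSA_WANT_ALG_ECB_NO_PADDING. If legacy ECB has no configuration option of its own (it appears not to), a build whose application calls the legacy decrypt path directly would still get MBEDTLS_CIPHER_ENCRYPT_ONLY defined and lose decryption without any configuration-time diagnostic. I would state that limitation in the comment, for example `* Legacy ECB has no config option, so direct use of legacy ECB decryption cannot be detected here.` The hunk also does not show whether this block sits inside the MBEDTLS_PSA_CRYPTO_CONFIG section, which the new check in check_config.h relies on.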