From c47d3a42866b0e150c4dd6c7c4d0868c0f1bda03 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Fri, 18 Mar 2022 10:18:58 +0100
Subject: [PATCH] 64-bit block ciphers are incompatible with some modes

Only allow selected modes with 64-bit block ciphers (i.e. DES). This removes some storage tests and creates corresponding op_fail tests.

Signed-off-by: Gilles Peskine
---
 scripts/mbedtls_dev/crypto_knowledge.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/mbedtls_dev/crypto_knowledge.py b/scripts/mbedtls_dev/crypto_knowledge.py
index 6f499403a..bd4d94ee8 100644
--- a/scripts/mbedtls_dev/crypto_knowledge.py
+++ b/scripts/mbedtls_dev/crypto_knowledge.py
@@ -218,6 +218,12 @@ class KeyType:
 return False
 if self.head == 'HMAC' and alg.head == 'HMAC':
 return True
+ if self.head == 'DES':
+ # 64-bit block ciphers only allow a reduced set of modes.
+ return alg.head in [
+ 'CBC_NO_PADDING', 'CBC_PKCS7',
+ 'ECB_NO_PADDING',
+ ]
 if self.head in BLOCK_CIPHERS and \
 alg.head in frozenset.union(BLOCK_MAC_MODES,
 BLOCK_CIPHER_MODES,
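Review bot: The DES allow-list in the added `if self.head == 'DES':` branch is an unnamed list literal rebuilt on every call, while the check right below it uses named module-level sets (`BLOCK_CIPHERS`, `BLOCK_MAC_MODES`, `BLOCK_CIPHER_MODES`); a named constant such as `DES_CIPHER_MODES = frozenset(['CBC_NO_PADDING', 'CBC_PKCS7', 'ECB_NO_PADDING'])` with `return alg.head in DES_CIPHER_MODES` would match that style and give the test generators one place to read the policy from. The comment speaks of 64-bit block ciphers in general, but the condition tests the literal `'DES'`, so the comment should say that DES is the only such key type handled here. It is also worth stating in the comment that the early return rejects every mode not listed, including everything in `BLOCK_MAC_MODES`, so a mode added to the sets below stays rejected for DES until it is listed explicitly (presumably the intent, since the commit message describes an allow-list). The enclosing method starts and ends outside the hunk, so the remaining branches cannot be checked against this one from here.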