Remove single-DES and 2-DES from the public API

[mpg]

Single-DES is thoroughly broken by brute-force, to the point where it can be cracked as a service for a few dozen dollars - it was also disallowed by NIST a long time ago.

Two-key triple-DES (aka two-key TDEA or 2-DES or DES-EDE2) is currently disallowed by NIST for encryption, and only allowed for legacy decryption. Also, it never had an adoption quite as large as 3DES (triple-key TDEA), or DES before it.

We should remove those from our public API, and only keep 3DES.

(Note: 3DES has been designed in such as way that it's possible to derive 2DES and single-DES from it by setting the keys appropriately, so if anyone still really needs 2DES for legacy decryption, they can still get it from an API that officially only supports 3DES.)

Task definition:

1. Remove support for MBEDTLS_CIPHER_DES_ECB, MBEDTLS_CIPHER_DES_CBC, MBEDTLS_CIPHER_DES_EDE_ECB, and MBEDTLS_CIPHER_DES_EDE_CBC in the cipher layer (cipher.h, cipher.candcipher_wrap.c`).
2. Remove the following APIs from des.h: the mbedtls_des_context type, and all mbedtls_des_xxx() and mbedtls_des3_set2key_xxx() functions (except mbedtls_des_self_test()) - we can start by making them static and then remove those that the compiler flags as unused.
3. Once the previous is done, check which MBEDTLS_DES_xxx_ALT flags are still present in the code, and remove the others from config.h. If it turns out we want to keep exposing mbedtls_des_setkey() to alt implementers, we should declare it in a new header file library/des_alt.h rather than in include/mbedtls/des.h where it is now.
4. Remove all the tests for single-DES and 2-DES.

[gilles-peskine-arm]

PSA also supports 1-key and 2-key DES, so that would have to go away as well. Given the number of parts involved in the removal, I think this is (size:M).

Also, some of our users (at least OP-TEE) want 1DES and 2DES because it's required for GlobalPlatform TEE API compliance (even though no one in their right mind would have used them even back when that standard was defined).

There would be maintenance gains to removing DES altogether, but not for just removing 1DES and 2DES. So I don't think we should expend our limited 3.0 bandwidth on that.

[mpg]

Well, PSA could keep supporting 1-key and 2-key DES by building them on top of 3-key DES, but that would also increase the amount of work needed.

I was already on the fence about putting this in "3.0" or "3.0 optional", so I'm moving it to optional now, and updating the size label as suggested.

[garcimag]

Nice proposal. One of the slowest moving sectors, the banking industry, (correction) still relies on 2-TDES. Even so, they are slowly moving to AES (yes, this late).

[mpg]

@TRodziewicz since this is a rather large task and a bit controversial (I'm not sure we really have a consensus on doing it), I think it's best to leave it alone for now - we'll probably revisit that in 4.0 actually.

[mpg]

Labeling "needs design approval" to reflect the fact that I'm not confident we have a consensus about what, if anything, should be done for 3.0.

[mpg]

Note: des.h will be made internal (non-public), see #8663

[gilles-peskine-arm]

Given that we missed the window in 2021, I propose to completely remove DES in 2025.

[gilles-peskine-arm]

Moot since we are removing DES altogether.