authorJack Lloyd <[email protected]>2019-02-18 09:49:50 -0500
committerJack Lloyd <[email protected]>2019-02-18 09:49:50 -0500
commita789e032124af190deba80dc663b34b0a32a4f76 (patch)
tree8d727ea65c87f2068e9a161b66067aa25c64dd39
parent4969317f3863c0f7b605e586ee69094b59870056 (diff)
Default McEliece and XMSS to SIV mode
-rw-r--r--news.rst4
-rw-r--r--src/lib/pubkey/pkcs8.cpp12
2 files changed, 14 insertions, 2 deletions
diff --git a/news.rst b/news.rst
index 7b1c50105..75e449b0e 100644
--- a/news.rst
+++ b/news.rst
@@ -29,6 +29,10 @@ Version 2.10.0, Not Yet Released
removed, since already POSIX and Win32 versions had to be maintained for
portability. (GH #1814)
+* Newly generated McEliece and XMSS keys now default to being encrypted using
+ SIV mode, support for which was added in 2.8.0. Previously GCM was used by
+ default for these algorithms.
+
* Add a facility for sandboxing the command line util. Currently FreeBSD
(Capsicum) and OpenBSD (``pledge``) sandboxes are supported. (GH #1808)
diff --git a/src/lib/pubkey/pkcs8.cpp b/src/lib/pubkey/pkcs8.cpp
index b6d33cfcb..d5add2adf 100644
--- a/src/lib/pubkey/pkcs8.cpp
+++ b/src/lib/pubkey/pkcs8.cpp
@@ -159,13 +159,21 @@ choose_pbe_params(const std::string& pbe_algo, const std::string& key_algo)
{
if(pbe_algo.empty())
{
- // Defaults:
+ /*
+ * For algorithms where we are using a non-RFC format anyway, default to
+ * SIV or GCM. For others (RSA, ECDSA, ...) default to something widely
+ * compatible.
+ */
const bool nonstandard_pk = (key_algo == "McEliece" || key_algo == "XMSS");
-#if defined(BOTAN_HAS_GCM) && defined(BOTAN_HAS_SHA2_64)
if(nonstandard_pk)
+ {
+#if defined(BOTAN_HAS_AEAD_SIV) && defined(BOTAN_HAS_SHA2_64)
+ return std::make_pair("AES-256/SIV", "SHA-512");
+#elif defined(BOTAN_HAS_AEAD_GCM) && defined(BOTAN_HAS_SHA2_64)
return std::make_pair("AES-256/GCM", "SHA-512");
#endif
+ }
// Default is something compatible with everyone else
return std::make_pair("AES-256/CBC", "SHA-256");