Add option --module-policy

A module policy is a file specifying three types of modules: ones which
are required, ones which are prohibited, and ones which should be used
if otherwise available (this is mostly for platform specific modules).

Finally there are whatever modules which exist in the library of which
the policy makes no mention. These will be included if an explicit
dependency of some other module pulls them in (so there is no reason
to mention base, utils, ... in the file) but skipped otherwise.

For example policy 'sane' does not mention 'utils' or 'twofish' either
way. Since utils is a dependency of other modules which are included,
but Twofish does not. However unlike an explicitly prohibited module,
not mentioned can still be requested as part of the build (here with
--enable-module=twofish)

Also fixes some test bugs noticed by compiling in different build
configs. DLIES test didn't check that the KDF and MAC existed. Adds a
typedef for MessageAuthenticationCode because typing it twice in a
single line in the DLIES test made me think it's way too long. :) Also
fix some fuzzer build problems. Due to a copy and paste bug the PKCS
certificate (it was not).

Inspired by GH #439

2 files changed, 276 insertions, 0 deletions

diff --git a/src/build-data/policy/bsi.txt b/src/build-data/policy/bsi.txt
new file mode 100644
index 000000000..9ab68a921
--- /dev/null
+++ b/src/build-data/policy/bsi.txt
@@ -0,0 +1,156 @@
+<required>
+# block
+aes
+
+# modes
+gcm
+cbc
+mode_pad
+
+# stream
+ctr
+
+# hash
+sha2_32
+sha2_64
+keccak
+
+# mac
+cmac
+hmac
+
+# pk_pad
+eme_oaep
+emsa_pssr
+
+# pubkey
+dlies
+dh
+rsa
+dsa
+ecdsa
+ecdh
+
+# rng
+auto_rng
+hmac_rng
+hmac_drbg
+</required>
+
+<if_available>
+# block
+aes_ni
+aes_ssse3
+
+# modes
+clmul
+
+# entropy sources
+beos_stats
+darwin_secrandom
+egd
+proc_walk
+unix_procs
+rdrand
+rdseed
+hres_timer
+dev_random
+system_rng
+cryptoapi_rng
+win32_stats
+
+# utils
+locking_allocator
+simd_altivec
+simd_scalar
+simd_sse2
+</if_available>
+
+<prohibited>
+# block
+blowfish
+camellia
+cascade
+cast
+gost_28147
+idea
+idea_sse2
+kasumi
+lion
+mars
+misty1
+noekeon
+noekeon_simd
+rc2
+rc5
+rc6
+safer
+seed
+serpent
+serpent_simd
+tea
+threefish
+threefish_avx2
+twofish
+xtea
+xtea_simd
+
+# modes
+ccm
+chacha20poly1305
+eax
+ocb
+siv
+cfb
+ecb
+
+# stream
+chacha
+ofb
+rc4
+salsa20
+
+# pubkey
+curve25519
+elgamal
+gost_3410
+mce
+mceies
+nr
+rw
+
+# pk_pad
+#eme_pkcs1 // needed for tls
+eme_raw
+#emsa_pkcs1 // needed for tls
+emsa_raw
+emsa_x931
+emsa1
+emsa1_bsi
+
+# hash
+blake2
+comb4p
+gost_3411
+has160
+md2
+md4
+#md5 // needed for tls
+rmd128
+rmd160
+#sha1 // needed for tls
+#sha1_sse2 // needed for tls
+skein
+tiger
+whirlpool
+
+# mac
+cbc_mac
+poly1305
+siphash
+x919_mac
+
+# rng
+x931_rng
+
+</prohibited>
diff --git a/src/build-data/policy/sane.txt b/src/build-data/policy/sane.txt
new file mode 100644
index 000000000..3482296d6
--- /dev/null
+++ b/src/build-data/policy/sane.txt
@@ -0,0 +1,120 @@
+<required>
+aes
+serpent
+threefish
+chacha
+
+sha2_32
+sha2_64
+blake2
+skein
+keccak
+
+gcm
+ocb
+chacha20poly1305
+
+kdf2
+hkdf
+cmac
+hmac
+poly1305
+siphash
+
+pbkdf2
+
+# required for private key encryption
+pbes2
+
+# required for TLS
+prf_tls
+
+curve25519
+ecdh
+ecdsa
+rsa
+
+eme_oaep
+emsa_pssr
+emsa1
+
+auto_rng
+hmac_rng
+
+ffi
+</required>
+
+<prohibited>
+cast
+des
+gost_28147
+idea
+idea_sse2
+kasumi
+lion
+mars
+misty1
+rc2
+rc4
+rc5
+rc6
+safer
+seed
+tea
+xtea
+xtea_simd
+
+cbc_mac
+x919_mac
+
+# MD5 and SHA1 are broken but not prohibited. They are widely in use
+# in non-crypto contexts and are required by TLS currently
+md2
+md4
+rmd128
+has160
+gost_3411
+
+cfb
+ecb
+ofb
+
+elgamal
+rw
+nr
+gost_3410
+
+emsa_x931
+pbkdf1
+prf_x942
+x931_rng
+
+passhash9
+cryptobox
+unix_procs
+</prohibited>
+
+<if_available>
+clmul
+locking_allocator
+
+sha1_sse2
+aes_ni
+aes_ssse3
+noekeon_simd
+serpent_simd
+threefish_avx2
+
+simd_scalar
+simd_sse2
+simd_altivec
+
+# entropy sources
+rdrand
+rdseed
+hres_timer
+dev_random
+system_rng
+cryptoapi_rng
+win32_stats
+</if_available>