aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-03-05 12:26:39 -0500
committerJack Lloyd <[email protected]>2016-03-06 04:22:09 -0500
commit028a5126095e4eecd4dd213218f241a990fcbddd (patch)
treebca7266cde5b0089055fca33dee15933259c94d8 /src
parenta3ce0bd1e9e018ea69741c4380bf065cccedec93 (diff)
Add option --module-policy
A module policy is a file specifying three types of modules: ones which are required, ones which are prohibited, and ones which should be used if otherwise available (this is mostly for platform specific modules). Finally there are whatever modules which exist in the library of which the policy makes no mention. These will be included if an explicit dependency of some other module pulls them in (so there is no reason to mention base, utils, ... in the file) but skipped otherwise. For example policy 'sane' does not mention 'utils' or 'twofish' either way. Since utils is a dependency of other modules which are included, but Twofish does not. However unlike an explicitly prohibited module, not mentioned can still be requested as part of the build (here with --enable-module=twofish) Also fixes some test bugs noticed by compiling in different build configs. DLIES test didn't check that the KDF and MAC existed. Adds a typedef for MessageAuthenticationCode because typing it twice in a single line in the DLIES test made me think it's way too long. :) Also fix some fuzzer build problems. Due to a copy and paste bug the PKCS certificate (it was not). Inspired by GH #439
Diffstat (limited to 'src')
-rw-r--r--src/build-data/policy/bsi.txt156
-rw-r--r--src/build-data/policy/sane.txt120
-rw-r--r--src/lib/mac/mac.h2
-rw-r--r--src/lib/pubkey/dlies/dlies.cpp2
-rw-r--r--src/tests/test_dlies.cpp21
-rw-r--r--src/tests/test_fuzzer.cpp6
6 files changed, 298 insertions, 9 deletions
diff --git a/src/build-data/policy/bsi.txt b/src/build-data/policy/bsi.txt
new file mode 100644
index 000000000..9ab68a921
--- /dev/null
+++ b/src/build-data/policy/bsi.txt
@@ -0,0 +1,156 @@
+<required>
+# block
+aes
+
+# modes
+gcm
+cbc
+mode_pad
+
+# stream
+ctr
+
+# hash
+sha2_32
+sha2_64
+keccak
+
+# mac
+cmac
+hmac
+
+# pk_pad
+eme_oaep
+emsa_pssr
+
+# pubkey
+dlies
+dh
+rsa
+dsa
+ecdsa
+ecdh
+
+# rng
+auto_rng
+hmac_rng
+hmac_drbg
+</required>
+
+<if_available>
+# block
+aes_ni
+aes_ssse3
+
+# modes
+clmul
+
+# entropy sources
+beos_stats
+darwin_secrandom
+egd
+proc_walk
+unix_procs
+rdrand
+rdseed
+hres_timer
+dev_random
+system_rng
+cryptoapi_rng
+win32_stats
+
+# utils
+locking_allocator
+simd_altivec
+simd_scalar
+simd_sse2
+</if_available>
+
+<prohibited>
+# block
+blowfish
+camellia
+cascade
+cast
+gost_28147
+idea
+idea_sse2
+kasumi
+lion
+mars
+misty1
+noekeon
+noekeon_simd
+rc2
+rc5
+rc6
+safer
+seed
+serpent
+serpent_simd
+tea
+threefish
+threefish_avx2
+twofish
+xtea
+xtea_simd
+
+# modes
+ccm
+chacha20poly1305
+eax
+ocb
+siv
+cfb
+ecb
+
+# stream
+chacha
+ofb
+rc4
+salsa20
+
+# pubkey
+curve25519
+elgamal
+gost_3410
+mce
+mceies
+nr
+rw
+
+# pk_pad
+#eme_pkcs1 // needed for tls
+eme_raw
+#emsa_pkcs1 // needed for tls
+emsa_raw
+emsa_x931
+emsa1
+emsa1_bsi
+
+# hash
+blake2
+comb4p
+gost_3411
+has160
+md2
+md4
+#md5 // needed for tls
+rmd128
+rmd160
+#sha1 // needed for tls
+#sha1_sse2 // needed for tls
+skein
+tiger
+whirlpool
+
+# mac
+cbc_mac
+poly1305
+siphash
+x919_mac
+
+# rng
+x931_rng
+
+</prohibited>
diff --git a/src/build-data/policy/sane.txt b/src/build-data/policy/sane.txt
new file mode 100644
index 000000000..3482296d6
--- /dev/null
+++ b/src/build-data/policy/sane.txt
@@ -0,0 +1,120 @@
+<required>
+aes
+serpent
+threefish
+chacha
+
+sha2_32
+sha2_64
+blake2
+skein
+keccak
+
+gcm
+ocb
+chacha20poly1305
+
+kdf2
+hkdf
+cmac
+hmac
+poly1305
+siphash
+
+pbkdf2
+
+# required for private key encryption
+pbes2
+
+# required for TLS
+prf_tls
+
+curve25519
+ecdh
+ecdsa
+rsa
+
+eme_oaep
+emsa_pssr
+emsa1
+
+auto_rng
+hmac_rng
+
+ffi
+</required>
+
+<prohibited>
+cast
+des
+gost_28147
+idea
+idea_sse2
+kasumi
+lion
+mars
+misty1
+rc2
+rc4
+rc5
+rc6
+safer
+seed
+tea
+xtea
+xtea_simd
+
+cbc_mac
+x919_mac
+
+# MD5 and SHA1 are broken but not prohibited. They are widely in use
+# in non-crypto contexts and are required by TLS currently
+md2
+md4
+rmd128
+has160
+gost_3411
+
+cfb
+ecb
+ofb
+
+elgamal
+rw
+nr
+gost_3410
+
+emsa_x931
+pbkdf1
+prf_x942
+x931_rng
+
+passhash9
+cryptobox
+unix_procs
+</prohibited>
+
+<if_available>
+clmul
+locking_allocator
+
+sha1_sse2
+aes_ni
+aes_ssse3
+noekeon_simd
+serpent_simd
+threefish_avx2
+
+simd_scalar
+simd_sse2
+simd_altivec
+
+# entropy sources
+rdrand
+rdseed
+hres_timer
+dev_random
+system_rng
+cryptoapi_rng
+win32_stats
+</if_available>
diff --git a/src/lib/mac/mac.h b/src/lib/mac/mac.h
index 90ef4db15..fe3388f3b 100644
--- a/src/lib/mac/mac.h
+++ b/src/lib/mac/mac.h
@@ -53,6 +53,8 @@ class BOTAN_DLL MessageAuthenticationCode : public Buffered_Computation,
virtual MessageAuthenticationCode* clone() const = 0;
};
+typedef MessageAuthenticationCode MAC;
+
}
#endif
diff --git a/src/lib/pubkey/dlies/dlies.cpp b/src/lib/pubkey/dlies/dlies.cpp
index 86cd51e19..ba890ac3d 100644
--- a/src/lib/pubkey/dlies/dlies.cpp
+++ b/src/lib/pubkey/dlies/dlies.cpp
@@ -21,6 +21,8 @@ DLIES_Encryptor::DLIES_Encryptor(const PK_Key_Agreement_Key& key,
m_mac(mac_obj),
m_mac_keylen(mac_kl)
{
+ BOTAN_ASSERT_NONNULL(kdf_obj);
+ BOTAN_ASSERT_NONNULL(mac_obj);
m_my_key = key.public_value();
}
diff --git a/src/tests/test_dlies.cpp b/src/tests/test_dlies.cpp
index 1c7327ab4..ba8142dcb 100644
--- a/src/tests/test_dlies.cpp
+++ b/src/tests/test_dlies.cpp
@@ -42,20 +42,29 @@ class DLIES_KAT_Tests : public Text_Based_Test
Botan::DH_PrivateKey from(Test::rng(), domain, x1);
Botan::DH_PrivateKey to(Test::rng(), domain, x2);
- const std::string kdf = "KDF2(SHA-1)";
- const std::string mac = "HMAC(SHA-1)";
+ const std::string kdf_algo = "KDF2(SHA-1)";
+ const std::string mac_algo = "HMAC(SHA-1)";
const size_t mac_key_len = 16;
Test::Result result("DLIES");
+ std::unique_ptr<Botan::KDF> kdf(Botan::KDF::create(kdf_algo));
+ std::unique_ptr<Botan::MAC> mac(Botan::MAC::create(mac_algo));
+
+ if(!kdf || !mac)
+ {
+ result.test_note("Skipping due to missing KDF or MAC algo");
+ return result;
+ }
+
Botan::DLIES_Encryptor encryptor(from,
- Botan::KDF::create(kdf).release(),
- Botan::MessageAuthenticationCode::create(mac).release(),
+ kdf->clone(),
+ mac->clone(),
mac_key_len);
Botan::DLIES_Decryptor decryptor(to,
- Botan::KDF::create(kdf).release(),
- Botan::MessageAuthenticationCode::create(mac).release(),
+ kdf.release(),
+ mac.release(),
mac_key_len);
encryptor.set_other_key(to.public_value());
diff --git a/src/tests/test_fuzzer.cpp b/src/tests/test_fuzzer.cpp
index 18516a68c..2be8e7c08 100644
--- a/src/tests/test_fuzzer.cpp
+++ b/src/tests/test_fuzzer.cpp
@@ -6,12 +6,12 @@
#include "tests.h"
#include <chrono>
+#include <botan/internal/filesystem.h>
#if defined(BOTAN_HAS_X509_CERTIFICATES)
#include <botan/x509cert.h>
#include <botan/x509_crl.h>
#include <botan/base64.h>
- #include <botan/internal/filesystem.h>
#endif
#if defined(BOTAN_HAS_PUBLIC_KEY_CRYPTO)
@@ -61,8 +61,8 @@ class Fuzzer_Input_Tests : public Test
{
try
{
- std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(vec_file, Test::rng()));
- Botan::X509_Certificate cert(vec_file);
+ std::unique_ptr<Botan::Private_Key> key(
+ Botan::PKCS8::load_key(vec_file, Test::rng()));
}
catch(std::exception&) {}