aboutsummaryrefslogtreecommitdiffstats
path: root/src/build-data/policy
Commit message (Collapse)AuthorAgeFilesLines
* Split 'cast' module into CAST-128 and CAST-256Jack Lloyd2018-09-133-3/+6
| | | | | | | They were only in the same place because of the desire to share the sbox tables, but that can be handled by adding a dependency. This makes it possible to disable CAST-256 while leaving CAST-128.
* Remove Darwin SecRandomCopyBytesJack Lloyd2018-09-043-3/+0
| | | | | It is the same RNG as arc4random and /dev/urandom. And arc4random seems to be working well for iOS and macOS.
* Merge GH #1660 Add AVX2 SerpentJack Lloyd2018-08-253-0/+3
|\
| * Update build policiesJack Lloyd2018-08-243-0/+3
| |
* | Mention the ARMv8 and POWER AES modules in the build policiesJack Lloyd2018-08-243-0/+6
|/
* Rename threefish module to threefish_512Jack Lloyd2018-03-063-6/+6
| | | | GH #1477
* Enable processor specific code in module policies [ci skip]Jack Lloyd2017-12-193-0/+15
| | | | These were added more recently and weren't enabled in the policy files.
* Update build policiesJack Lloyd2017-09-212-0/+12
|
* Refactor RNGs to support Windows PhoneJack Lloyd2017-09-023-3/+0
| | | | | | | | | | | | | | | | | | | This OS has its own crypto API and does not support CryptGenRandom. Splits System_RNG_Impl into distinct declarations one per implementation type. Easier to read now that we are up to 4 distinct versions. Removes the CryptoAPI entropy source, and replaces it with an entropy source that calls the system RNG. This is nominally a bit less flexible in that the entropy source allowed polling multiple providers (though we didn't actually make use of that). Plus side is it works on all systems. Currently the dev_random entropy source is still there because we do actually use it to poll both /dev/random and /dev/urandom, and it might be useful (on certain systems) to also poll a HW RNG, which are often assigned their own device node. This could debatably also be removed in favor of just reading the system RNG.
* Add http_util to module policies (GH #1109)René Korthaus2017-08-073-0/+3
| | | | | | http_util is required by the x509 module to perform online OCSP checks, which should be defaulted to ON. Without being part of the policy, it would be disabled.
* Add Streebog hash (GOST R 34.11-2012).Daniel Wyatt2017-08-042-0/+2
|
* Add ChaCha_RNGJack Lloyd2017-07-312-0/+6
|
* Update modern and nist policies with recent additionsJack Lloyd2017-06-302-0/+20
|
* Merge GH #1082 Add support for SM2 signature schemeJack Lloyd2017-06-301-0/+1
|\
| * Add SM2 signature schemeJack Lloyd2017-06-291-0/+2
| | | | | | | | | | | | From https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 This is a contribution from Ribose Inc (@riboseinc).
* | Update BSI module policyRené Korthaus2017-06-301-0/+3
|/ | | | | Prohibit SM4 block cipher, ed25519 signature scheme and NIST SP800-56A KDF.
* Enable Ed25519 in 'modern' policyJack Lloyd2017-06-091-0/+1
|
* Update BSI and NIST policies to prohibit SM3 hash.Daniel Wyatt2017-04-032-0/+2
|
* Update BSI module policyDaniel Neus2017-01-081-0/+4
|
* Merge GH #815 Add NIST build policyJack Lloyd2017-01-061-0/+153
|\
| * Add basic NIST policyJack Lloyd2017-01-051-0/+153
| | | | | | | | Just my best reckoning of what is NIST approved, may have errors.
* | Add iso9796 (required) and cecpq1 (prohibited) to BSI policy/bsi.txtDaniel Neus2017-01-061-0/+2
|/
* Remove ECB modeJack Lloyd2016-12-042-2/+0
| | | | | | | Not a good thing to offer at this level. If you know what you are doing for the strange special case where it is necessary, the raw BlockCipher interface is available and probably more convenient.
* Updates module policy, fixes test suite errorsMatthias Gierlings2016-12-011-1/+1
| | | | | | | - Moves SHAKE to prohibited algorithms - Catches an error during XMSS private key generation when SHAKE is disabled. This should not be reported as error by the test bench since [SHAKE is optional in XMSS](https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-07#section-5)
* Updates docs & module policyMatthias Gierlings2016-11-261-0/+1
| | | | | | - Added GMAC to list of supported MAC algorithms in readme.rst - Updated module policy to prevent CI crash - Added myself to credits.rst
* Don't strictly require ffi in modern policyJack Lloyd2016-11-171-3/+2
|
* Added Extended Hash-Based Signatures (XMSS)Matthias Gierlings2016-11-111-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [1] XMSS: Extended Hash-Based Signatures, draft-itrf-cfrg-xmss-hash-based-signatures-06 Release: July 2016. https://datatracker.ietf.org/doc/ draft-irtf-cfrg-xmss-hash-based-signatures/?include_text=1 Provides XMSS_PublicKey and XMSS_PrivateKey classes as well as implementations for the Botan interfaces PK_Ops::Signature and PK_Ops::Verification. XMSS has been integrated into the Botan test bench, signature generation and verification can be tested independently by invoking "botan-test xmss_sign" and "botan-test xmss_verify" - Some headers that are not required to be exposed to users of the library have to be declared as public in `info.txt`. Declaring those headers private will cause the amalgamation build to fail. The following headers have been declared public inside `info.txt`, even though they are only intended for internal use: * atomic.h * xmss_hash.h * xmss_index_registry.h * xmss_address.h * xmss_common_ops.h * xmss_tools.h * xmss_wots_parameters.h * xmss_wots_privatekey.h * xmss_wots_publickey.h - XMSS_Verification_Operation Requires the "randomness" parameter out of the XMSS signature. "Randomness" is part of the prefix that is hashed *before* the message. Since the signature is unknown till sign() is called, all message content has to be buffered. For large messages this can be inconvenient or impossible. **Possible solution**: Change PK_Ops::Verification interface to take the signature as constructor argument, and provide a setter method to be able to update reuse the instance on multiple signatures. Make sign a parameterless member call. This solution requires interface changes in botan. **Suggested workaround** for signing large messages is to not sign the message itself, but to precompute the message hash manually using Botan::HashFunctio and sign the message hash instead of the message itself. - Some of the available test vectors for the XMSS signature verification have been commented out in order to reduce testbench runtime.
* Remove HMAC_RNG, X9.31-RNG, BeOS stats, EGD reader, Unix process runnerJack Lloyd2016-10-282-15/+0
| | | | | Change AutoSeeded_RNG to use SHA-384, SHA-256, SHA-3(256), or SHA-1, whichever is available (in that order).
* Merge GH #691/#488 Add GMAC. Add MessageAuthenticationCode::start_msgJack Lloyd2016-10-281-0/+1
|\
| * Implements GMAC with GHASH.Matthias Gierlings2016-10-281-0/+1
| | | | | | | | | | Adds support for Galois Message Authentication Code calculation based on GHASH, rather than GCM_Mode.
* | Update modern policy: Add NewHope, SQL, ChaCha20 SSE2. Prohibit TLS-CBCJack Lloyd2016-10-281-1/+8
|/
* Merge GH #669 Add SHA-3, SHAKE-128, and BoringSSL-mode NewHopeJack Lloyd2016-10-202-1/+3
|\
| * Update policy files for SHA-3Jack Lloyd2016-10-192-1/+3
| | | | | | | | BSI drops Keccak in favor of SHA-3. Modern adds SHA-3 and SHAKE-128.
* | we do the padding ourself so eme_raw is fineDaniel Neus2016-10-201-1/+0
|/ | | | So it shouldn't be prohibited in the module policy
* Update BSI policyRené Korthaus2016-10-041-0/+3
|
* Update policy files wrt algorithm removalsJack Lloyd2016-09-022-13/+0
|
* Remove deprecated ciphers MARS, RC2, RC5, RC6, SAFER-SK and TEAJack Lloyd2016-09-022-12/+0
| | | | | XTEA was also deprecated but has been spared, it does seem to be somewhat common (eg, included in the Go x/crypto library)
* Check for non-existent modules in policy files.Jack Lloyd2016-09-012-9/+2
| | | | | | Fix policy files. GH #614
* Remove HMAC_RNG from BSI policy, not needed after #520/#593Jack Lloyd2016-08-291-1/+0
|
* RNG changes (GH #593)Jack Lloyd2016-08-242-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change reseed interval logic to count calls to `randomize` rather than bytes, to match SP 800-90A Changes RNG reseeding API: there is no implicit reference to the global entropy sources within the RNGs anymore. The entropy sources must be supplied with the API call. Adds support for reseding directly from another RNG (such as a system or hardware RNG). Stateful_RNG keeps optional references to both an RNG and a set of entropy sources. During a reseed, both sources are used if set. These can be provided to HMAC_DRBG constructor. For HMAC_DRBG, SP800-90A requires we output no more than 2**16 bytes per DRBG request. We treat requests longer than that as if the caller had instead made several sequential maximum-length requests. This means it is possible for one or more reseeds to trigger even in the course of generating a single (long) output (generate a 256-bit key and use ChaCha or HKDF if this is a problem). Adds RNG::randomize_with_ts_input which takes timestamps and uses them as the additional_data DRBG field. Stateful_RNG overrides this to also include the process ID and the reseed counter. AutoSeeded_RNG's `randomize` uses this. Officially deprecates RNG::make_rng and the Serialized_RNG construtor which creates an AutoSeeded_RNG. With these removed, it would be possible to perform a build with no AutoSeeded_RNG/HMAC_DRBG at all (eg, for applications which only use the system RNG). Tests courtesy @cordney in GH PRs #598 and #600
* Add RDRAND_RNGJack Lloyd2016-07-192-0/+2
| | | | | | | | For those that are willing to trust uninspectible hardware. :) Changes RDRAND entropy source to call RDRAND_RNG Add --rdrand flag to rng cmdlet
* Add Stateful_RNGJack Lloyd2016-07-172-2/+1
| | | | | | | | | | | | | | Handles fork checking for HMAC_RNG and HMAC_DRBG AutoSeeded_RNG change - switch to HMAC_DRBG as default. Start removing the io buffer from entropy poller. Update default RNG poll bits to 256. Fix McEliece test, was using wrong RNG API. Update docs.
* Rename policy 'sane' to 'modern' which better reflects intent.Jack Lloyd2016-07-111-29/+36
| | | | | Add RFC 6979 which became optional along the line. Also add bcrypt and compression, and add TLS by default. Prohibit EGD.
* Remove egd entropy sources from BSI module policyRené Korthaus2016-07-111-1/+1
|
* Various fixes with bsi module policyRené Korthaus2016-07-041-0/+12
|
* Merge GH #487 Remove CVC certificates and EMSA1_BSI signature encodingJack Lloyd2016-06-171-1/+5
|\
| * remove EMSA1_BSI (no longer recommended by BSI)Daniel Neus2016-04-301-1/+5
| |
* | Add support probabilistic DSA & ECDSARené Korthaus2016-05-081-0/+1
|/ | | | | | | Adds support for probabilistic, aka the standard, DSA and ECDSA. Can be enabled by disabling the rfc6979 module. Includes test vectors from NIST CAVP. Adds rfc6979 to the list of prohibited modules in BSI policy.
* Add ECGDSARené Korthaus2016-04-191-0/+1
|
* Add proc_walk, egd, Darwin entropy sources to policy.Jack Lloyd2016-03-062-9/+11
| | | | Prohibit unix_procs in BSI policy. See discussion in GH #446