botan: 3.6.1 -> 3.8.1 (#404895)

Author: 7c6f434c

pkgs/by-name/es/esdm/package.nix

@@ -23,13 +23,13 @@
   drngChaCha20 ? false, # set the default drng callback
   ais2031 ? false, # set the seeding strategy to be compliant with AIS 20/31
   sp80090c ? false, # set compliance with NIST SP800-90C
-  cryptoBackend ? "botan", # set backend for hash and drbg operations
+  cryptoBackend ? "builtin", # set backend for hash and drbg operations
   linuxDevFiles ? true, # enable linux /dev/random and /dev/urandom support
   linuxGetRandom ? true, # enable linux getrandom support
   hashSha512 ? false, # set the conditioning hash: SHA2-512
   hashSha3_512 ? true, # set the conditioning hash: SHA3-512
-  openSSLRandProvider ? true, # build ESDM provider for OpenSSL 3.x
-  botanRng ? true, # build ESDM class for Botan 3.x
+  openSSLRandProvider ? false, # build ESDM provider for OpenSSL 3.x
+  botanRng ? false, # build ESDM class for Botan 3.x
 
   # client-related options (handle with care, consult source code and meson options)
   # leave as is if in doubt
@@ -56,10 +56,7 @@
 
 assert drngHashDrbg != drngChaCha20;
 assert hashSha512 != hashSha3_512;
-assert
-  cryptoBackend == "openssl"
-  || cryptoBackend == "botan"
-  || cryptoBackend == "builtin" "Unsupported ESDM crypto backend";
+assert cryptoBackend == "openssl" || cryptoBackend == "botan" || cryptoBackend == "builtin";
 
 stdenv.mkDerivation rec {
   pname = "esdm";

pkgs/development/libraries/botan/default.nix

@@ -7,9 +7,23 @@
   bzip2,
   zlib,
   jitterentropy,
+  darwin,
+  esdm,
+  tpm2-tss,
   static ? stdenv.hostPlatform.isStatic, # generates static libraries *only*
+
+  # build ESDM RNG plugin
+  with_esdm ? false,
+  # useful, but have to disable tests for now, as /dev/tpmrm0 is not accessible
+  with_tpm2 ? false,
+  # only allow BSI approved algorithms, FFI and SHAKE for XMSS
+  with_bsi_policy ? false,
+  # only allow NIST approved algorithms
+  with_fips140_policy ? false,
 }:
 
+assert (!with_bsi_policy && !with_fips140_policy) || (with_bsi_policy != with_fips140_policy);
+
 let
   common =
     {
@@ -50,9 +64,14 @@ let
           bzip2
           zlib
         ]
-
+        ++ lib.optionals (stdenv.hostPlatform.isLinux && with_tpm2) [
+          tpm2-tss
+        ]
         ++ lib.optionals (lib.versionAtLeast version "3.6.0") [
           jitterentropy
+        ]
+        ++ lib.optionals (lib.versionAtLeast version "3.7.0" && with_esdm) [
+          esdm
         ];
 
       buildTargets =
@@ -77,8 +96,22 @@ let
         ++ lib.optionals stdenv.cc.isClang [
           "--cc=clang"
         ]
+        ++ lib.optionals (stdenv.hostPlatform.isLinux && with_tpm2) [
+          "--with-tpm2"
+        ]
         ++ lib.optionals (lib.versionAtLeast version "3.6.0") [
           "--enable-modules=jitter_rng"
+        ]
+        ++ lib.optionals (lib.versionAtLeast version "3.7.0" && with_esdm) [
+          "--enable-modules=esdm_rng"
+        ]
+        ++ lib.optionals (lib.versionAtLeast version "3.8.0" && with_bsi_policy) [
+          "--module-policy=bsi"
+          "--enable-module=ffi"
+          "--enable-module=shake"
+        ]
+        ++ lib.optionals (lib.versionAtLeast version "3.8.0" && with_fips140_policy) [
+          "--module-policy=fips140"
         ];
 
       configurePhase = ''
@@ -115,8 +148,8 @@ let
 in
 {
   botan3 = common {
-    version = "3.6.1";
-    hash = "sha256-fLhXXYjSMsdxdHadf54ku0REQWBYWYbuvWbnScuakIk=";
+    version = "3.8.1";
+    hash = "sha256-sDloHUuGGi9YU3Rti6gG9VPiOGntctie2/o8Pb+hfmg=";
   };
 
   botan2 = common {