Centralize Module Build Policy #195

Open
reneme opened this issue Feb 22, 2024 · 0 comments
reneme (Collaborator) commented Feb 22, 2024

The relevant modules are currently noted several times in the repository (and should be kept in sync). This is a potential source of confusion and omission.

We should harmonize this in some central configuration and pull the information from there. In the best case, this also allows for removing the manual step of updating the "audited modules" list in the Audit Report document.

See:

```python
enable_modules = []
enable_modules += ['tls12','tls13','tls_cbc']
enable_modules += ['pkcs11']
enable_modules += ['xts']
enable_modules += ['kyber','kyber_90s']
enable_modules += ['dilithium','dilithium_aes']
enable_modules += ['sphincsplus_sha2','sphincsplus_shake']
flags += ['--module-policy=bsi', '--enable-modules=%s' % ','.join(enable_modules)]
```

```rst
Scope of the Review
-------------------

The library's code repository is structured into fine-grained modules
(sub-directories in ``src/lib``). Additionally, the repository contains various
unit and integration tests (in ``src/tests``, ``src/bogo_shim``,
``src/fuzzer``), a command line interface (in ``src/cli``), python wrapper (in
``src/python``), build system-related files and scripts (in ``configure.py``,
``src/build-data``), and documentation (in ``src/doc``).

The review in this document keeps track of changes in all the above-mentioned
components. For the library implementation itself (``src/lib``), all modules
that are *required* or *available* in the BSI build policy and their
dependencies are in the scope of this document. Additionally, we review the
following modules and its dependencies: ``certstor_flatfile``,
``certstor_sqlite3``, ``certstor_system_macos``, ``certstor_system_windows``,
``certstor_system``, ``dilithium_aes``, ``dilithium``, ``ffi``, ``kyber_90s``,
``kyber``, ``pkcs11``, ``sha1_armv8``, ``sha1_sse2``, ``sha1_x86``, ``shake``,
``sphincsplus_sha2``, ``sphincsplus_shake``, ``tls_cbc``, ``tls12``,
``tls13_pqc``, ``tls13``, ``xts``. Patches that don't alter any of the
above-mentioned components or relevant modules are considered out-of-scope.

.. todo:: Update the module list below for the upcoming Botan 3.3.0 release

Below is the full list of modules (from ``src/lib``) whose changes were
reviewed:

.. For each new document version, the list below should be sanity checked
   and potentially adapted using the script in scripts/audited_modules_list.py
   like so:

   1. Update the list of additional and platform dependent modules in
      the audited_modules_list.py script
   2. Check out the to-be-audited version of Botan "somewhere"
   3. poetry run python audited_modules_list.py --repo-location="somewhere"
   4. Copy the script's output over the list below
   5. Go through the `git diff` and sanity check
   6. Update the enumeration of "additional modules" above with the
      modules listed in the script.

.. list-table::

   * - aead
     - aes
     - aes_armv8
     - aes_crystals_xof
   * - aes_ni
     - aes_power8
     - aes_vperm
     - argon2
   * - argon2_avx2
     - argon2_ssse3
     - argon2fmt
     - asn1
   * - auto_rng
     - base
     - base64
     - bigint
   * - blake2
     - block
     - cbc
     - ccm
   * - certstor_flatfile
     - certstor_sql
     - certstor_sqlite3
     - certstor_system
   * - certstor_system_macos
     - certstor_system_windows
     - cmac
     - cpuid
   * - ctr
     - dh
     - dilithium
     - dilithium_aes
   * - dilithium_common
     - dl_algo
     - dl_group
     - dlies
   * - dsa
     - dyn_load
     - ec_group
     - ecc_key
   * - ecdh
     - ecdsa
     - ecgdsa
     - ecies
   * - eckcdsa
     - eme_oaep
     - eme_pkcs1
     - emsa_pkcs1
   * - emsa_pssr
     - entropy
     - ffi
     - gcm
   * - getentropy
     - ghash
     - ghash_cpu
     - ghash_vperm
   * - gmac
     - hash
     - hash_id
     - hex
   * - hkdf
     - hmac
     - hmac_drbg
     - http_util
   * - iso9796
     - kdf
     - kdf1_iso18033
     - keccak_perm
   * - keccak_perm_bmi2
     - keypair
     - kyber
     - kyber_90s
   * - kyber_common
     - locking_allocator
     - mac
     - mdx_hash
   * - mem_pool
     - mgf1
     - mode_pad
     - modes
   * - mp
     - numbertheory
     - pbkdf
     - pem
   * - pk_pad
     - pkcs11
     - poly_dbl
     - prf_tls
   * - processor_rng
     - pubkey
     - rdseed
     - rng
   * - rsa
     - sha1
     - sha1_armv8
     - sha1_sse2
   * - sha1_x86
     - sha2_32
     - sha2_32_armv8
     - sha2_32_bmi2
   * - sha2_32_x86
     - sha2_64
     - sha2_64_bmi2
     - sha3
   * - shake
     - shake_xof
     - simd
     - socket
   * - sp800_108
     - sp800_56c
     - sphincsplus_common
     - sphincsplus_sha2
   * - sphincsplus_shake
     - stateful_rng
     - stream
     - system_rng
   * - tls
     - tls12
     - tls13
     - tls13_pqc
   * - tls_cbc
     - trunc_hash
     - utils
     - x509
   * - xmss
     - xof
     - xts
     -

Here are some notable module changes compared to the last review (Botan |botan_git_base_ref|):

* ``shake_xof`` contains a proper interface to the SHAKE XOFs and replaces
  ``shake_cipher`` that provisionally exposed the XOF as a stream cipher
* ``tls13_pqc`` implements a hybrid key exchange for TLS 1.3 for post-quantum security
```
```python
def platform_dependent_modules():
    """ Modules whose parents are part of the audit scope but that are platform
        dependent or dependent on external libraries and therefore might not
        show up in a particular run of ./configure.py.

        NOTE: Dependency resolution _will not happen_ for those modules!
    """
    return set([
        'aes_armv8',
        'aes_ni',
        'aes_power8',
        'aes_vperm',
        'argon2_avx2',
        'argon2_ssse3',
        'certstor_sql',
        'certstor_sqlite3',
        'certstor_system_macos',
        'certstor_system_windows',
        'ghash_cpu',
        'ghash_vperm',
        'keccak_perm_bmi2',
        'sha1_armv8',
        'sha1_sse2',
        'sha1_x86',
        'sha2_32_armv8',
        'sha2_32_bmi2',
        'sha2_32_x86',
        'sha2_64_bmi2',
    ])


def additional_modules():
    """ Modules that are not in Botan's BSI module policy but that are
        part of the audit scope regardless.

        NOTE: Dependency resolution will be performed for the listed modules.
    """
    return set([
        'certstor_flatfile',
        'certstor_system',
        'dilithium_aes',
        'dilithium',
        'ffi',
        'kyber_90s',
        'kyber',
        'pkcs11',
        'shake',
        'sphincsplus_sha2',
        'sphincsplus_shake',
        'tls_cbc',
        'tls12',
        'tls13_pqc',
        'tls13',
        'xts',
    ])
```

@reneme reneme added the enhancement New feature or request label Feb 22, 2024
@reneme reneme self-assigned this Feb 22, 2024
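
Added example, not part of the issue or the project's code: a Python sketch of the proposed centralization, in which one module set feeds both the configure flags and the report enumeration, plus a drift check against the hand-maintained copies quoted above. `ADDITIONAL_MODULES` and all function names are hypothetical; the sample strings are transcribed from the quoted excerpts.

```python
import re

# Assumed single source of truth (hypothetical name), seeded from the
# additional_modules() set quoted in the issue.
ADDITIONAL_MODULES = frozenset({
    'certstor_flatfile', 'certstor_system', 'dilithium_aes', 'dilithium',
    'ffi', 'kyber_90s', 'kyber', 'pkcs11', 'shake', 'sphincsplus_sha2',
    'sphincsplus_shake', 'tls_cbc', 'tls12', 'tls13_pqc', 'tls13', 'xts',
})

def configure_flags(modules=ADDITIONAL_MODULES):
    """Build-script consumer: same flag shape as the quoted snippet."""
    return ['--module-policy=bsi', '--enable-modules=' + ','.join(sorted(modules))]

def rst_enumeration(modules=ADDITIONAL_MODULES):
    """Audit-report consumer: the inline ``name`` enumeration."""
    return ', '.join('``%s``' % m for m in sorted(modules))

def modules_in_build_script(text):
    """Collect names from every `enable_modules += [...]` line."""
    names = set()
    for body in re.findall(r"enable_modules\s*\+=\s*\[([^\]]*)\]", text):
        names.update(re.findall(r"'([^']+)'", body))
    return names

def modules_in_rst(text):
    """Collect ``name`` literals from a hand-maintained enumeration."""
    return set(re.findall(r"``([a-z0-9_]+)``", text))

def drift(found, central=ADDITIONAL_MODULES):
    """Return (in central but not in the copy, only in the copy)."""
    return sorted(central - found), sorted(found - central)

# Hand-maintained copies, transcribed from the excerpts quoted in the issue.
BUILD_SCRIPT = """
enable_modules += ['tls12','tls13','tls_cbc']
enable_modules += ['pkcs11']
enable_modules += ['xts']
enable_modules += ['kyber','kyber_90s']
enable_modules += ['dilithium','dilithium_aes']
enable_modules += ['sphincsplus_sha2','sphincsplus_shake']
"""
REPORT = """
``certstor_flatfile``, ``certstor_sqlite3``, ``certstor_system_macos``,
``certstor_system_windows``, ``certstor_system``, ``dilithium_aes``,
``dilithium``, ``ffi``, ``kyber_90s``, ``kyber``, ``pkcs11``, ``sha1_armv8``,
``sha1_sse2``, ``sha1_x86``, ``shake``, ``sphincsplus_sha2``,
``sphincsplus_shake``, ``tls_cbc``, ``tls12``, ``tls13_pqc``, ``tls13``, ``xts``
"""
```

On the quoted excerpts, `drift(modules_in_build_script(BUILD_SCRIPT))` shows the build-script copy without `certstor_flatfile`, `certstor_system`, `ffi`, `shake` and `tls13_pqc`, and `drift(modules_in_rst(REPORT))` shows six report entries that the script keeps under `platform_dependent_modules()` instead.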