require Botan 2.14.0

[rrrooommmaaa]

Closes #1279

[rrrooommmaaa]

@ronaldtse Looks like we need to put correct version of botan to https://github.com/riboseinc/yum
CentOS 7 is missing it.
CentOS 8 has 2.12.1
Ubuntu 20.04 also has 2.12.1
https://pkgs.org/search/?q=botan2

[ronaldtse]

@ronaldtse Looks like we need to put correct version of botan to https://github.com/riboseinc/yum
CentOS 7 is missing it.
CentOS 8 has 2.12.1
Ubuntu 20.04 also has 2.12.1
https://pkgs.org/search/?q=botan2

@dewyatt could you help with it since you are familiar? Thanks!

[dewyatt]

@ronaldtse Looks like we need to put correct version of botan to https://github.com/riboseinc/yum
CentOS 7 is missing it.
CentOS 8 has 2.12.1
Ubuntu 20.04 also has 2.12.1
https://pkgs.org/search/?q=botan2

@dewyatt could you help with it since you are familiar? Thanks!

@ronaldtse It's been a while and it looks like there are some issues here. I think I would need maintainer access on GitLab ribose/rpm-spec-botan2 to troubleshoot this.
Alternatively if someone with permissions can maybe look at the mirroring settings and try to force sync that might be all I need.

[ronaldtse]

@ribose-jeffreylau could you help here? It would probably be better to move this yum repository to GitHub...

[ribose-jeffreylau]

@dewyatt I gave you maintainer access to https://gitlab.com/ribose/rpm-spec-botan2.

Since we don't have a subscription at GitLab, we can no longer mirror GitHub repos in GitLab, that's why the updates aren't automatically built. I manually pushed your changes to GitLab to see if it built --- there're some errors that may require your help.

@ronaldtse Should we investigate moving all the rpm-spec-* CI from GitLab to GitHub?

[ronaldtse]

@ribose-jeffreylau we should definitely move all the repos (and workflows) from GitLab back to GitHub, especially since GitHub now supports this type of workflow.

[dewyatt]

Well that's unfortunate they took mirroring out of the free tier.
I fixed up the 2.14.0 release so that's published now.

[dewyatt]

@ribose-jeffreylau we should definitely move all the repos (and workflows) from GitLab back to GitHub, especially since GitHub now supports this type of workflow.

I think I remember when I migrated these to GitLab that GHA didn't (at the time) have a feature like include:remote (used here), so that may be one of the challenges in migrating those back. But GHA has improved a lot since then, so...

[dewyatt]

I think this PR would need an update here as well:

rnp/ci/install.sh

Line 19 in 57c8afb

git clone --depth 1 --branch 2.13.0 https://github.com/randombit/botan "${botan_build}"

(We build most direct dependencies manually in centos CI to get useful stacktraces with ASaN, the RPM is more for end-users)

[rrrooommmaaa]

@dewyatt Since there is version 2.16 of Botan in MSYS2 and VCPKG repositories for WIndows, maybe we should use 2.16 everywhere?

[dewyatt]

@dewyatt Since there is version 2.16 of Botan in MSYS2 and VCPKG repositories for WIndows, maybe we should use 2.16 everywhere?

Sounds reasonable to me!

[rrrooommmaaa]

@ni4 Can you please advise on how to add additional setup steps for CIFuzz? To be exact, how to install Botan manually as we do in other steps, because there is Botan 2.12.1 out of the Ubuntu box.

[dewyatt]

@ni4 Can you please advise on how to add additional setup steps for CIFuzz? To be exact, how to install Botan manually as we do in other steps, because we there is Botan 2.12.1 out of the Ubuntu box.

We'll probably have to do some updates to oss-fuzz for this

[ni4]

We'll probably have to do some updates to oss-fuzz for this

Yeah, that's right - Botan for oss-fuzz is installed here: https://github.com/google/oss-fuzz/blob/51098cb7917a822bd8f3adc047c20126c5283113/projects/rnp/build.sh#L20

I'll do a PR and write back once it is merged.

[ni4]

Tracked via google/oss-fuzz#4900

[rrrooommmaaa]

@ni4 @dewyatt Should I set up minimum required version 2.16 or just leave 2.14 regardless that we're going to have 2.16 in the repos for the actual build?

[dewyatt]

@ni4 @dewyatt Should I set up minimum required version 2.16 or just leave 2.14 regardless that we're going to have 2.16 in the repos for the actual build?

For CMake you mean? I would say we should keep that at the minimum that builds and passes tests for most platforms, which is probably 2.8.0 (some FFI support for x25519 was added there).

2.9.0 might be better since that fixes CVE-2018-20187 (seems relevant to us).

[ni4]

@dewyatt Didn't we need to update to 2.14.0 because of 2020-03-24: Side channel during CBC padding ? It seems relevant to us.

As an alternative we may introduce some variable like CMAKE_FORCE_BOTAN_VERSION, allowing to build with older then 2.14

[dewyatt]

@dewyatt Didn't we need to update to 2.14.0 because of 2020-03-24: Side channel during CBC padding ? It seems relevant to us.

As an alternative we may introduce some variable like CMAKE_FORCE_BOTAN_VERSION, allowing to build with older then 2.14

I haven't been keeping up with RNP like I used to so you guys are probably in a better place to make that call, but I don't believe this one affects us.

• We use unpadded CBC for G10 so that is not affected.
• The fix targets PKCS7, X923, OneAndZeros, and ESP padding. I don't believe we use any of them (via botan). Although it's worth checking whether we have similar issues.
• It sounds mostly minor -- the commit message says probably not too serious in most circumstances but is not desirable behavior.

I can also say that adding exit calls to the code paths affected by the fix has no effect on whether ctest passes, so that's a good indicator that we don't need to worry about that CVE.

[ni4]

Happy New Year, guys!

@dewyatt Actually, I think it's more 'political' - to not allow others, who don't dig that deep as you, say 'rnp uses Botan with vulnerabilities'. So I'd vote for 2.14 at least.
@rrrooommmaaa oss-fuzz PR is merged now, so tests should run fine.

[ni4]

@rrrooommmaaa Looks like Windows/MSYS2 workflow still hangs due to Botan's update.

[rrrooommmaaa]

@rrrooommmaaa Looks like Windows/MSYS2 workflow still hangs due to Botan's update.

Yes. And setting CTEST_PARALLEL=1 didn't help either.
Strange, but all builds and tests pass ok on my fresh MSYS2 20201109, installed with choco.
Perhaps, need to review msys2 installation by gha.
Do you wish to take over or should I?

[ni4]

Yes. And setting CTEST_PARALLEL=1 didn't help either.
Strange, but all builds and tests pass ok on my fresh MSYS2 20201109, installed with choco.
Perhaps, need to review msys2 installation by gha.
Do you wish to take over or should I?

Feel free to continue on this. I spent a lot of time on this year ago, and wasn't able to find a solution, unfortunately.
There are some details discussed here: #1104 (comment)

[rrrooommmaaa]

Feel free to continue on this. I spent a lot of time on this year ago, and wasn't able to find a solution, unfortunately.
There are some details discussed here: #1104 (comment)

So is it because of -DBUILD_SHARED_LIBS=yes?
Should we try -DBUILD_SHARED_LIBS=no or shared lib support is mandatory?

[ni4]

So is it because of -DBUILD_SHARED_LIBS=yes?
Should we try -DBUILD_SHARED_LIBS=no or shared lib support is mandatory?

I don't know, If I know I'd resolve it :) Shared libraries are required for the ruby-rnp, but those tests are not run for msys2/mingw. It would be good to investigate and find the real reason for this problem, to be aware of it in the future.

[rrrooommmaaa]

So is it because of -DBUILD_SHARED_LIBS=yes?
Should we try -DBUILD_SHARED_LIBS=no or shared lib support is mandatory?

I don't know, If I know I'd resolve it :) Shared libraries are required for the ruby-rnp, but those tests are not run for msys2/mingw. It would be good to investigate and find the real reason for this problem, to be aware of it in the future.

I understand. But how much time is reasonable to spend on this, @ronaldtse ?
I may end up debugging botan library.

[dewyatt]

I can take a look today, it's not that hard to work around it.

EDIT: I did test a couple of workarounds successfully, I'll try to get something out today but I'm slightly out of commission with back pain at the moment.

[dewyatt]

I filed randombit/botan#2582 and and created msys2/MINGW-packages#7640. I'll try to get an immediate workaround in here now.

[rrrooommmaaa]

I filed randombit/botan#2582 and and created msys2/MINGW-packages#7640. I'll try to get an immediate workaround in here now.

Good! Thanks for your effort in this complicated matter.

[rrrooommmaaa]

When the test succeeds, we'll need to restore CTEST_PARALLEL and probably timeout settings too.

[ronaldtse]

Seems that the Windows test ran out of time at 3 hours at test 205:

        Start 204: cli_tests-EncryptElgamal
1535
204/213 Test #204: cli_tests-EncryptElgamal ......................................................   Passed   17.75 sec
1536
        Start 205: cli_tests-Misc
1537
Terminate batch job (Y/N)? 
1538

Stuck?

[ni4]

Stuck?

Yeah, looks like updated Botan package didn't get into distribution yet.

[ni4]

@rrrooommmaaa Could you please update it here to mingw-w64-x86_64-libbotan-2.17.3-2-any.pkg.tar.zst as only since this version MinGW applies Daniel's patch from https://github.com/msys2/MINGW-packages/pull/7640/files? I can do it myself, but then we'll end up with rebase/merge hell due to force-push.

[ni4]

P.S. And add some comment why that specific version is used.

[dewyatt]

Yeah sorry I dropped the ball on this but I have to step away for a few days. That is hopefully a quick solution, I was going to just do a makepkg w/thread_utils disabled in CI so we could have 2.16 across the board, but really I don't think it's that important and your solution should be quicker and easier.

[rrrooommmaaa]

@rrrooommmaaa Could you please update it here to mingw-w64-x86_64-libbotan-2.17.3-2-any.pkg.tar.zst as only since this version MinGW applies Daniel's patch from https://github.com/msys2/MINGW-packages/pull/7640/files? I can do it myself, but then we'll end up with rebase/merge hell due to force-push.

Sure.

[ni4]

@rrrooommmaaa Finally all green! Let's squash it to the single commit and approve.

[ronaldtse]

Thank you guys!!