botan2: 2.9.0 -> 2.17.2 #105461

Merged
merged 2 commits into from Dec 21, 2020

mweinelt
Member

Motivation for this change

Updated botan2 by a bunch of versions, thereby addressing the two advisories botan2 got in 2020.

https://botan.randombit.net/security.html

2020

    2020-07-05: Failure to enforce name constraints on alternative names

    The path validation algorithm enforced name constraints on the primary DN included in the certificate but failed to do so against alternative DNs which may be included in the subject alternative name. This would allow a corrupted sub-CA which was constrained by a name constraints extension in its own certificate to issue a certificate containing a prohibited DN. Until 2.15.0, there was no API to access these alternative name DNs so it is unlikely that any application would make incorrect access control decisions on the basis of the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.

    Introduced in 1.11.29, fixed in 2.15.0

    2020-03-24: Side channel during CBC padding

    The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg.

    Fixed in 2.14.0, all prior versions affected.

I have not checked the release notes yet and the commit message could probably use some love after doing that.
I have made sure that botan and botan2 build.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
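
The length leak described in the CBC padding advisory quoted in the description, as an added example (not Botan's code and not part of this PR): a PKCS#7 padder whose loop count follows the message length, next to one that always walks a full block and selects each byte with a mask. The names `pad_branching`, `pad_masked`, `mask_gte` and the `steps` counter are illustrative assumptions, and the masking is source-level only, since a compiler may still emit branches.

```cpp
// Added example (not Botan's implementation): PKCS#7 padding two ways.
#include <cstddef>
#include <cstdint>
#include <vector>
using u8 = std::uint8_t;

struct Padded {
    std::vector<u8> data;  // message plus padding
    std::size_t steps;     // loop iterations spent writing padding
};

// Variable-time: the loop runs pad_len times, so its duration and branch
// history depend on the message length modulo the block size.
Padded pad_branching(std::vector<u8> msg, std::size_t bs) {
    const std::size_t pad_len = bs - (msg.size() % bs);
    std::size_t steps = 0;
    for (std::size_t i = 0; i < pad_len; ++i, ++steps)
        msg.push_back(static_cast<u8>(pad_len));
    return {msg, steps};
}

// 0xFF if a >= b, else 0x00, computed from the borrow bit without a branch.
// Valid while both values are below half the size_t range (true for indexes).
static inline u8 mask_gte(std::size_t a, std::size_t b) {
    const std::size_t borrow = (a - b) >> (sizeof(std::size_t) * 8 - 1);
    return static_cast<u8>(borrow - 1);  // borrow 0 -> 0xFF, borrow 1 -> 0x00
}

// Length-independent loop: always grows by one block, walks exactly bs bytes
// of the final block and picks "existing byte" or "pad byte" with a mask.
// Assumes bs <= 255 so the pad value fits in one byte.
Padded pad_masked(std::vector<u8> msg, std::size_t bs) {
    const std::size_t len = msg.size();
    const std::size_t pad_len = bs - (len % bs);
    msg.resize(len + bs, 0);
    const std::size_t block_start = len + pad_len - bs;
    std::size_t steps = 0;
    for (std::size_t i = block_start; i != block_start + bs; ++i, ++steps) {
        const u8 m = mask_gte(i, len);
        msg[i] = static_cast<u8>((m & pad_len) | (~m & msg[i]));
    }
    msg.resize(len + pad_len);  // shrink back to the block boundary
    return {msg, steps};
}
```

Both functions return the same bytes; only `steps` differs, which is the quantity a cache or branch-predictor observer can correlate with the plaintext length.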

@@ -1,6 +1,7 @@
{ stdenv, fetchurl, python, bzip2, zlib, gmp, openssl, boost
# Passed by version specific builders
, baseVersion, revision, sha256
, srcext ? "tar.xz"
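Review bot: the `, srcext ? "tar.xz"` line sits under the `# Passed by version specific builders` comment but, unlike `baseVersion`, `revision` and `sha256`, it carries a default, so a version-specific builder that omits it gets `tar.xz` with no indication that a choice was made. Add a short comment stating that the argument is optional and which builders are expected to override it, or move it out from under that comment.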
Member

@andir andir Nov 30, 2020

Let's keep these camelCase:

Suggested change
, srcext ? "tar.xz"
, sourceExtension ? "tar.xz"

@andir
Member

andir commented Nov 30, 2020

neopg fails to build with this version of botan2:

In file included from /build/source/neopg-tool/cli/compress_command.cpp:8:
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/comp_filter.h:11:24: error: expected constructor, destructor, or type conversion before '(' token
   11 | BOTAN_DEPRECATED_HEADER(comp_filter.h)
      |                        ^
In file included from /nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/types.h:14,
                 from /nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/secmem.h:11,
                 from /nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/filters.h:12,
                 from /nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/comp_filter.h:13,
                 from /build/source/neopg-tool/cli/compress_command.cpp:8:
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h: In function 'void Botan::copy_mem(T*, const T*, std::size_t)':
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h:136:4: error: 'assertion_failure' is not a member of 'Botan'
  136 |    BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr,
      |    ^~~~~~~~~~~~~~~~~~~~~~~~
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h: In function 'std::size_t Botan::buffer_insert(std::vector<_Tp, _Alloc>&, std::size_t, const T*, std::size_t)':
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h:233:4: error: 'assertion_failure' is not a member of 'Botan'
  233 |    BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
      |    ^~~~~~~~~~~~~~~~~~
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h: In function 'std::size_t Botan::buffer_insert(std::vector<_Tp, _Alloc>&, std::size_t, const std::vector<T, Alloc2>&)':
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/mem_ops.h:247:4: error: 'assertion_failure' is not a member of 'Botan'
  247 |    BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
      |    ^~~~~~~~~~~~~~~~~~
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/filter.h: In member function 'void Botan::Filter::send(const std::vector<unsigned char, Alloc>&, std::size_t)':
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/filter.h:83:10: error: 'assertion_failure' is not a member of 'Botan'
   83 |          BOTAN_ASSERT_NOMSG(length <= in.size());
      |          ^~~~~~~~~~~~~~~~~~
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/cipher_mode.h: In member function 'void Botan::Cipher_Mode::update(Botan::secure_vector<unsigned char>&, std::size_t)':
/nix/store/am5drb1pqlwfyrgz62c0f8c0pv589lwi-botan-2.17.2/include/botan-2/botan/cipher_mode.h:114:10: error: 'assertion_failure' is not a member of 'Botan'
  114 |          BOTAN_ASSERT(buffer.size() >= offset, "Offset ok");
      |          ^~~~~~~~~~~~

@andir
Member

andir commented Nov 30, 2020

Given that neopg looks effectively dead and has the following in its README.md we might as well mark it as broken with a reference (and brief summary) to this PR.

Currently, NeoPG is under development, and in an exploratory phase. No promises are made about the stability, functionality, and security of the development releases "0.0.x". I am actively seeking feedback and guidance for the API design and scope of functionality from users and application developers.

From a purely practical point, the software should build and run, and a lot of legacy functionality is available through the "gpg2", "gpg-agent", "dirmngr" etc. subcommands. New subcommands are introduced as functionality is added or replaced.

From an organizational point of view, this is currently a one-man project without third-party funding. A significant amount of time is spent on developing a more substantial basis for the project. So you will see periods of coding activity, but also periods of organizational activity (such as talks, and grant application writing).

(source: https://github.com/das-labor/neopg/blame/05b370c04ffc019e55d75ab262d17abe6e69cafc/README.md#L34-L38)

@andir
Member

andir commented Nov 30, 2020

Other than the commit message, neopg (see above) & the small nit regarding sourceExtension this should be good to merge.

In botan 2.11.0 the upstream switched to tar.xz archives. To continue
supporting botan1 the source package extension can now be overridden from
within the specialized package.

Addresses two advisories, neither of which received a CVE:
- 2020-07-05: Failure to enforce name constraints on alternative names
- 2020-03-24: Side channel during CBC padding
@mweinelt
Member Author

Reported the neopg issue upstream. das-labor/neopg#98

Fails to build with recent versions of botan2. The issue has been
reported upstream at das-labor/neopg#98.
@mweinelt mweinelt marked this pull request as ready for review November 30, 2020 19:04
@7c6f434c 7c6f434c merged commit 67e7d11 into NixOS:master Dec 21, 2020
@mweinelt mweinelt deleted the botan branch January 14, 2021 07:08
@mweinelt mweinelt added the 9.needs: port to stable A PR needs a backport to the stable release. label Jan 14, 2021
@mweinelt
Member Author

@erictapen I believe this update warrants a backport as well.

@erictapen
Member

Backport in 01c6a08.

@erictapen erictapen added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Jan 14, 2021