rnpgp / rnp

RNP: high performance C++ OpenPGP library used by Mozilla Thunderbird
https://www.rnpgp.org

Upgrade Botan to 2.14.0 #1279

Closed ronaldtse closed 3 years ago

ronaldtse commented 4 years ago

Botan is now at 2.14.0, probably time to upgrade @dewyatt @ni4? I remember we had an issue with it @dewyatt?

ni4 commented 4 years ago

There is (or was?) an issue with Botan/MinGW, discussed here: https://github.com/rnpgp/rnp/issues/1104#issuecomment-623171383

Need to recheck whether or not it is gone with the updated MinGW. Also, once building with MSVC succeeds, we would not need MinGW for TB integration, and could be compiled natively.

rrrooommmaaa commented 4 years ago

The tests just succeeded in MSVC x64 (I'm going to add x32 build too), but vcpkg provides Botan version 2.12.1 there. Will it do?

ronaldtse commented 4 years ago

There is the following issue in Botan 2.12.2:

2020-03-24: Side channel during CBC padding The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg. Fixed in 2.14.0, all prior versions affected.

Still, it depends on whether the platform supports the later versions...?
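As an added illustration of the padding side channel quoted above, here is a naive PKCS#7 padder beside a constant-time one. This is example code written for this page, not Botan's or RNP's implementation; the function names, the `steps` counter and the sample inputs are all constructed for the illustration. The leaky version's loop runs once per pad byte, so its timing and branch-predictor footprint depend on the exact plaintext length; the constant-time version touches every byte of the final block on every call and selects plaintext versus pad byte with a mask instead of a branch. (The advisory notes that unpadding was already constant time; only padding is shown here.)

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Naive PKCS#7 padding (illustrative, not Botan's code). The loop trip
// count equals block_size - (len % block_size), so timing, branch-predictor
// state and the memory touched all depend on the secret plaintext length.
// `steps` receives the number of loop iterations taken, to make that visible.
std::vector<uint8_t> pkcs7_pad_leaky(const std::vector<uint8_t>& msg,
                                     size_t block_size, size_t& steps) {
    std::vector<uint8_t> out(msg);
    const uint8_t pad = static_cast<uint8_t>(block_size - (msg.size() % block_size));
    steps = 0;
    for (uint8_t i = 0; i < pad; ++i) {   // secret-dependent trip count
        out.push_back(pad);
        ++steps;
    }
    return out;
}

// Branch-free mask: 0xFF when a >= b, 0x00 otherwise. Valid for a, b < 2^63.
static uint8_t ct_mask_ge(size_t a, size_t b) {
    const uint64_t diff = static_cast<uint64_t>(a) - static_cast<uint64_t>(b);
    const uint64_t lt = diff >> 63;                   // 1 iff a < b (diff wrapped)
    return static_cast<uint8_t>((lt - 1) & 0xFF);     // lt=0 -> 0xFF, lt=1 -> 0x00
}

// Constant-time PKCS#7 padding (illustrative). The number of whole blocks is
// public (it is visible in the ciphertext), so only the position of the
// plaintext/padding boundary inside the final block is secret. Every byte of
// that block is read and written on every call; the choice between "keep
// plaintext byte" and "write pad byte" is made with a mask, not a branch.
std::vector<uint8_t> pkcs7_pad_ct(const std::vector<uint8_t>& msg,
                                  size_t block_size, size_t& steps) {
    const size_t used = msg.size() % block_size;      // plaintext bytes in last block
    const uint8_t pad = static_cast<uint8_t>(block_size - used);
    std::vector<uint8_t> out(msg);
    out.resize(msg.size() - used + block_size, 0);    // room for the padded final block
    uint8_t* last = out.data() + (msg.size() - used);
    steps = 0;
    for (size_t i = 0; i < block_size; ++i) {         // fixed trip count
        const uint8_t mask = ct_mask_ge(i, used);     // 0xFF where padding goes
        last[i] = static_cast<uint8_t>((last[i] & ~mask) | (pad & mask));
        ++steps;
    }
    return out;
}
```

Both functions return byte-identical output; the difference is that `steps` from `pkcs7_pad_ct` is always `block_size`, while `steps` from `pkcs7_pad_leaky` equals the pad length and therefore reveals `len % block_size`. In production code the mask arithmetic would additionally need a value barrier (or a library helper such as the constant-time utilities shipped with crypto libraries) so the optimizer cannot turn the masks back into branches.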

ni4 commented 3 years ago

Update: re-checked https://github.com/rnpgp/rnp/issues/1279#issuecomment-680202719, CI still hangs with the latest msys2/mingw + latest Botan 2.14 package.

ronaldtse commented 3 years ago

@ni4 @rrrooommmaaa can we have a re-check of this issue?

rrrooommmaaa commented 3 years ago

On my MSVC system, cmake says found suitable version "2.14.0", minimum required is "2.8.0", so we should change the "required" version in CMake and it will work.

ni4 commented 3 years ago

@rrrooommmaaa Could you please make a PR which updates required Botan version to 2.14.0 and makes sure that all CI works fine?

ronaldtse commented 3 years ago

Sounds good guys — thanks!