import qpdf-10.3.1-4.el9_0.1

2022-08-09 11:54:21 -04:00 · 2022-08-09 11:54:21 -04:00 · 1d784a76ef
commit 1d784a76ef
parent 6b182ebb70
2 changed files with 140 additions and 88 deletions
--- a/SOURCES/qpdf-relax.patch
+++ b/SOURCES/qpdf-relax.patch
@ -1,124 +1,55 @@
-diff -up qpdf-10.2.0/libqpdf/QPDF.cc.relax qpdf-10.2.0/libqpdf/QPDF.cc
--- qpdf-10.2.0/libqpdf/QPDF.cc.relax	2021-02-23 16:41:58.000000000 +0100
-+++ qpdf-10.2.0/libqpdf/QPDF.cc	2021-02-24 12:35:50.715329461 +0100
+diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
+index 3eeea86..2a6923c 100644
+--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -11,6 +11,10 @@
 #include <string.h>
 #include <memory.h>
 
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
 #include <qpdf/QTC.hh>
 #include <qpdf/QUtil.hh>
 #include <qpdf/Pipeline.hh>
-@@ -261,7 +265,13 @@ QPDF::processFile(char const* filename,
+@@ -262,7 +266,13 @@ QPDF::processFile(char const* filename, char const* password)
 {
     FileInputSource* fi = new FileInputSource();
     fi->setFilename(filename);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
     processInputSource(fi, password);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
 }
 
 void
-@@ -270,7 +280,13 @@ QPDF::processFile(char const* descriptio
+@@ -271,7 +281,13 @@ QPDF::processFile(char const* description, FILE* filep,
 {
     FileInputSource* fi = new FileInputSource();
     fi->setFile(description, filep, close_file);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
     processInputSource(fi, password);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
 }
 
 void
-diff -up qpdf-10.2.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.2.0/libqpdf/QPDF_encryption.cc
--- qpdf-10.2.0/libqpdf/QPDF_encryption.cc.relax	2021-02-23 16:41:58.000000000 +0100
-+++ qpdf-10.2.0/libqpdf/QPDF_encryption.cc	2021-02-24 12:37:17.267561185 +0100
-@@ -1,6 +1,8 @@
- // This file implements methods from the QPDF class that involve
- // encryption.
- 
-+#include <qpdf/qpdf-config.h>
-+
- #include <qpdf/QPDF.hh>
- 
- #include <qpdf/QPDFExc.hh>
-@@ -18,6 +20,10 @@
- #include <assert.h>
- #include <string.h>
- 
-+#ifdef HAVE_GNUTLS
-+# include <gnutls/crypto.h>
-+#endif
-+
- static unsigned char const padding_string[] = {
-     0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
-     0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
-@@ -1150,6 +1156,12 @@ QPDF::getKeyForObject(
- void
- QPDF::decryptString(std::string& str, int objid, int generation)
- {
-+#ifdef HAVE_GNUTLS
-+    unsigned oldmode = gnutls_fips140_mode_enabled();
-+
-+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
-     if (objid == 0)
-     {
- 	return;
-@@ -1230,6 +1242,10 @@ QPDF::decryptString(std::string& str, in
- 		      QUtil::int_to_string(objid) + " " +
- 		      QUtil::int_to_string(generation) + ": " + e.what());
-     }
-+
-+#ifdef HAVE_GNUTLS
-+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
- }
- 
- void
-@@ -1240,6 +1256,12 @@ QPDF::decryptStream(PointerHolder<Encryp
- 		    QPDFObjectHandle& stream_dict,
- 		    std::vector<PointerHolder<Pipeline> >& heap)
- {
-+#ifdef HAVE_GNUTLS
-+    unsigned oldmode = gnutls_fips140_mode_enabled();
-+
-+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
-     std::string type;
-     if (stream_dict.getKey("/Type").isName())
-     {
-@@ -1361,6 +1383,10 @@ QPDF::decryptStream(PointerHolder<Encryp
-                               toI(key.length()));
-     }
-     heap.push_back(pipeline);
-+
-+#ifdef HAVE_GNUTLS
-+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
- }
- 
- void
-diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter.cc
--- qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax	2021-02-23 16:41:58.000000000 +0100
-+++ qpdf-10.2.0/libqpdf/QPDFWriter.cc	2021-02-24 12:35:50.716329452 +0100
+diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
+index 689fef7..57df1eb 100644
+--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
@@ -24,6 +24,10 @@
 #include <algorithm>
 #include <stdlib.h>
 
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +#include <gnutls/crypto.h>
 +#endif
 +
@ -130,7 +61,7 @@ diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter.
 {
     this->m->deterministic_id = val;
 +
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    if (val)
 +	GNUTLS_FIPS140_SET_LAX_MODE();
 +    else
@ -144,7 +75,7 @@ diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter.
 {
     this->m->preserve_encryption = val;
 +
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    if (val)
 +	GNUTLS_FIPS140_SET_STRICT_MODE();
 +    else
@ -152,4 +83,122 @@ diff -up qpdf-10.2.0/libqpdf/QPDFWriter.cc.relax qpdf-10.2.0/libqpdf/QPDFWriter.
 +#endif
 }
 
+ void
+@@ -2301,12 +2319,23 @@ QPDFWriter::generateID()
+ 	    }
+ 	}
+ 
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+ 	MD5 m;
+ 	m.encodeString(seed.c_str());
+ 	MD5::Digest digest;
+ 	m.digest(digest);
+ 	result = std::string(reinterpret_cast<char*>(digest),
+                              sizeof(MD5::Digest));
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     }
+ 
+     // If /ID already exists, follow the spec: use the original first
+diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
+index 2ff48df..ce6fb31 100644
+--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
+@@ -1,6 +1,8 @@
+ // This file implements methods from the QPDF class that involve
+ // encryption.
+ 
+#include <qpdf/qpdf-config.h>
+
+ #include <qpdf/QPDF.hh>
+ 
+ #include <qpdf/QPDFExc.hh>
+@@ -18,6 +20,10 @@
+ #include <assert.h>
+ #include <string.h>
+ 
+#ifdef USE_CRYPTO_GNUTLS
+# include <gnutls/crypto.h>
+#endif
+
+ static unsigned char const padding_string[] = {
+     0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
+     0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
+@@ -380,10 +386,21 @@ QPDF::compute_data_key(std::string const& encryption_key,
+ 	result += "sAlT";
+     }
+ 
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     MD5 md5;
+     md5.encodeDataIncrementally(result.c_str(), result.length());
+     MD5::Digest digest;
+     md5.digest(digest);
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     return std::string(reinterpret_cast<char*>(digest),
+ 		       std::min(result.length(), toS(16)));
+ }
+@@ -1150,6 +1167,12 @@ QPDF::getKeyForObject(
+ void
+ QPDF::decryptString(std::string& str, int objid, int generation)
+ {
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     if (objid == 0)
+     {
+ 	return;
+@@ -1230,6 +1253,10 @@ QPDF::decryptString(std::string& str, int objid, int generation)
+ 		      QUtil::int_to_string(objid) + " " +
+ 		      QUtil::int_to_string(generation) + ": " + e.what());
+     }
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+ }
+ 
+ void
+@@ -1240,6 +1267,12 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+ 		    QPDFObjectHandle& stream_dict,
+ 		    std::vector<PointerHolder<Pipeline> >& heap)
+ {
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     std::string type;
+     if (stream_dict.getKey("/Type").isName())
+     {
+@@ -1361,6 +1394,10 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+                               toI(key.length()));
+     }
+     heap.push_back(pipeline);
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+ }
+ 
 void
--- a/SPECS/qpdf.spec
+++ b/SPECS/qpdf.spec
@ -1,7 +1,7 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 10.3.1
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 # MIT: e.g. libqpdf/sha2.c
 # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under
 # old license (see README)
@ -153,6 +153,9 @@ make check


 %changelog
+* Thu Jul 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.3.1-4.1
+- 2106940 - FIPS breaks pdftopdf and bannertopdf
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 10.3.1-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688