From 38a91e7bdda384cdf7fe19d1fa356f6e8452b021 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 14 Jul 2022 17:01:28 +0200
Subject: [PATCH] Revert "2107240 - FIPS breaks pdftopdf and bannertopdf"

This reverts commit 703b9e4b1b6de8eb028265d22b8eef62d84fee89.
---
 qpdf-relax.patch | 199 ++++++++++++++++++-----------------------------
 qpdf.spec        |   5 +-
 2 files changed, 76 insertions(+), 128 deletions(-)

diff --git a/qpdf-relax.patch b/qpdf-relax.patch
index 2693e43..6cdaf0c 100644
--- a/qpdf-relax.patch
+++ b/qpdf-relax.patch
@@ -1,117 +1,48 @@
-diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
-index 3eeea86..2a6923c 100644
---- a/libqpdf/QPDF.cc
-+++ b/libqpdf/QPDF.cc
-@@ -11,6 +11,10 @@
- #include <string.h>
+diff -up qpdf-10.6.0/libqpdf/QPDF.cc.relax qpdf-10.6.0/libqpdf/QPDF.cc
+--- qpdf-10.6.0/libqpdf/QPDF.cc.relax	2022-02-10 12:27:57.433450324 +0100
++++ qpdf-10.6.0/libqpdf/QPDF.cc	2022-02-10 12:41:11.071905145 +0100
+@@ -13,6 +13,10 @@
  #include <memory.h>
+ #include <regex>
  
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
  #include <qpdf/QTC.hh>
  #include <qpdf/QUtil.hh>
  #include <qpdf/Pipeline.hh>
-@@ -262,7 +266,13 @@ QPDF::processFile(char const* filename, char const* password)
+@@ -270,7 +274,13 @@ QPDF::processFile(char const* filename,
  {
      FileInputSource* fi = new FileInputSource();
      fi->setFilename(filename);
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(fi, password);
-+#ifdef USE_CRYPTO_GNUTLS
+     processInputSource(PointerHolder<InputSource>(fi), password);
++#ifdef HAVE_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
  }
  
  void
-@@ -271,7 +281,13 @@ QPDF::processFile(char const* description, FILE* filep,
+@@ -279,7 +289,13 @@ QPDF::processFile(char const* descriptio
  {
      FileInputSource* fi = new FileInputSource();
      fi->setFile(description, filep, close_file);
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(fi, password);
-+#ifdef USE_CRYPTO_GNUTLS
+     processInputSource(PointerHolder<InputSource>(fi), password);
++#ifdef HAVE_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
  }
  
  void
-diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
-index 689fef7..57df1eb 100644
---- a/libqpdf/QPDFWriter.cc
-+++ b/libqpdf/QPDFWriter.cc
-@@ -24,6 +24,10 @@
- #include <algorithm>
- #include <stdlib.h>
- 
-+#ifdef USE_CRYPTO_GNUTLS
-+#include <gnutls/crypto.h>
-+#endif
-+
- QPDFWriter::Members::Members(QPDF& pdf) :
-     pdf(pdf),
-     filename("unspecified"),
-@@ -321,6 +325,13 @@ void
- QPDFWriter::setDeterministicID(bool val)
- {
-     this->m->deterministic_id = val;
-+
-+#ifdef USE_CRYPTO_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+#endif
- }
- 
- void
-@@ -342,6 +353,13 @@ void
- QPDFWriter::setPreserveEncryption(bool val)
- {
-     this->m->preserve_encryption = val;
-+
-+#ifdef USE_CRYPTO_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+#endif
- }
- 
- void
-@@ -2301,12 +2319,23 @@ QPDFWriter::generateID()
- 	    }
- 	}
- 
-+#ifdef USE_CRYPTO_GNUTLS
-+    unsigned oldmode = gnutls_fips140_mode_enabled();
-+
-+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
- 	MD5 m;
- 	m.encodeString(seed.c_str());
- 	MD5::Digest digest;
- 	m.digest(digest);
- 	result = std::string(reinterpret_cast<char*>(digest),
-                              sizeof(MD5::Digest));
-+
-+#ifdef USE_CRYPTO_GNUTLS
-+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
-     }
- 
-     // If /ID already exists, follow the spec: use the original first
-diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
-index 2ff48df..ce6fb31 100644
---- a/libqpdf/QPDF_encryption.cc
-+++ b/libqpdf/QPDF_encryption.cc
+diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_encryption.cc
+--- qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax	2022-02-09 11:47:58.000000000 +0100
++++ qpdf-10.6.0/libqpdf/QPDF_encryption.cc	2022-02-10 12:39:22.295390998 +0100
 @@ -1,6 +1,8 @@
  // This file implements methods from the QPDF class that involve
  // encryption.
@@ -125,40 +56,18 @@ index 2ff48df..ce6fb31 100644
  #include <assert.h>
  #include <string.h>
  
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
  static unsigned char const padding_string[] = {
      0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
      0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
-@@ -380,10 +386,21 @@ QPDF::compute_data_key(std::string const& encryption_key,
- 	result += "sAlT";
-     }
- 
-+#ifdef USE_CRYPTO_GNUTLS
-+    unsigned oldmode = gnutls_fips140_mode_enabled();
-+
-+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
-     MD5 md5;
-     md5.encodeDataIncrementally(result.c_str(), result.length());
-     MD5::Digest digest;
-     md5.digest(digest);
-+
-+#ifdef USE_CRYPTO_GNUTLS
-+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
-+#endif
-+
-     return std::string(reinterpret_cast<char*>(digest),
- 		       std::min(result.length(), toS(16)));
- }
-@@ -1150,6 +1167,12 @@ QPDF::getKeyForObject(
+@@ -1149,6 +1155,12 @@ QPDF::getKeyForObject(
  void
  QPDF::decryptString(std::string& str, int objid, int generation)
  {
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@@ -166,23 +75,23 @@ index 2ff48df..ce6fb31 100644
 +
      if (objid == 0)
      {
- 	return;
-@@ -1230,6 +1253,10 @@ QPDF::decryptString(std::string& str, int objid, int generation)
- 		      QUtil::int_to_string(objid) + " " +
- 		      QUtil::int_to_string(generation) + ": " + e.what());
+         return;
+@@ -1229,6 +1241,10 @@ QPDF::decryptString(std::string& str, in
+                       QUtil::int_to_string(objid) + " " +
+                       QUtil::int_to_string(generation) + ": " + e.what());
      }
 +
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
  }
  
  void
-@@ -1240,6 +1267,12 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
- 		    QPDFObjectHandle& stream_dict,
- 		    std::vector<PointerHolder<Pipeline> >& heap)
+@@ -1239,6 +1255,12 @@ QPDF::decryptStream(PointerHolder<Encryp
+                     QPDFObjectHandle& stream_dict,
+                     std::vector<std::shared_ptr<Pipeline>>& heap)
  {
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@@ -191,14 +100,56 @@ index 2ff48df..ce6fb31 100644
      std::string type;
      if (stream_dict.getKey("/Type").isName())
      {
-@@ -1361,6 +1394,10 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
-                               toI(key.length()));
+@@ -1361,6 +1383,10 @@ QPDF::decryptStream(PointerHolder<Encryp
      }
-     heap.push_back(pipeline);
+     pipeline = new_pipeline.get();
+     heap.push_back(new_pipeline);
 +
-+#ifdef USE_CRYPTO_GNUTLS
++#ifdef HAVE_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
  }
  
+ void
+diff -up qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax qpdf-10.6.0/libqpdf/QPDFWriter.cc
+--- qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax	2022-02-09 11:47:58.000000000 +0100
++++ qpdf-10.6.0/libqpdf/QPDFWriter.cc	2022-02-10 12:27:57.434450320 +0100
+@@ -25,6 +25,10 @@
+ #include <algorithm>
+ #include <stdlib.h>
+ 
++#ifdef HAVE_GNUTLS
++#include <gnutls/crypto.h>
++#endif
++
+ QPDFWriter::Members::Members(QPDF& pdf) :
+     pdf(pdf),
+     filename("unspecified"),
+@@ -339,6 +343,13 @@ void
+ QPDFWriter::setDeterministicID(bool val)
+ {
+     this->m->deterministic_id = val;
++
++#ifdef HAVE_GNUTLS
++    if (val)
++	GNUTLS_FIPS140_SET_LAX_MODE();
++    else
++	GNUTLS_FIPS140_SET_STRICT_MODE();
++#endif
+ }
+ 
+ void
+@@ -360,6 +371,13 @@ void
+ QPDFWriter::setPreserveEncryption(bool val)
+ {
+     this->m->preserve_encryption = val;
++
++#ifdef HAVE_GNUTLS
++    if (val)
++	GNUTLS_FIPS140_SET_STRICT_MODE();
++    else
++	GNUTLS_FIPS140_SET_LAX_MODE();
++#endif
+ }
+ 
  void
diff --git a/qpdf.spec b/qpdf.spec
index 974cff6..c19ac82 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -1,7 +1,7 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 10.6.3
-Release: 2%{?dist}
+Release: 1%{?dist}
 # MIT: e.g. libqpdf/sha2.c
 # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under
 # old license (see README)
@@ -154,9 +154,6 @@ make check
 
 
 %changelog
-* Thu Jul 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-2
-- 2107240 - FIPS breaks pdftopdf and bannertopdf
-
 * Fri Mar 18 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-1
 - 2063429 - qpdf-10.6.3 is available