2107240 - FIPS breaks pdftopdf and bannertopdf

2022-07-14 16:55:32 +02:00 · 2022-07-14 16:55:32 +02:00 · 703b9e4b1b
commit 703b9e4b1b
parent 456b830154
2 changed files with 128 additions and 76 deletions
--- a/qpdf-relax.patch
+++ b/qpdf-relax.patch
@ -1,48 +1,117 @@
-diff -up qpdf-10.6.0/libqpdf/QPDF.cc.relax qpdf-10.6.0/libqpdf/QPDF.cc
--- qpdf-10.6.0/libqpdf/QPDF.cc.relax	2022-02-10 12:27:57.433450324 +0100
-+++ qpdf-10.6.0/libqpdf/QPDF.cc	2022-02-10 12:41:11.071905145 +0100
-@@ -13,6 +13,10 @@
+diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
+index 3eeea86..2a6923c 100644
+--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
+@@ -11,6 +11,10 @@
+ #include <string.h>
 #include <memory.h>
- #include <regex>
 
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
 #include <qpdf/QTC.hh>
 #include <qpdf/QUtil.hh>
 #include <qpdf/Pipeline.hh>
-@@ -270,7 +274,13 @@ QPDF::processFile(char const* filename,
+@@ -262,7 +266,13 @@ QPDF::processFile(char const* filename, char const* password)
 {
     FileInputSource* fi = new FileInputSource();
     fi->setFilename(filename);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(PointerHolder<InputSource>(fi), password);
-+#ifdef HAVE_GNUTLS
+     processInputSource(fi, password);
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
 }
 
 void
-@@ -279,7 +289,13 @@ QPDF::processFile(char const* descriptio
+@@ -271,7 +281,13 @@ QPDF::processFile(char const* description, FILE* filep,
 {
     FileInputSource* fi = new FileInputSource();
     fi->setFile(description, filep, close_file);
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(PointerHolder<InputSource>(fi), password);
-+#ifdef HAVE_GNUTLS
+     processInputSource(fi, password);
+#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
 }
 
 void
-diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_encryption.cc
--- qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax	2022-02-09 11:47:58.000000000 +0100
-+++ qpdf-10.6.0/libqpdf/QPDF_encryption.cc	2022-02-10 12:39:22.295390998 +0100
+diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
+index 689fef7..57df1eb 100644
+--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
+@@ -24,6 +24,10 @@
+ #include <algorithm>
+ #include <stdlib.h>
+ 
+#ifdef USE_CRYPTO_GNUTLS
+#include <gnutls/crypto.h>
+#endif
+
+ QPDFWriter::Members::Members(QPDF& pdf) :
+     pdf(pdf),
+     filename("unspecified"),
+@@ -321,6 +325,13 @@ void
+ QPDFWriter::setDeterministicID(bool val)
+ {
+     this->m->deterministic_id = val;
+
+#ifdef USE_CRYPTO_GNUTLS
+    if (val)
+	GNUTLS_FIPS140_SET_LAX_MODE();
+    else
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+#endif
+ }
+ 
+ void
+@@ -342,6 +353,13 @@ void
+ QPDFWriter::setPreserveEncryption(bool val)
+ {
+     this->m->preserve_encryption = val;
+
+#ifdef USE_CRYPTO_GNUTLS
+    if (val)
+	GNUTLS_FIPS140_SET_STRICT_MODE();
+    else
+	GNUTLS_FIPS140_SET_LAX_MODE();
+#endif
+ }
+ 
+ void
+@@ -2301,12 +2319,23 @@ QPDFWriter::generateID()
+ 	    }
+ 	}
+ 
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+ 	MD5 m;
+ 	m.encodeString(seed.c_str());
+ 	MD5::Digest digest;
+ 	m.digest(digest);
+ 	result = std::string(reinterpret_cast<char*>(digest),
+                              sizeof(MD5::Digest));
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     }
+ 
+     // If /ID already exists, follow the spec: use the original first
+diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
+index 2ff48df..ce6fb31 100644
+--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
@@ -1,6 +1,8 @@
 // This file implements methods from the QPDF class that involve
 // encryption.
@ -56,18 +125,40 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
 #include <assert.h>
 #include <string.h>
 
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
 static unsigned char const padding_string[] = {
     0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
     0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
-@@ -1149,6 +1155,12 @@ QPDF::getKeyForObject(
+@@ -380,10 +386,21 @@ QPDF::compute_data_key(std::string const& encryption_key,
+ 	result += "sAlT";
+     }
+ 
+#ifdef USE_CRYPTO_GNUTLS
+    unsigned oldmode = gnutls_fips140_mode_enabled();
+
+    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     MD5 md5;
+     md5.encodeDataIncrementally(result.c_str(), result.length());
+     MD5::Digest digest;
+     md5.digest(digest);
+
+#ifdef USE_CRYPTO_GNUTLS
+    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
+#endif
+
+     return std::string(reinterpret_cast<char*>(digest),
+ 		       std::min(result.length(), toS(16)));
+ }
+@@ -1150,6 +1167,12 @@ QPDF::getKeyForObject(
 void
 QPDF::decryptString(std::string& str, int objid, int generation)
 {
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@ -75,23 +166,23 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
 +
     if (objid == 0)
     {
-         return;
-@@ -1229,6 +1241,10 @@ QPDF::decryptString(std::string& str, in
-                       QUtil::int_to_string(objid) + " " +
-                       QUtil::int_to_string(generation) + ": " + e.what());
+ 	return;
+@@ -1230,6 +1253,10 @@ QPDF::decryptString(std::string& str, int objid, int generation)
+ 		      QUtil::int_to_string(objid) + " " +
+ 		      QUtil::int_to_string(generation) + ": " + e.what());
     }
 +
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
 }
 
 void
-@@ -1239,6 +1255,12 @@ QPDF::decryptStream(PointerHolder<Encryp
-                     QPDFObjectHandle& stream_dict,
-                     std::vector<std::shared_ptr<Pipeline>>& heap)
+@@ -1240,6 +1267,12 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+ 		    QPDFObjectHandle& stream_dict,
+ 		    std::vector<PointerHolder<Pipeline> >& heap)
 {
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@ -100,56 +191,14 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
     std::string type;
     if (stream_dict.getKey("/Type").isName())
     {
-@@ -1361,6 +1383,10 @@ QPDF::decryptStream(PointerHolder<Encryp
+@@ -1361,6 +1394,10 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+                               toI(key.length()));
     }
-     pipeline = new_pipeline.get();
-     heap.push_back(new_pipeline);
+     heap.push_back(pipeline);
 +
-+#ifdef HAVE_GNUTLS
+#ifdef USE_CRYPTO_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
 }
 
- void
-diff -up qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax qpdf-10.6.0/libqpdf/QPDFWriter.cc
--- qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax	2022-02-09 11:47:58.000000000 +0100
-+++ qpdf-10.6.0/libqpdf/QPDFWriter.cc	2022-02-10 12:27:57.434450320 +0100
-@@ -25,6 +25,10 @@
- #include <algorithm>
- #include <stdlib.h>
- 
-+#ifdef HAVE_GNUTLS
-+#include <gnutls/crypto.h>
-+#endif
-+
- QPDFWriter::Members::Members(QPDF& pdf) :
-     pdf(pdf),
-     filename("unspecified"),
-@@ -339,6 +343,13 @@ void
- QPDFWriter::setDeterministicID(bool val)
- {
-     this->m->deterministic_id = val;
-+
-+#ifdef HAVE_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+#endif
- }
- 
- void
-@@ -360,6 +371,13 @@ void
- QPDFWriter::setPreserveEncryption(bool val)
- {
-     this->m->preserve_encryption = val;
-+
-+#ifdef HAVE_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+#endif
- }
- 
 void
--- a/qpdf.spec
+++ b/qpdf.spec
@ -1,7 +1,7 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 10.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # MIT: e.g. libqpdf/sha2.c
 # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under
 # old license (see README)
@ -154,6 +154,9 @@ make check


 %changelog
+* Thu Jul 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-2
+- 2107240 - FIPS breaks pdftopdf and bannertopdf
+
 * Fri Mar 18 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-1
 - 2063429 - qpdf-10.6.3 is available