From 703b9e4b1b6de8eb028265d22b8eef62d84fee89 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Thu, 14 Jul 2022 16:55:32 +0200
Subject: [PATCH] 2107240 - FIPS breaks pdftopdf and bannertopdf

---
 qpdf-relax.patch | 199 +++++++++++++++++++++++++++++------------------
 qpdf.spec        |   5 +-
 2 files changed, 128 insertions(+), 76 deletions(-)

diff --git a/qpdf-relax.patch b/qpdf-relax.patch
index 6cdaf0c..2693e43 100644
--- a/qpdf-relax.patch
+++ b/qpdf-relax.patch
@@ -1,48 +1,117 @@
-diff -up qpdf-10.6.0/libqpdf/QPDF.cc.relax qpdf-10.6.0/libqpdf/QPDF.cc
---- qpdf-10.6.0/libqpdf/QPDF.cc.relax	2022-02-10 12:27:57.433450324 +0100
-+++ qpdf-10.6.0/libqpdf/QPDF.cc	2022-02-10 12:41:11.071905145 +0100
-@@ -13,6 +13,10 @@
+diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
+index 3eeea86..2a6923c 100644
+--- a/libqpdf/QPDF.cc
++++ b/libqpdf/QPDF.cc
+@@ -11,6 +11,10 @@
+ #include <string.h>
  #include <memory.h>
- #include <regex>
  
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
  #include <qpdf/QTC.hh>
  #include <qpdf/QUtil.hh>
  #include <qpdf/Pipeline.hh>
-@@ -270,7 +274,13 @@ QPDF::processFile(char const* filename,
+@@ -262,7 +266,13 @@ QPDF::processFile(char const* filename, char const* password)
  {
      FileInputSource* fi = new FileInputSource();
      fi->setFilename(filename);
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(PointerHolder<InputSource>(fi), password);
-+#ifdef HAVE_GNUTLS
+     processInputSource(fi, password);
++#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
  }
  
  void
-@@ -279,7 +289,13 @@ QPDF::processFile(char const* descriptio
+@@ -271,7 +281,13 @@ QPDF::processFile(char const* description, FILE* filep,
  {
      FileInputSource* fi = new FileInputSource();
      fi->setFile(description, filep, close_file);
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_LAX_MODE();
 +#endif
-     processInputSource(PointerHolder<InputSource>(fi), password);
-+#ifdef HAVE_GNUTLS
+     processInputSource(fi, password);
++#ifdef USE_CRYPTO_GNUTLS
 +    GNUTLS_FIPS140_SET_STRICT_MODE();
 +#endif
  }
  
  void
-diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_encryption.cc
---- qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax	2022-02-09 11:47:58.000000000 +0100
-+++ qpdf-10.6.0/libqpdf/QPDF_encryption.cc	2022-02-10 12:39:22.295390998 +0100
+diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
+index 689fef7..57df1eb 100644
+--- a/libqpdf/QPDFWriter.cc
++++ b/libqpdf/QPDFWriter.cc
+@@ -24,6 +24,10 @@
+ #include <algorithm>
+ #include <stdlib.h>
+ 
++#ifdef USE_CRYPTO_GNUTLS
++#include <gnutls/crypto.h>
++#endif
++
+ QPDFWriter::Members::Members(QPDF& pdf) :
+     pdf(pdf),
+     filename("unspecified"),
+@@ -321,6 +325,13 @@ void
+ QPDFWriter::setDeterministicID(bool val)
+ {
+     this->m->deterministic_id = val;
++
++#ifdef USE_CRYPTO_GNUTLS
++    if (val)
++	GNUTLS_FIPS140_SET_LAX_MODE();
++    else
++	GNUTLS_FIPS140_SET_STRICT_MODE();
++#endif
+ }
+ 
+ void
+@@ -342,6 +353,13 @@ void
+ QPDFWriter::setPreserveEncryption(bool val)
+ {
+     this->m->preserve_encryption = val;
++
++#ifdef USE_CRYPTO_GNUTLS
++    if (val)
++	GNUTLS_FIPS140_SET_STRICT_MODE();
++    else
++	GNUTLS_FIPS140_SET_LAX_MODE();
++#endif
+ }
+ 
+ void
+@@ -2301,12 +2319,23 @@ QPDFWriter::generateID()
+ 	    }
+ 	}
+ 
++#ifdef USE_CRYPTO_GNUTLS
++    unsigned oldmode = gnutls_fips140_mode_enabled();
++
++    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
++#endif
++
+ 	MD5 m;
+ 	m.encodeString(seed.c_str());
+ 	MD5::Digest digest;
+ 	m.digest(digest);
+ 	result = std::string(reinterpret_cast<char*>(digest),
+                              sizeof(MD5::Digest));
++
++#ifdef USE_CRYPTO_GNUTLS
++    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
++#endif
++
+     }
+ 
+     // If /ID already exists, follow the spec: use the original first
+diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
+index 2ff48df..ce6fb31 100644
+--- a/libqpdf/QPDF_encryption.cc
++++ b/libqpdf/QPDF_encryption.cc
 @@ -1,6 +1,8 @@
  // This file implements methods from the QPDF class that involve
  // encryption.
@@ -56,18 +125,40 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
  #include <assert.h>
  #include <string.h>
  
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +# include <gnutls/crypto.h>
 +#endif
 +
  static unsigned char const padding_string[] = {
      0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41,
      0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
-@@ -1149,6 +1155,12 @@ QPDF::getKeyForObject(
+@@ -380,10 +386,21 @@ QPDF::compute_data_key(std::string const& encryption_key,
+ 	result += "sAlT";
+     }
+ 
++#ifdef USE_CRYPTO_GNUTLS
++    unsigned oldmode = gnutls_fips140_mode_enabled();
++
++    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
++#endif
++
+     MD5 md5;
+     md5.encodeDataIncrementally(result.c_str(), result.length());
+     MD5::Digest digest;
+     md5.digest(digest);
++
++#ifdef USE_CRYPTO_GNUTLS
++    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
++#endif
++
+     return std::string(reinterpret_cast<char*>(digest),
+ 		       std::min(result.length(), toS(16)));
+ }
+@@ -1150,6 +1167,12 @@ QPDF::getKeyForObject(
  void
  QPDF::decryptString(std::string& str, int objid, int generation)
  {
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@@ -75,23 +166,23 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
 +
      if (objid == 0)
      {
-         return;
-@@ -1229,6 +1241,10 @@ QPDF::decryptString(std::string& str, in
-                       QUtil::int_to_string(objid) + " " +
-                       QUtil::int_to_string(generation) + ": " + e.what());
+ 	return;
+@@ -1230,6 +1253,10 @@ QPDF::decryptString(std::string& str, int objid, int generation)
+ 		      QUtil::int_to_string(objid) + " " +
+ 		      QUtil::int_to_string(generation) + ": " + e.what());
      }
 +
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
  }
  
  void
-@@ -1239,6 +1255,12 @@ QPDF::decryptStream(PointerHolder<Encryp
-                     QPDFObjectHandle& stream_dict,
-                     std::vector<std::shared_ptr<Pipeline>>& heap)
+@@ -1240,6 +1267,12 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+ 		    QPDFObjectHandle& stream_dict,
+ 		    std::vector<PointerHolder<Pipeline> >& heap)
  {
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    unsigned oldmode = gnutls_fips140_mode_enabled();
 +
 +    gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
@@ -100,56 +191,14 @@ diff -up qpdf-10.6.0/libqpdf/QPDF_encryption.cc.relax qpdf-10.6.0/libqpdf/QPDF_e
      std::string type;
      if (stream_dict.getKey("/Type").isName())
      {
-@@ -1361,6 +1383,10 @@ QPDF::decryptStream(PointerHolder<Encryp
+@@ -1361,6 +1394,10 @@ QPDF::decryptStream(PointerHolder<EncryptionParameters> encp,
+                               toI(key.length()));
      }
-     pipeline = new_pipeline.get();
-     heap.push_back(new_pipeline);
+     heap.push_back(pipeline);
 +
-+#ifdef HAVE_GNUTLS
++#ifdef USE_CRYPTO_GNUTLS
 +    gnutls_fips140_set_mode(static_cast<gnutls_fips_mode_t>(oldmode), GNUTLS_FIPS140_SET_MODE_THREAD);
 +#endif
  }
  
- void
-diff -up qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax qpdf-10.6.0/libqpdf/QPDFWriter.cc
---- qpdf-10.6.0/libqpdf/QPDFWriter.cc.relax	2022-02-09 11:47:58.000000000 +0100
-+++ qpdf-10.6.0/libqpdf/QPDFWriter.cc	2022-02-10 12:27:57.434450320 +0100
-@@ -25,6 +25,10 @@
- #include <algorithm>
- #include <stdlib.h>
- 
-+#ifdef HAVE_GNUTLS
-+#include <gnutls/crypto.h>
-+#endif
-+
- QPDFWriter::Members::Members(QPDF& pdf) :
-     pdf(pdf),
-     filename("unspecified"),
-@@ -339,6 +343,13 @@ void
- QPDFWriter::setDeterministicID(bool val)
- {
-     this->m->deterministic_id = val;
-+
-+#ifdef HAVE_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+#endif
- }
- 
- void
-@@ -360,6 +371,13 @@ void
- QPDFWriter::setPreserveEncryption(bool val)
- {
-     this->m->preserve_encryption = val;
-+
-+#ifdef HAVE_GNUTLS
-+    if (val)
-+	GNUTLS_FIPS140_SET_STRICT_MODE();
-+    else
-+	GNUTLS_FIPS140_SET_LAX_MODE();
-+#endif
- }
- 
  void
diff --git a/qpdf.spec b/qpdf.spec
index c19ac82..974cff6 100644
--- a/qpdf.spec
+++ b/qpdf.spec
@@ -1,7 +1,7 @@
 Summary: Command-line tools and library for transforming PDF files
 Name:    qpdf
 Version: 10.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # MIT: e.g. libqpdf/sha2.c
 # upstream uses ASL 2.0 now, but he allowed other to distribute qpdf under
 # old license (see README)
@@ -154,6 +154,9 @@ make check
 
 
 %changelog
+* Thu Jul 14 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-2
+- 2107240 - FIPS breaks pdftopdf and bannertopdf
+
 * Fri Mar 18 2022 Zdenek Dohnal <zdohnal@redhat.com> - 10.6.3-1
 - 2063429 - qpdf-10.6.3 is available