** Description changed: + [ Impact ] + + * After enabling fips (or fips-updates) libqpdf will fail to calculate + MD5 for decoding the PDFs (which are used by cups-filters during the + printing process). + + * Printing may become impossible after enabling FIPS. + + [ Test Plan ] + + * Enable FIPS: + pro attach # to be able to enable FIPS mode + pro enable fips-updates + reboot # to boot the fips kernel + + * Try to run the filter directly: + /usr/lib/cups/filter/pdftopdf 555 $USER title 1 "" /usr/share/cups/data/confidential.pdf + + * With affected qpdf version it aborts with the following messages: + ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated. + ERROR: pdftopdf filter function failed. + + [ Where problems could occur ] + + * The patch relaxes gnutls restrictions on algorithms in non-security related contexts (GNUTLS_FIPS140_LAX mode). If there is an automated tooling or auditting software they may detect that not only FIPS-approved algorithms are + being used. + + However, in context of decoding PDFs it is not possible to get rid of + MD5 entirely. It's usage however is limited to only non-security related + taks. + + [ Other Info ] + + Original bug description: + After enabling fips/fips-updates it is impossible to print anymore. Requesting a print results in the following message in the cups logs: `ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated.` I have came up with a small reproducer: ``` pro attach # to be able to enable FIPS mode pro enable fips-updates reboot # to boot the fips kernel # with FIPS mode enabled /usr/lib/cups/filter/pdftopdf 555 $USER title 1 "" /usr/share/cups/data/confidential.pdf ``` The output ends with: ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not enabled was negotiated. ERROR: pdftopdf filter function failed. 
I have tracked the problematic code to: QPDF::compute_data_key in libqpdf/QPDF_encryption.cc It unconditionally uses MD5 (that in turn asks gnutls for MD5) and in FIPS mode it fails as MD5 is not fips-approved. The bottomline is: it is not possible to print with fips-mode enabled.
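Review bot: the [ Test Plan ] section ends at the failing output for the affected qpdf version and never states the expected result with the fixed package; add a line saying the pdftopdf command should complete without the "gnutls: MD5 error" message, so that whoever verifies the update has a pass criterion. In [ Where problems could occur ], the GNUTLS_FIPS140_LAX relaxation is described without saying how narrowly it is scoped (only around the MD5 call in the PDF decoding path, or for the whole process); stating that would let auditors judge the exposure. Minor wording: "auditting", "It's usage" and "taks" should read "auditing", "Its usage" and "tasks".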
-- 
https://bugs.launchpad.net/bugs/2129676

Title: QPDF tries to use MD5 in FIPS mode
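Why MD5 cannot simply be dropped from this code path: for the RC4 and AESV2 security handlers, the PDF specification derives each object's key with MD5 over the file key plus the object and generation numbers. The sketch below is an added example, not qpdf's code and not part of the bug report; it uses Python's `hashlib` flag `usedforsecurity=False` as an analogue of the GNUTLS_FIPS140_LAX relaxation mentioned in the description, and the file key is constructed.

```python
"""Per-object key derivation for the PDF RC4 / AESV2 security handlers."""
import hashlib

AES_SALT = b"sAlT"  # appended for AESV2 objects, per the PDF specification


def md5_nonsecurity(data: bytes) -> bytes:
    # usedforsecurity=False (Python 3.9+) declares a non-security use, so a
    # FIPS-enforcing OpenSSL build still permits the call. Assumption: used
    # here as an analogue of GNUTLS_FIPS140_LAX, not as qpdf's mechanism.
    return hashlib.md5(data, usedforsecurity=False).digest()


def object_key(file_key: bytes, objid: int, generation: int,
               use_aes: bool = False) -> bytes:
    """Derive the key for one indirect object (handlers with V < 5)."""
    if not 5 <= len(file_key) <= 16:
        raise ValueError("file key must be 40 to 128 bits")
    material = (
        file_key
        + (objid & 0xFFFFFF).to_bytes(3, "little")     # low 3 bytes of object number
        + (generation & 0xFFFF).to_bytes(2, "little")  # low 2 bytes of generation
    )
    if use_aes:
        material += AES_SALT
    # The format fixes MD5 here: any other digest yields a different key and
    # the object's streams and strings no longer decrypt.
    return md5_nonsecurity(material)[: min(len(file_key) + 5, 16)]


if __name__ == "__main__":
    demo_key = bytes.fromhex("0011223344")  # constructed 40-bit file key
    for objid in (7, 8):
        print(objid, object_key(demo_key, objid, 0).hex())
```

The digest here only mixes the object identity into an existing key; the confidentiality of the document still rests on the cipher and the file key, which is the sense in which the description calls this MD5 use non-security related.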
