From 16029dd4b7fd6445389bd62e5319a173e80d0884 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 29 Jul 2019 17:28:54 +0200
Subject: [PATCH 1/2] Introduce --enable-gnutls-relax-mode, apply it in cupsHashData()
---
 config-scripts/cups-ssl.m4 | 5 +++++
 cups/hash.c | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/config-scripts/cups-ssl.m4 b/config-scripts/cups-ssl.m4
index c1648b1c10..fb6c35b578 100644
--- a/config-scripts/cups-ssl.m4
+++ b/config-scripts/cups-ssl.m4
@@ -10,6 +10,7 @@ dnl
 AC_ARG_ENABLE(ssl, [ --disable-ssl disable SSL/TLS support])
 AC_ARG_ENABLE(cdsassl, [ --enable-cdsassl use CDSA for SSL/TLS support, default=first])
 AC_ARG_ENABLE(gnutls, [ --enable-gnutls use GNU TLS for SSL/TLS support, default=second])
+AC_ARG_ENABLE(gnutls_relax_mode, [ --enable-gnutls-relax-mode use GNU TLS in relax mode for MD5 hash function at non-crypto cases, default=disabled])
 
 SSLFLAGS=""
 SSLLIBS=""
@@ -61,6 +62,10 @@ if test x$enable_ssl != xno; then
 AC_CHECK_FUNC(gnutls_transport_set_pull_timeout_function, AC_DEFINE(HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION))
 AC_CHECK_FUNC(gnutls_priority_set_direct, AC_DEFINE(HAVE_GNUTLS_PRIORITY_SET_DIRECT))
 LIBS="$SAVELIBS"
+
+ if "x$enable_gnutls_relax_mode" != "xno"; then
+ AC_DEFINE(HAVE_GNUTLS_RELAX_MODE)
+ fi
 fi
 fi
 fi
diff --git a/cups/hash.c b/cups/hash.c
index 061486076c..2ac5a8b3c9 100644
--- a/cups/hash.c
+++ b/cups/hash.c
@@ -219,7 +219,16 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */
 if (hashsize < tempsize)
 goto too_small;
 
+# if defined(HAVE_GNUTLS_RELAX_MODE)
+ GNUTLS_FIPS140_SET_LAX_MODE();
+# endif
+
 gnutls_hash_fast(alg, data, datalen, temp);
+
+# if defined(HAVE_GNUTLS_RELAX_MODE)
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+# endif
+
 memcpy(hash, temp, tempsize);
 
 return ((ssize_t)tempsize);
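Review bot: The new AC_ARG_ENABLE line names the feature `gnutls_relax_mode` with underscores while its help text advertises `--enable-gnutls-relax-mode`, unlike the neighbouring options whose macro argument and help text agree. Autoconf appears to fold `-` to `_` when it derives the shell variable, so both spellings should land in `enable_gnutls_relax_mode`, but the macro argument ought to read `AC_ARG_ENABLE(gnutls-relax-mode, ...)` so the option and its documentation match. The help text should also say plainly that this is a security trade-off rather than a "relax mode": something like `use GNU TLS in FIPS 140 lax mode for MD5 (non-cryptographic uses only), default=disabled`.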
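Review bot: `if "x$enable_gnutls_relax_mode" != "xno"; then` in the new block is missing `test`, so the shell tries to execute a command named `x`, `xyes` or `xno`, the condition is false on every run, and `HAVE_GNUTLS_RELAX_MODE` is never defined — the feature is dead as written. Once `test` is added the condition is also inverted relative to the help text's `default=disabled`: an unset variable is `!= no`, which would switch the FIPS bypass on for everyone who does not explicitly pass `--disable-gnutls-relax-mode`. The line should read `if test "x$enable_gnutls_relax_mode" = xyes; then`. Since the C side relies on `GNUTLS_FIPS140_SET_LAX_MODE()`, which not every GnuTLS release provides, it would also be worth guarding the define with an `AC_CHECK_DECL` against `<gnutls/gnutls.h>` so that requesting the option on an older GnuTLS fails at configure time instead of at compile time.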
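Review bot: The `GNUTLS_FIPS140_SET_STRICT_MODE()` placed after `gnutls_hash_fast()` does not put the mode back where it was; it forces strict mode, so a caller whose thread was already in lax or logging mode before calling cupsHashData() has that mode silently tightened by a hashing helper. If the GnuTLS being targeted exposes `gnutls_fips140_mode_enabled()` and `gnutls_fips140_set_mode()`, a save/restore is more faithful: `unsigned prev = gnutls_fips140_mode_enabled();` before the lax switch and `if (prev) gnutls_fips140_set_mode(prev, GNUTLS_FIPS140_SET_MODE_THREAD);` afterwards — confirm the thread-versus-process scope of those calls against the gnutls.h in use, since the macro bodies are not visible here. cupsHashData() begins and ends outside the hunk.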
@@ -228,8 +237,16 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */
 if (hashsize < gnutls_hash_get_len(alg))
 goto too_small;
 
+# if defined(HAVE_GNUTLS_RELAX_MODE)
+ GNUTLS_FIPS140_SET_LAX_MODE();
+# endif
+
 gnutls_hash_fast(alg, data, datalen, hash);
 
+# if defined(HAVE_GNUTLS_RELAX_MODE)
+ GNUTLS_FIPS140_SET_STRICT_MODE();
+# endif
+
 return ((ssize_t)gnutls_hash_get_len(alg));
 }
 
From a7a2883fbf276df6fd88e0e1707ec0967fb00102 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 29 Jul 2019 17:36:14 +0200
Subject: [PATCH 2/2] Minimize the patch
---
 cups/hash.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/cups/hash.c b/cups/hash.c
index 2ac5a8b3c9..b8728fe1cf 100644
--- a/cups/hash.c
+++ b/cups/hash.c
@@ -186,7 +186,13 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */
 size_t tempsize = 0; /* Truncate to this size? */
 
 if (!strcmp(algorithm, "md5"))
+ {
 alg = GNUTLS_DIG_MD5;
+
+# if defined(HAVE_GNUTLS_RELAX_MODE)
+ GNUTLS_FIPS140_SET_LAX_MODE();
+# endif
+ }
 else if (!strcmp(algorithm, "sha"))
 alg = GNUTLS_DIG_SHA1;
 else if (!strcmp(algorithm, "sha2-224"))
@@ -219,16 +225,8 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */
 if (hashsize < tempsize)
 goto too_small;
 
-# if defined(HAVE_GNUTLS_RELAX_MODE)
- GNUTLS_FIPS140_SET_LAX_MODE();
-# endif
-
 gnutls_hash_fast(alg, data, datalen, temp);
 
-# if defined(HAVE_GNUTLS_RELAX_MODE)
- GNUTLS_FIPS140_SET_STRICT_MODE();
-# endif
-
 memcpy(hash, temp, tempsize);
 
 return ((ssize_t)tempsize);
@@ -237,14 +235,11 @@ cupsHashData(const char *algorithm, /* I - Algorithm name */
 if (hashsize < gnutls_hash_get_len(alg))
 goto too_small;
 
-# if defined(HAVE_GNUTLS_RELAX_MODE)
- GNUTLS_FIPS140_SET_LAX_MODE();
-# endif
-
 gnutls_hash_fast(alg, data, datalen, hash);
 
 # if defined(HAVE_GNUTLS_RELAX_MODE)
- GNUTLS_FIPS140_SET_STRICT_MODE();
+ if (!strcmp(algorithm, "md5"))
+ GNUTLS_FIPS140_SET_STRICT_MODE();
 # endif
 
 return ((ssize_t)gnutls_hash_get_len(alg));
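Review bot: The return value of `gnutls_hash_fast(alg, data, datalen, hash)` between the two new blocks is still discarded, and the line after the strict-mode restore returns the digest length unconditionally. That is the very failure this series works around: when `HAVE_GNUTLS_RELAX_MODE` is not defined, or the lax switch turns out to be a no-op, a FIPS-enabled GnuTLS can be expected to reject MD5 and the caller then receives a success length while `hash` was never written. Capture the result, `int err = gnutls_hash_fast(alg, data, datalen, hash);`, let the strict restore run, and then `if (err < 0) return (-1);` — the function's other failure returns and the `too_small` label lie outside the hunk, so match whichever of them reports a generic failure.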
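Review bot: Entering lax mode inside the `md5` branch ties the FIPS state change to algorithm selection rather than to the hash call it is meant to cover, so the `goto too_small` size check later in cupsHashData() (outside this hunk) returns with the thread still in lax mode whenever an MD5 caller passes an undersized buffer. Keeping the switch next to `gnutls_hash_fast()` is the safer shape: leave this arm as a bare `alg = GNUTLS_DIG_MD5;` and put `if (!strcmp(algorithm, "md5")) GNUTLS_FIPS140_SET_LAX_MODE();` immediately before the hash call, paired with the strict restore immediately after it. Moving it out also avoids making `md5` the only arm of the strcmp chain that needs braces.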
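Review bot: The `goto too_small` on the second line of the hunk runs after lax mode was entered in the `md5` selection branch earlier in cupsHashData() (outside this hunk) but before the md5-guarded `GNUTLS_FIPS140_SET_STRICT_MODE()` at the bottom, so an MD5 caller with an undersized buffer leaves its thread in FIPS lax mode for everything GnuTLS does afterwards. The fix is to bracket only the hash call: enter lax mode once the size check has passed and restore straight after `gnutls_hash_fast()`, dropping the early switch from the selection branch. The restore also forces strict rather than the previous mode; if the targeted gnutls.h has `gnutls_fips140_mode_enabled()`, saving and restoring that value is more faithful — confirm against the header, as the macros' scope is not visible here. cupsHashData() continues past the end of the hunk.
```c
    if (hashsize < gnutls_hash_get_len(alg))
      goto too_small;

#  if defined(HAVE_GNUTLS_RELAX_MODE)
    if (!strcmp(algorithm, "md5"))
      GNUTLS_FIPS140_SET_LAX_MODE();	/* Only now: no early exit follows */
#  endif

    gnutls_hash_fast(alg, data, datalen, hash);

    /* … unchanged: md5-guarded GNUTLS_FIPS140_SET_STRICT_MODE() and return … */
```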