Update release notes for #1587

m-holger
1 parent 91ad44eb
Showing 2 changed files with 8 additions and 5 deletions
libqpdf/QPDFCrypto_gnutls.cc
manual/release-notes.rst
@@ -18,9 +18,7 @@ QPDFCrypto_gnutls::QPDFCrypto_gnutls() :
     if (fips_mode) {
         // Relax FIPS mode for the lifetime of this object
-        gnutls_fips140_set_mode(
-            GNUTLS_FIPS140_LAX,
-            GNUTLS_FIPS140_SET_MODE_THREAD);
+        gnutls_fips140_set_mode(GNUTLS_FIPS140_LAX, GNUTLS_FIPS140_SET_MODE_THREAD);
     }
 }
@@ -38,8 +36,7 @@ QPDFCrypto_gnutls::~QPDFCrypto_gnutls()
     if (fips_mode) {
         // Restore saved FIPS mode
         gnutls_fips140_set_mode(
-            static_cast<gnutls_fips_mode_t>(fips_mode),
-            GNUTLS_FIPS140_SET_MODE_THREAD);
+            static_cast<gnutls_fips_mode_t>(fips_mode), GNUTLS_FIPS140_SET_MODE_THREAD);
     }
 }
@@ -71,6 +71,12 @@ more detail.
   - Other changes
+    - When running in a FIPS environment using the GnuTLS crypto provider,
+      calls to GnuTLS now use 'LAX' mode as the use of weak algorithms is
+      required to decrypt existing files and is specified by the PDF standards
+      for purposes unrelated to encryption. It is up to users to ensure
+      they comply with FIPS where required.
+
     - Calling ``QPDF::getRoot`` on a file with invalid trailer now throws a
       ``damaged_pdf`` error with message "unable to find /Root dictionary"
       rather than an internal error.