50092c
diff --git a/config.h.cmake b/config.h.cmake
50092c
index 7989cbfb..6f5e147e 100644
50092c
--- a/config.h.cmake
50092c
+++ b/config.h.cmake
50092c
@@ -24,9 +24,6 @@
50092c
 /* Use zlib instead of builtin zlib decoder to uncompress flate streams. */
50092c
 #cmakedefine ENABLE_ZLIB_UNCOMPRESS 1
50092c
 
50092c
-/* Build against libnss3 for digital signature validation */
50092c
-#cmakedefine ENABLE_NSS3 1
50092c
-
50092c
 /* Use cairo for rendering. */
50092c
 #cmakedefine HAVE_CAIRO 1
50092c
 
50092c
diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
50092c
index 16476f4f..9f4adda3 100644
50092c
--- a/poppler/Decrypt.cc
50092c
+++ b/poppler/Decrypt.cc
50092c
@@ -39,17 +39,33 @@
50092c
 #include "goo/grandom.h"
50092c
 #include "Decrypt.h"
50092c
 #include "Error.h"
50092c
-
50092c
+#ifdef ENABLE_NSS3
50092c
+#include <nss.h>
50092c
+#include <prerror.h>
50092c
+#include <sechash.h>
50092c
+#endif
50092c
+
50092c
+#ifdef ENABLE_NSS3
50092c
+static PK11Context *rc4InitContext(const unsigned char *key, int keyLen);
50092c
+static unsigned char rc4DecryptByte(PK11Context *context, unsigned char c);
50092c
+#else
50092c
 static void rc4InitKey(const unsigned char *key, int keyLen, unsigned char *state);
50092c
 static unsigned char rc4DecryptByte(unsigned char *state, unsigned char *x, unsigned char *y, unsigned char c);
50092c
+#endif
50092c
 
50092c
 static bool aesReadBlock(Stream *str, unsigned char *in, bool addPadding);
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+static PK11Context *aesInitContext(unsigned char *in, unsigned char *objKey, int objKeyLength, bool decrypt);
50092c
+#else
50092c
 static void aesKeyExpansion(DecryptAESState *s, const unsigned char *objKey, int objKeyLen, bool decrypt);
50092c
+#endif
50092c
 static void aesEncryptBlock(DecryptAESState *s, const unsigned char *in);
50092c
 static void aesDecryptBlock(DecryptAESState *s, const unsigned char *in, bool last);
50092c
 
50092c
+#ifndef ENABLE_NSS3
50092c
 static void aes256KeyExpansion(DecryptAES256State *s, const unsigned char *objKey, int objKeyLen, bool decrypt);
50092c
+#endif
50092c
 static void aes256EncryptBlock(DecryptAES256State *s, const unsigned char *in);
50092c
 static void aes256DecryptBlock(DecryptAES256State *s, const unsigned char *in, bool last);
50092c
 
50092c
@@ -70,6 +86,31 @@ static const unsigned char passwordPad[32] = {
50092c
 // Decrypt
50092c
 //------------------------------------------------------------------------
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+static void shutdownNSS()
50092c
+{
50092c
+    if (NSS_Shutdown() != SECSuccess) {
50092c
+        error(errInternal, -1, "NSS shutdown failed: {0:s}",
50092c
+              PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
50092c
+    }
50092c
+}
50092c
+
50092c
+static bool initNSS() {
50092c
+    if (NSS_IsInitialized()) {
50092c
+        return true;
50092c
+    } else {
50092c
+        if (NSS_NoDB_Init(".") != SECSuccess) {
50092c
+            error(errInternal, -1, "NSS initialization failed: {0:s}",
50092c
+                  PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
50092c
+            return false;
50092c
+        } else {
50092c
+            atexit(shutdownNSS);
50092c
+            return true;
50092c
+        }
50092c
+    }
50092c
+}
50092c
+#endif
50092c
+
50092c
 bool Decrypt::makeFileKey(int encVersion, int encRevision, int keyLength, const GooString *ownerKey, const GooString *userKey, const GooString *ownerEnc, const GooString *userEnc, int permissions, const GooString *fileID,
50092c
                           const GooString *ownerPassword, const GooString *userPassword, unsigned char *fileKey, bool encryptMetadata, bool *ownerPasswordOk)
50092c
 {
50092c
@@ -80,13 +121,21 @@ bool Decrypt::makeFileKey(int encVersio
50092c
     DecryptAES256State state;
50092c
     unsigned char test[127 + 56], test2[32];
50092c
     GooString *userPassword2;
50092c
-    unsigned char fState[256];
50092c
     unsigned char tmpKey[16];
50092c
-    unsigned char fx, fy;
50092c
     int len, i, j;
50092c
+#ifdef ENABLE_NSS3
50092c
+    PK11Context *rc4Context;
50092c
+#else
50092c
+    unsigned char fState[256];
50092c
+    unsigned char fx, fy;
50092c
+#endif
50092c
 
50092c
     *ownerPasswordOk = false;
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+    initNSS();
50092c
+#endif
50092c
+
50092c
     if (encRevision == 5 || encRevision == 6) {
50092c
 
50092c
         // check the owner password
50092c
@@ -115,14 +164,26 @@ bool Decrypt::makeFileKey(int encVersio
50092c
                     // test contains the initial SHA-256 hash input K.
50092c
                     revision6Hash(ownerPassword, test, userKey->c_str());
50092c
                 }
50092c
+#ifndef ENABLE_NSS3
50092c
                 aes256KeyExpansion(&state, test, 32, true);
50092c
+#endif
50092c
                 for (i = 0; i < 16; ++i) {
50092c
                     state.cbc[i] = 0;
50092c
                 }
50092c
+#ifdef ENABLE_NSS3
50092c
+                state.context = aesInitContext(state.cbc, test, 32, true);
50092c
+                if (state.context) {
50092c
+#endif
50092c
                 aes256DecryptBlock(&state, (unsigned char *)ownerEnc->c_str(), false);
50092c
                 memcpy(fileKey, state.buf, 16);
50092c
                 aes256DecryptBlock(&state, (unsigned char *)ownerEnc->c_str() + 16, false);
50092c
                 memcpy(fileKey + 16, state.buf, 16);
50092c
+#ifdef ENABLE_NSS3
50092c
+                PK11_DestroyContext(state.context, PR_TRUE);
50092c
+                } else {
50092c
+                    return false;
50092c
+                }
50092c
+#endif
50092c
 
50092c
                 *ownerPasswordOk = true;
50092c
                 return true;
50092c
@@ -156,14 +217,26 @@ bool Decrypt::makeFileKey(int encVersio
50092c
                     // user key is not used in computing intermediate user key.
50092c
                     revision6Hash(userPassword, test, nullptr);
50092c
                 }
50092c
+#ifndef ENABLE_NSS3
50092c
                 aes256KeyExpansion(&state, test, 32, true);
50092c
+#endif
50092c
                 for (i = 0; i < 16; ++i) {
50092c
                     state.cbc[i] = 0;
50092c
                 }
50092c
+#ifdef ENABLE_NSS3
50092c
+                state.context = aesInitContext(state.cbc, test, 32, true);
50092c
+                if (state.context) {
50092c
+#endif
50092c
                 aes256DecryptBlock(&state, (unsigned char *)userEnc->c_str(), false);
50092c
                 memcpy(fileKey, state.buf, 16);
50092c
                 aes256DecryptBlock(&state, (unsigned char *)userEnc->c_str() + 16, false);
50092c
                 memcpy(fileKey + 16, state.buf, 16);
50092c
+#ifdef ENABLE_NSS3
50092c
+                PK11_DestroyContext(state.context, PR_TRUE);
50092c
+                } else {
50092c
+                    return false;
50092c
+                }
50092c
+#endif
50092c
 
50092c
                 return true;
50092c
             }
50092c
@@ -189,22 +262,41 @@ bool Decrypt::makeFileKey(int encVersio
50092c
                 }
50092c
             }
50092c
             if (encRevision == 2) {
50092c
+#ifdef ENABLE_NSS3
50092c
+                rc4Context = rc4InitContext(test, keyLength);
50092c
+                if (rc4Context) {
50092c
+                    for (i = 0; i < 32; ++i)
50092c
+                        test2[i] = rc4DecryptByte(rc4Context, ownerKey->getChar(i));
50092c
+                    PK11_DestroyContext(rc4Context, PR_TRUE);
50092c
+                }
50092c
+#else
50092c
                 rc4InitKey(test, keyLength, fState);
50092c
                 fx = fy = 0;
50092c
                 for (i = 0; i < 32; ++i) {
50092c
                     test2[i] = rc4DecryptByte(fState, &fx, &fy, ownerKey->getChar(i));
50092c
                 }
50092c
+#endif
50092c
             } else {
50092c
                 memcpy(test2, ownerKey->c_str(), 32);
50092c
                 for (i = 19; i >= 0; --i) {
50092c
                     for (j = 0; j < keyLength; ++j) {
50092c
                         tmpKey[j] = test[j] ^ i;
50092c
                     }
50092c
+#ifdef ENABLE_NSS3
50092c
+                    rc4Context = rc4InitContext(tmpKey, keyLength);
50092c
+                    if (rc4Context) {
50092c
+                        for (j = 0; j < 32; ++j) {
50092c
+                            test2[j] = rc4DecryptByte(rc4Context, test2[j]);
50092c
+                        }
50092c
+                        PK11_DestroyContext(rc4Context, PR_TRUE);
50092c
+                    }
50092c
+#else
50092c
                     rc4InitKey(tmpKey, keyLength, fState);
50092c
                     fx = fy = 0;
50092c
                     for (j = 0; j < 32; ++j) {
50092c
                         test2[j] = rc4DecryptByte(fState, &fx, &fy, test2[j]);
50092c
                     }
50092c
+#endif
50092c
                 }
50092c
             }
50092c
             userPassword2 = new GooString((char *)test2, 32);
50092c
@@ -232,11 +324,15 @@ bool Decrypt::makeFileKey2(int encVersi
50092c
 {
50092c
     unsigned char *buf;
50092c
     unsigned char test[32];
50092c
-    unsigned char fState[256];
50092c
     unsigned char tmpKey[16];
50092c
-    unsigned char fx, fy;
50092c
     int len, i, j;
50092c
-    bool ok;
50092c
+    bool ok = true;
50092c
+#ifdef ENABLE_NSS3
50092c
+    PK11Context *rc4Context;
50092c
+#else
50092c
+    unsigned char fState[256];
50092c
+    unsigned char fx, fy;
50092c
+#endif
50092c
 
50092c
     // generate file key
50092c
     buf = (unsigned char *)gmalloc(72 + fileID->getLength());
50092c
@@ -273,28 +369,52 @@ bool Decrypt::makeFileKey2(int encVersi
50092c
 
50092c
     // test user password
50092c
     if (encRevision == 2) {
50092c
+#ifdef ENABLE_NSS3
50092c
+        rc4Context = rc4InitContext(fileKey, keyLength);
50092c
+        if (rc4Context) {
50092c
+            for (i = 0; i < 32; ++i)
50092c
+                test[i] = rc4DecryptByte(rc4Context, userKey->getChar(i));
50092c
+            PK11_DestroyContext(rc4Context, PR_TRUE);
50092c
+        } else {
50092c
+            ok = false;
50092c
+        }
50092c
+#else
50092c
         rc4InitKey(fileKey, keyLength, fState);
50092c
         fx = fy = 0;
50092c
         for (i = 0; i < 32; ++i) {
50092c
             test[i] = rc4DecryptByte(fState, &fx, &fy, userKey->getChar(i));
50092c
         }
50092c
-        ok = memcmp(test, passwordPad, 32) == 0;
50092c
+#endif
50092c
+        if (ok)
50092c
+            ok = memcmp(test, passwordPad, 32) == 0;
50092c
     } else if (encRevision == 3) {
50092c
         memcpy(test, userKey->c_str(), 32);
50092c
         for (i = 19; i >= 0; --i) {
50092c
             for (j = 0; j < keyLength; ++j) {
50092c
                 tmpKey[j] = fileKey[j] ^ i;
50092c
             }
50092c
+#ifdef ENABLE_NSS3
50092c
+            rc4Context = rc4InitContext(tmpKey, keyLength);
50092c
+            if (rc4Context) {
50092c
+                for (j = 0; j < 32; ++j)
50092c
+                    test[j] = rc4DecryptByte(rc4Context, test[j]);
50092c
+                PK11_DestroyContext(rc4Context, PR_TRUE);
50092c
+            } else {
50092c
+                ok = false;
50092c
+            }
50092c
+#else
50092c
             rc4InitKey(tmpKey, keyLength, fState);
50092c
             fx = fy = 0;
50092c
             for (j = 0; j < 32; ++j) {
50092c
                 test[j] = rc4DecryptByte(fState, &fx, &fy, test[j]);
50092c
             }
50092c
+#endif
50092c
         }
50092c
         memcpy(buf, passwordPad, 32);
50092c
         memcpy(buf + 32, fileID->c_str(), fileID->getLength());
50092c
         md5(buf, 32 + fileID->getLength(), buf);
50092c
-        ok = memcmp(test, buf, 16) == 0;
50092c
+        if (ok)
50092c
+            ok = memcmp(test, buf, 16) == 0;
50092c
     } else {
50092c
         ok = false;
50092c
     }
50092c
@@ -334,6 +454,9 @@ BaseCryptStream::BaseCryptStream(Stream
50092c
         if ((objKeyLength = keyLength + 5) > 16) {
50092c
             objKeyLength = 16;
50092c
         }
50092c
+#ifdef ENABLE_NSS3
50092c
+        state.rc4.context = nullptr;
50092c
+#endif
50092c
         break;
50092c
     case cryptAES:
50092c
         objKey[keyLength] = refA.num & 0xff;
50092c
@@ -349,9 +472,15 @@ BaseCryptStream::BaseCryptStream(Stream
50092c
         if ((objKeyLength = keyLength + 5) > 16) {
50092c
             objKeyLength = 16;
50092c
         }
50092c
+#ifdef ENABLE_NSS3
50092c
+        state.aes.context = nullptr;
50092c
+#endif
50092c
         break;
50092c
     case cryptAES256:
50092c
         objKeyLength = keyLength;
50092c
+#ifdef ENABLE_NSS3
50092c
+        state.aes256.context = nullptr;
50092c
+#endif
50092c
         break;
50092c
     case cryptNone:
50092c
         break;
50092c
@@ -359,10 +488,33 @@ BaseCryptStream::BaseCryptStream(Stream
50092c
     charactersRead = 0;
50092c
     nextCharBuff = EOF;
50092c
     autoDelete = true;
50092c
+
50092c
+#ifdef ENABLE_NSS3
50092c
+    initNSS();
50092c
+#endif
50092c
 }
50092c
 
50092c
 BaseCryptStream::~BaseCryptStream()
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    switch (algo) {
50092c
+    case cryptRC4:
50092c
+        if (state.rc4.context)
50092c
+            PK11_DestroyContext(state.rc4.context, PR_TRUE);
50092c
+        break;
50092c
+    case cryptAES:
50092c
+        if (state.aes.context)
50092c
+            PK11_DestroyContext(state.aes.context, PR_TRUE);
50092c
+        break;
50092c
+    case cryptAES256:
50092c
+        if (state.aes256.context)
50092c
+            PK11_DestroyContext(state.aes256.context, PR_TRUE);
50092c
+        break;
50092c
+    default:
50092c
+        break;
50092c
+    }
50092c
+#endif
50092c
+
50092c
     if (autoDelete) {
50092c
         delete str;
50092c
     }
50092c
@@ -424,18 +576,40 @@ void EncryptStream::reset() {
50092c
 
50092c
     switch (algo) {
50092c
     case cryptRC4:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (state.rc4.context)
50092c
+            PK11_DestroyContext(state.rc4.context, PR_TRUE);
50092c
+        state.rc4.context = rc4InitContext(objKey, objKeyLength);
50092c
+#else
50092c
         state.rc4.x = state.rc4.y = 0;
50092c
         rc4InitKey(objKey, objKeyLength, state.rc4.state);
50092c
+#endif
50092c
         break;
50092c
     case cryptAES:
50092c
+#ifdef ENABLE_NSS3
50092c
+        memcpy(state.aes.buf, state.aes.cbc, 16); // Copy CBC IV to buf
50092c
+        if (state.aes.context)
50092c
+            PK11_DestroyContext(state.aes.context, PR_TRUE);
50092c
+        state.aes.context = aesInitContext(state.aes.cbc, objKey, objKeyLength,
50092c
+                                           false);
50092c
+#else
50092c
         aesKeyExpansion(&state.aes, objKey, objKeyLength, false);
50092c
         memcpy(state.aes.buf, state.aes.cbc, 16); // Copy CBC IV to buf
50092c
+#endif
50092c
         state.aes.bufIdx = 0;
50092c
         state.aes.paddingReached = false;
50092c
         break;
50092c
     case cryptAES256:
50092c
+#ifdef ENABLE_NSS3
50092c
+        memcpy(state.aes256.buf, state.aes256.cbc, 16); // Copy CBC IV to buf
50092c
+        if (state.aes256.context)
50092c
+            PK11_DestroyContext(state.aes256.context, PR_TRUE);
50092c
+        state.aes256.context = aesInitContext(state.aes256.cbc, objKey, objKeyLength,
50092c
+                                              false);
50092c
+#else
50092c
         aes256KeyExpansion(&state.aes256, objKey, objKeyLength, false);
50092c
         memcpy(state.aes256.buf, state.aes256.cbc, 16); // Copy CBC IV to buf
50092c
+#endif
50092c
         state.aes256.bufIdx = 0;
50092c
         state.aes256.paddingReached = false;
50092c
         break;
50092c
@@ -456,7 +630,11 @@ int EncryptStream::lookChar() {
50092c
     case cryptRC4:
50092c
         if ((c = str->getChar()) != EOF) {
50092c
             // RC4 is XOR-based: the decryption algorithm works for encryption too
50092c
+#ifdef ENABLE_NSS3
50092c
+            c = rc4DecryptByte(state.rc4.context, (unsigned char)c);
50092c
+#else
50092c
             c = rc4DecryptByte(state.rc4.state, &state.rc4.x, &state.rc4.y, (unsigned char)c);
50092c
+#endif
50092c
         }
50092c
         break;
50092c
     case cryptAES:
50092c
@@ -506,21 +684,47 @@ void DecryptStream::reset() {
50092c
 
50092c
     switch (algo) {
50092c
     case cryptRC4:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (state.rc4.context)
50092c
+            PK11_DestroyContext(state.rc4.context, PR_TRUE);
50092c
+        state.rc4.context = rc4InitContext(objKey, objKeyLength);
50092c
+#else
50092c
         state.rc4.x = state.rc4.y = 0;
50092c
         rc4InitKey(objKey, objKeyLength, state.rc4.state);
50092c
+#endif
50092c
         break;
50092c
     case cryptAES:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (state.aes.context)
50092c
+            PK11_DestroyContext(state.aes.context, PR_TRUE);
50092c
+        for (i = 0; i < 16; ++i) {
50092c
+            state.aes.cbc[i] = str->getChar();
50092c
+        }
50092c
+        state.aes.context = aesInitContext(state.aes.cbc, objKey, objKeyLength,
50092c
+                                           true);
50092c
+#else
50092c
         aesKeyExpansion(&state.aes, objKey, objKeyLength, true);
50092c
         for (i = 0; i < 16; ++i) {
50092c
             state.aes.cbc[i] = str->getChar();
50092c
         }
50092c
+#endif
50092c
         state.aes.bufIdx = 16;
50092c
         break;
50092c
     case cryptAES256:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (state.aes256.context)
50092c
+            PK11_DestroyContext(state.aes256.context, PR_TRUE);
50092c
+        for (i = 0; i < 16; ++i) {
50092c
+            state.aes256.cbc[i] = str->getChar();
50092c
+        }
50092c
+        state.aes256.context = aesInitContext(state.aes256.cbc, objKey, objKeyLength,
50092c
+                                              true);
50092c
+#else
50092c
         aes256KeyExpansion(&state.aes256, objKey, objKeyLength, true);
50092c
         for (i = 0; i < 16; ++i) {
50092c
             state.aes256.cbc[i] = str->getChar();
50092c
         }
50092c
+#endif
50092c
         state.aes256.bufIdx = 16;
50092c
         break;
50092c
     case cryptNone:
50092c
@@ -539,10 +743,21 @@ int DecryptStream::lookChar() {
50092c
     switch (algo) {
50092c
     case cryptRC4:
50092c
         if ((c = str->getChar()) != EOF) {
50092c
+#ifdef ENABLE_NSS3
50092c
+            if (unlikely(state.rc4.context == nullptr))
50092c
+                c = EOF;
50092c
+            else
50092c
+                c = rc4DecryptByte(state.rc4.context, (unsigned char)c);
50092c
+#else
50092c
             c = rc4DecryptByte(state.rc4.state, &state.rc4.x, &state.rc4.y, (unsigned char)c);
50092c
+#endif
50092c
         }
50092c
         break;
50092c
     case cryptAES:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (unlikely(state.aes.context == nullptr))
50092c
+            break;
50092c
+#endif
50092c
         if (state.aes.bufIdx == 16) {
50092c
             if (aesReadBlock(str, in, false)) {
50092c
                 aesDecryptBlock(&state.aes, in, str->lookChar() == EOF);
50092c
@@ -555,6 +770,10 @@ int DecryptStream::lookChar() {
50092c
         }
50092c
         break;
50092c
     case cryptAES256:
50092c
+#ifdef ENABLE_NSS3
50092c
+        if (unlikely(state.aes256.context == nullptr))
50092c
+            break;
50092c
+#endif
50092c
         if (state.aes256.bufIdx == 16) {
50092c
             if (aesReadBlock(str, in, false)) {
50092c
                 aes256DecryptBlock(&state.aes256, in, str->lookChar() == EOF);
50092c
@@ -576,7 +795,176 @@ int DecryptStream::lookChar() {
50092c
 // RC4-compatible decryption
50092c
 //------------------------------------------------------------------------
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+/*
50092c
+ * This function turns given key into token key (compared to a session key
50092c
+ * which is prohibited in FIPS mode).
50092c
+ */
50092c
+static PK11SymKey *tokenizeKey(const unsigned char *key, int keyLen,
50092c
+                               CK_ATTRIBUTE_TYPE operation) {
50092c
+    CK_MECHANISM_TYPE  cipherMech = CKM_AES_CBC_PAD;
50092c
+    PK11SlotInfo      *slot;
50092c
+    PK11SymKey        *wrappingKey = nullptr;
50092c
+    PK11SymKey        *symKey = nullptr;
50092c
+    PK11SymKey        *token = nullptr;
50092c
+    SECStatus          retval;
50092c
+    SECItem           *secParam = nullptr;
50092c
+    SECItem            ivItem, wrappedKey;
50092c
+    unsigned char      output[48];   // Buffer to hold 256 bit key + padding
50092c
+    unsigned char      iv[16];       // Initialization vector for AES
50092c
+    unsigned int       outputLength;
50092c
+    int                i;
50092c
+
50092c
+    slot = PK11_GetBestSlot(CKM_AES_KEY_GEN, nullptr);
50092c
+    if (slot == nullptr) {
50092c
+        error(errInternal, -1, "Unable to find security device (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    // Generate random key for wrapping of given key by AES-256
50092c
+    wrappingKey = PK11_KeyGen(slot, CKM_AES_KEY_GEN, nullptr, 32, nullptr);
50092c
+    if (wrappingKey == nullptr) {
50092c
+        error(errInternal, -1, "Failed to generate wrapping key (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    for (i = 0; i < 16; i++)
50092c
+        iv[i] = i;
50092c
+
50092c
+    ivItem.type = siBuffer;
50092c
+    ivItem.data = iv;
50092c
+    ivItem.len = 16;
50092c
+
50092c
+    secParam = PK11_ParamFromIV(cipherMech, &ivItem);
50092c
+    if (secParam == nullptr) {
50092c
+        error(errInternal, -1, "Failed to set up PKCS11 param (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    // Encrypt given key
50092c
+    retval = PK11_Encrypt(wrappingKey,
50092c
+                          cipherMech,
50092c
+                          secParam,
50092c
+                          output,
50092c
+                          &outputLength,
50092c
+                          sizeof(output),
50092c
+                          key,
50092c
+                          keyLen);
50092c
+    if (retval != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to encrypt key (err {0:d})",
50092c
+              PR_GetError());
50092c
+    }
50092c
+
50092c
+    wrappedKey.type = siBuffer;
50092c
+    wrappedKey.data = output;
50092c
+    wrappedKey.len = outputLength;
50092c
+
50092c
+    // Unwrap the wrapped key to token so it can be used in FIPS mode
50092c
+    token = PK11_UnwrapSymKey(wrappingKey,
50092c
+                              cipherMech,
50092c
+                              &ivItem,
50092c
+                              &wrappedKey,
50092c
+                              operation,
50092c
+                              CKA_UNWRAP,
50092c
+                              keyLen);
50092c
+
50092c
+    if (token == nullptr) {
50092c
+        error(errInternal, -1, "Failed to unwrap symmetric key (err {0:d})",
50092c
+              PR_GetError());
50092c
+    }
50092c
+
50092c
+err:
50092c
+    if (secParam != nullptr)
50092c
+        SECITEM_FreeItem(secParam, PR_TRUE);
50092c
+
50092c
+    if (wrappingKey != nullptr)
50092c
+        PK11_FreeSymKey(wrappingKey);
50092c
+
50092c
+    if (symKey != nullptr)
50092c
+        PK11_FreeSymKey(symKey);
50092c
+
50092c
+    if (slot != nullptr)
50092c
+        PK11_FreeSlot(slot);
50092c
+
50092c
+    return token;
50092c
+}
50092c
+
50092c
+static PK11Context *rc4InitContext(const unsigned char *key, int keyLen) {
50092c
+    CK_MECHANISM_TYPE  cipherMech = CKM_RC4;
50092c
+    PK11SlotInfo      *slot = nullptr;
50092c
+    PK11SymKey        *symKey = nullptr;
50092c
+    SECItem           *secParam = nullptr;
50092c
+    PK11Context       *context = nullptr;
50092c
+
50092c
+    slot = PK11_GetBestSlot(cipherMech, nullptr);
50092c
+    if (slot == nullptr) {
50092c
+        error(errInternal, -1, "Unable to find security device (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    symKey = tokenizeKey(key, keyLen, cipherMech);
50092c
+    if (symKey == nullptr) {
50092c
+        error(errInternal, -1, "Failed to create token from key (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    secParam = PK11_ParamFromIV(cipherMech, nullptr);
50092c
+    if (secParam == nullptr) {
50092c
+        error(errInternal, -1, "Failed to set up PKCS11 param (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    context = PK11_CreateContextBySymKey(cipherMech,
50092c
+                                         CKA_DECRYPT,
50092c
+                                         symKey,
50092c
+                                         secParam);
50092c
+    if (context == nullptr) {
50092c
+        error(errInternal, -1, "Failed to create context (err {0:d})",
50092c
+              PR_GetError());
50092c
+    }
50092c
+
50092c
+err:
50092c
+    if (secParam != nullptr)
50092c
+        SECITEM_FreeItem(secParam, PR_TRUE);
50092c
+
50092c
+    if (symKey != nullptr)
50092c
+        PK11_FreeSymKey(symKey);
50092c
+
50092c
+    if (slot != nullptr)
50092c
+        PK11_FreeSlot(slot);
50092c
+
50092c
+    return context;
50092c
+}
50092c
+
50092c
+static unsigned char rc4DecryptByte(PK11Context *context, unsigned char c) {
50092c
+    unsigned char outputChar = 0;
50092c
+    SECStatus     retval;
50092c
+    int           outputLength;
50092c
+
50092c
+    retval = PK11_CipherOp(context,
50092c
+                           &outputChar,
50092c
+                           &outputLength,
50092c
+                           1,
50092c
+                           &c,
50092c
+                           1);
50092c
+
50092c
+    if (retval != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to decrypt byte (err {0:d})",
50092c
+              PR_GetError());
50092c
+    }
50092c
+
50092c
+    return outputChar;
50092c
+}
50092c
+
50092c
+#else
50092c
+
50092c
 static void rc4InitKey(const unsigned char *key, int keyLen, unsigned char *state)
50092c
 {
50092c
     unsigned char index1, index2;
50092c
     unsigned char t;
50092c
@@ -609,6 +997,8 @@ static unsigned char rc4DecryptByte(unsigned char *sta
50092c
     return c ^ state[(tx + ty) % 256];
50092c
 }
50092c
 
50092c
+#endif
50092c
+
50092c
 //------------------------------------------------------------------------
50092c
 // AES decryption
50092c
 //------------------------------------------------------------------------
50092c
@@ -639,6 +1029,178 @@ static bool aesReadBlock(Stream *str, G
50092c
     }
50092c
 }
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+
50092c
+static PK11Context *aesInitContext(unsigned char *in, unsigned char *objKey,
50092c
+                                   int objKeyLength, bool decrypt) {
50092c
+    CK_MECHANISM_TYPE  cipherMech = CKM_AES_CBC;
50092c
+    CK_ATTRIBUTE_TYPE  operationType = decrypt ? CKA_DECRYPT : CKA_ENCRYPT;
50092c
+    PK11SlotInfo      *slot;
50092c
+    PK11SymKey        *symKey = nullptr;
50092c
+    SECItem           *secParam = nullptr;
50092c
+    PK11Context       *context = nullptr;
50092c
+    SECItem            ivItem;
50092c
+
50092c
+    slot = PK11_GetBestSlot(cipherMech, nullptr);
50092c
+    if (slot == nullptr) {
50092c
+        error(errInternal, -1, "Unable to find security device (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    symKey = tokenizeKey(objKey, objKeyLength, cipherMech);
50092c
+    if (symKey == nullptr) {
50092c
+        error(errInternal, -1, "Failed to create token from key (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    ivItem.type = siBuffer;
50092c
+    ivItem.data = in;
50092c
+    ivItem.len = 16;
50092c
+
50092c
+    secParam = PK11_ParamFromIV(cipherMech, &ivItem);
50092c
+    if (secParam == nullptr) {
50092c
+        error(errInternal, -1, "Failed to set up PKCS11 param (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    context = PK11_CreateContextBySymKey(cipherMech,
50092c
+                                         operationType,
50092c
+                                         symKey,
50092c
+                                         secParam);
50092c
+
50092c
+err:
50092c
+    if (secParam != nullptr)
50092c
+        SECITEM_FreeItem(secParam, PR_TRUE);
50092c
+
50092c
+    if (symKey != nullptr)
50092c
+        PK11_FreeSymKey(symKey);
50092c
+
50092c
+    if (slot != nullptr)
50092c
+        PK11_FreeSlot(slot);
50092c
+
50092c
+    return context;
50092c
+}
50092c
+
50092c
+static void aesEncryptBlock(DecryptAESState *s, const unsigned char *in) {
50092c
+    SECStatus rv;
50092c
+    int       outputLength;
50092c
+
50092c
+    rv = PK11_CipherOp(s->context,
50092c
+                       s->buf,
50092c
+                       &outputLength,
50092c
+                       16,
50092c
+                       in,
50092c
+                       16);
50092c
+
50092c
+    if (rv != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to encrypt input block (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    s->bufIdx = 0;
50092c
+
50092c
+err:
50092c
+    return;
50092c
+}
50092c
+
50092c
+static void aesDecryptBlock(DecryptAESState *s, const unsigned char *in, bool last) {
50092c
+    SECStatus rv1;
50092c
+    int       outputLen;
50092c
+    int       n, i;
50092c
+
50092c
+    rv1 = PK11_CipherOp(s->context,
50092c
+                        s->buf,
50092c
+                        &outputLen,
50092c
+                        16,
50092c
+                        in,
50092c
+                        16);
50092c
+
50092c
+    if (rv1 != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to decrypt input block (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    s->bufIdx = 0;
50092c
+    if (last) {
50092c
+        n = s->buf[15];
50092c
+        if (n < 1 || n > 16) { // this should never happen
50092c
+            n = 16;
50092c
+        }
50092c
+        for (i = 15; i >= n; --i) {
50092c
+            s->buf[i] = s->buf[i-n];
50092c
+        }
50092c
+        s->bufIdx = n;
50092c
+    }
50092c
+
50092c
+err:
50092c
+    return;
50092c
+}
50092c
+
50092c
+static void aes256EncryptBlock(DecryptAES256State *s, const unsigned char *in) {
50092c
+    SECStatus rv;
50092c
+    int       outputLength;
50092c
+
50092c
+    rv = PK11_CipherOp(s->context,
50092c
+                       s->buf,
50092c
+                       &outputLength,
50092c
+                       16,
50092c
+                       in,
50092c
+                       16);
50092c
+
50092c
+    if (rv != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to encrypt input block (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    s->bufIdx = 0;
50092c
+
50092c
+err:
50092c
+    return;
50092c
+}
50092c
+
50092c
+static void aes256DecryptBlock(DecryptAES256State *s, const unsigned char *in,
50092c
+                               bool last) {
50092c
+    SECStatus rv1;
50092c
+    int       outputLen;
50092c
+    int       n, i;
50092c
+
50092c
+    rv1 = PK11_CipherOp(s->context,
50092c
+                        s->buf,
50092c
+                        &outputLen,
50092c
+                        16,
50092c
+                        in,
50092c
+                        16);
50092c
+
50092c
+    if (rv1 != SECSuccess) {
50092c
+        error(errInternal, -1, "Failed to decrypt input block (err {0:d})",
50092c
+              PR_GetError());
50092c
+        goto err;
50092c
+    }
50092c
+
50092c
+    s->bufIdx = 0;
50092c
+    if (last) {
50092c
+        n = s->buf[15];
50092c
+        if (n < 1 || n > 16) { // this should never happen
50092c
+            n = 16;
50092c
+        }
50092c
+        for (i = 15; i >= n; --i) {
50092c
+            s->buf[i] = s->buf[i-n];
50092c
+        }
50092c
+        s->bufIdx = n;
50092c
+    }
50092c
+
50092c
+err:
50092c
+    return;
50092c
+}
50092c
+
50092c
+#else
50092c
+
50092c
 static const unsigned char sbox[256] = { 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
50092c
                                          0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
50092c
                                          0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
50092c
@@ -1121,10 +1683,33 @@ static void aes256DecryptBlock(DecryptAE
50092c
     }
50092c
 }
50092c
 
50092c
+#endif
50092c
+
50092c
 //------------------------------------------------------------------------
50092c
 // MD5 message digest
50092c
 //------------------------------------------------------------------------
50092c
 
50092c
+#ifdef ENABLE_NSS3
50092c
+static void hashFunc(const unsigned char *msg, int msgLen, unsigned char *hash,
50092c
+                     HASH_HashType type) {
50092c
+    HASHContext *context;
50092c
+    unsigned int hashLen = 0;
50092c
+
50092c
+    if (!initNSS())
50092c
+        return;
50092c
+
50092c
+    context = HASH_Create(type);
50092c
+    if (context == nullptr)
50092c
+        return;
50092c
+
50092c
+    HASH_Begin(context);
50092c
+    HASH_Update(context, msg, msgLen);
50092c
+    HASH_End(context, hash, &hashLen, HASH_ResultLen(type));
50092c
+    HASH_Destroy(context);
50092c
+}
50092c
+
50092c
+#else
50092c
+
50092c
 // this works around a bug in older Sun compilers
50092c
 static inline unsigned long rotateLeft(unsigned long x, int r)
50092c
 {
50092c
@@ -1151,8 +1736,13 @@ static inline unsigned long md5Round4(unsigned long a,
50092c
     state->digest[15] = (unsigned char)(state->d >> 24);
50092c
 }
50092c
 
50092c
+#endif
50092c
+
50092c
 void md5(const unsigned char *msg, int msgLen, unsigned char *digest)
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    hashFunc(msg, msgLen, digest, HASH_AlgMD5);
50092c
+#else
50092c
     if (msgLen < 0) {
50092c
         return;
50092c
     }
50092c
@@ -1296,12 +1886,14 @@ void md5(unsigned char *msg, int msgLen, unsigned char
50092c
     for (int i = 0; i < 16; ++i) {
50092c
         digest[i] = state.digest[i];
50092c
     }
50092c
+#endif
50092c
 }
50092c
 
50092c
 //------------------------------------------------------------------------
50092c
 // SHA-256 hash
50092c
 //------------------------------------------------------------------------
50092c
 
50092c
+#ifndef ENABLE_NSS3
50092c
 static const unsigned int sha256K[64] = { 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
50092c
                                           0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
50092c
                                           0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
50092c
@@ -1400,9 +1992,13 @@ static void sha256HashBlock(unsigned char *blk,
50092c
     H[6] += g;
50092c
     H[7] += h;
50092c
 }
50092c
+#endif
50092c
 
50092c
 static void sha256(unsigned char *msg, int msgLen, unsigned char *hash)
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    hashFunc(msg, msgLen, hash, HASH_AlgSHA256);
50092c
+#else
50092c
     unsigned char blk[64];
50092c
     unsigned int H[8];
50092c
     int blkLen, i;
50092c
@@ -1453,7 +2049,10 @@ static void sha256(unsigned char *msg, int msgL
50092c
         hash[i * 4 + 2] = (unsigned char)(H[i] >> 8);
50092c
         hash[i * 4 + 3] = (unsigned char)H[i];
50092c
     }
50092c
+#endif
50092c
 }
50092c
+
50092c
+#ifndef ENABLE_NSS3
50092c
 //------------------------------------------------------------------------
50092c
 // SHA-512 hash (see FIPS 180-4)
50092c
 //------------------------------------------------------------------------
50092c
@@ -1557,9 +2156,13 @@ static void sha512HashBlock(unsigned char *blk,
50092c
     H[6] += g;
50092c
     H[7] += h;
50092c
 }
50092c
+#endif
50092c
 
50092c
 static void sha512(unsigned char *msg, int msgLen, unsigned char *hash)
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    hashFunc(msg, msgLen, hash, HASH_AlgSHA512);
50092c
+#else
50092c
     unsigned char blk[128];
50092c
     uint64_t H[8];
50092c
     int blkLen = 0, i;
50092c
@@ -1622,6 +2225,7 @@ static void sha512(unsigned char *msg, int msgL
50092c
         hash[i * 8 + 6] = (unsigned char)(H[i] >> 8);
50092c
         hash[i * 8 + 7] = (unsigned char)H[i];
50092c
     }
50092c
+#endif
50092c
 }
50092c
 
50092c
 //------------------------------------------------------------------------
50092c
@@ -1631,6 +2235,9 @@ static void sha512(unsigned char *msg, int msgL
50092c
 // 2.A 384 bit message digest is obtained by truncating the final hash value.
50092c
 static void sha384(unsigned char *msg, int msgLen, unsigned char *hash)
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    hashFunc(msg, msgLen, hash, HASH_AlgSHA384);
50092c
+#else
50092c
     unsigned char blk[128];
50092c
     uint64_t H[8];
50092c
     int blkLen, i;
50092c
@@ -1696,6 +2303,7 @@ static void sha384(unsigned char *msg, int msgL
50092c
         hash[i * 8 + 6] = (unsigned char)(H[i] >> 8);
50092c
         hash[i * 8 + 7] = (unsigned char)H[i];
50092c
     }
50092c
+#endif
50092c
 }
50092c
 
50092c
 //------------------------------------------------------------------------
50092c
@@ -1735,7 +2344,11 @@ static void revision6Hash(GooString *inp
50092c
         memcpy(state.buf, state.cbc, 16); // Copy CBC IV to buf
50092c
         state.bufIdx = 0;
50092c
         state.paddingReached = false;
50092c
+#ifdef ENABLE_NSS3
50092c
+        state.context = aesInitContext(state.cbc, aesKey, 16, false);
50092c
+#else
50092c
         aesKeyExpansion(&state, aesKey, 16, false);
50092c
+#endif
50092c
 
50092c
         for (int i = 0; i < (4 * sequenceLength); i++) {
50092c
             aesEncryptBlock(&state, K1 + (16 * i));
50092c
@@ -1776,6 +2389,9 @@ static void revision6Hash(GooString *inp
50092c
             sha512(E, totalLength, K);
50092c
         }
50092c
         rounds++;
50092c
+#ifdef ENABLE_NSS3
50092c
+        PK11_DestroyContext(state.context, PR_TRUE);
50092c
+#endif
50092c
     }
50092c
     // the first 32 bytes of the final K are the output of the function.
50092c
 }
50092c
diff --git a/poppler/Decrypt.h b/poppler/Decrypt.h
50092c
index d4667c8c..16fa9830 100644
50092c
--- a/poppler/Decrypt.h
50092c
+++ b/poppler/Decrypt.h
50092c
@@ -31,6 +32,9 @@
50092c
 #include "goo/GooString.h"
50092c
 #include "Object.h"
50092c
 #include "Stream.h"
50092c
+#ifdef ENABLE_NSS3
50092c
+#include <pk11pub.h>
50092c
+#endif
50092c
 
50092c
 //------------------------------------------------------------------------
50092c
 // Decrypt
50092c
@@ -73,14 +77,22 @@ private:
50092c
  * case of encryption. */
50092c
 struct DecryptRC4State
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    PK11Context *context;
50092c
+#else
50092c
     unsigned char state[256];
50092c
     unsigned char x, y;
50092c
+#endif
50092c
 };
50092c
 
50092c
 struct DecryptAESState
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    PK11Context *context;
50092c
+#else
50092c
     unsigned int w[44];
50092c
     unsigned char state[16];
50092c
+#endif
50092c
     unsigned char cbc[16];
50092c
     unsigned char buf[16];
50092c
     bool paddingReached; // encryption only
50092c
@@ -87,8 +99,12 @@ struct DecryptAESState {
50092c
 
50092c
 struct DecryptAES256State
50092c
 {
50092c
+#ifdef ENABLE_NSS3
50092c
+    PK11Context *context;
50092c
+#else
50092c
     unsigned int w[60];
50092c
     unsigned char state[16];
50092c
+#endif
50092c
     unsigned char cbc[16];
50092c
     unsigned char buf[16];
50092c
     bool paddingReached; // encryption only
50092c
diff --git a/poppler/poppler-config.h.cmake b/poppler/poppler-config.h.cmake
50092c
index f0a5a1a0..dcaade6f 100644
50092c
--- a/poppler/poppler-config.h.cmake
50092c
+++ b/poppler/poppler-config.h.cmake
50092c
@@ -115,6 +115,12 @@
50092c
 #cmakedefine HAVE_SPLASH 1
50092c
 #endif
50092c
 
50092c
+/* Build against libnss3 for digital signature validation and
50092c
+   implementation of encryption/decryption. */
50092c
+#ifndef ENABLE_NSS3
50092c
+#cmakedefine ENABLE_NSS3 1
50092c
+#endif
50092c
+
50092c
 //------------------------------------------------------------------------
50092c
 // version
50092c
 //------------------------------------------------------------------------