GitLab

Hi, I was asked by our security team to implement crypto methods used in poppler by a FIPS validated crypto module. One of the main reasons is validation of the implementation of those algorithms. If it is implemented using already validated module then we don't need to validate the implementation in poppler.

This is related to the ongoing effort "Fedora Crypto Consolidation" (see https://fedoraproject.org/wiki/Fedora_Crypto_Consolidation). There are listed 4 crypto libraries on the page: NSS, GnuTLS, OpenSSL and libgcrypt. I've chosen NSS for this task since poppler already uses it (as discussed in https://bugs.freedesktop.org/show_bug.cgi?id=16770).

The original implementation is still available if you build poppler without NSS.

I have to note that NSS is the only library which does not reject non-approved algorithms in FIPS mode so they still work even in FIPS mode (which can change in the future).

I should also note why I don't NSS_Shutdown() the NSS database. Because the shutdown takes some time and if you do it e.g. 20 times for different objects then there is quite some delay even for 1 page document. Could GlobalParams be used for this? E.g. a function for initialization of the NSS database as a method there and the shutdown in GlobalParams' destructor?