diff -Naur libreswan-3.29-orig/lib/libswan/ike_alg_aes.c libreswan-3.29/lib/libswan/ike_alg_aes.c

--- libreswan-3.29-orig/lib/libswan/ike_alg_aes.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/lib/libswan/ike_alg_aes.c	2019-08-11 13:31:13.849294693 -0400

@@ -23,14 +23,21 @@

 #include "constants.h"		/* for BYTES_FOR_BITS() */

 #include "ietf_constants.h"

+

 #include "ike_alg.h"

+#include "ike_alg_encrypt.h"

+#include "ike_alg_integ.h"

+#include "ike_alg_prf.h"

+

 #include "ike_alg_encrypt_nss_cbc_ops.h"

 #include "ike_alg_encrypt_nss_ctr_ops.h"

 #include "ike_alg_encrypt_nss_gcm_ops.h"

+#ifdef CKM_AES_XCBC_MAC

+#include "ike_alg_prf_nss_ops.h"

+#else

 #include "ike_alg_prf_nss_xcbc_ops.h"

-#include "ike_alg_encrypt.h"

-#include "ike_alg_integ.h"

-#include "ike_alg_prf.h"

+#endif

+

 #include "sadb.h"

 const struct encrypt_desc ike_alg_encrypt_aes_cbc = {

@@ -313,6 +320,7 @@

 	.encrypt_kernel_audit_name = "AES_CCM_C",

 };

+#ifdef USE_PRF_AES_XCBC

 const struct prf_desc ike_alg_prf_aes_xcbc = {

 	.common = {

 		.name = "aes_xcbc",

@@ -326,14 +334,23 @@

 		},

 		.fips = false,

 	},

+#ifdef CKM_AES_XCBC_MAC

+	.nss = {

+		.mechanism = CKM_AES_XCBC_MAC,

+	},

+	.prf_ops = &ike_alg_prf_nss_ops,

+#else

+	/* XXX: NSS encryption algorithm used by custom XCBC */

 	.nss = {

 		.mechanism = CKM_AES_ECB,

 	},

+	.prf_ops = &ike_alg_prf_nss_xcbc_ops,

+#endif

 	.prf_key_size = BYTES_FOR_BITS(128),

 	.prf_output_size = BYTES_FOR_BITS(128),

-	.prf_ops = &ike_alg_prf_nss_xcbc_ops,

 	.prf_ike_audit_name = "aes_xcbc",

 };

+#endif

 const struct integ_desc ike_alg_integ_aes_xcbc = {

 	.common = {

@@ -351,7 +368,7 @@

 	.integ_keymat_size = AES_XCBC_DIGEST_SIZE,

 	.integ_output_size = AES_XCBC_DIGEST_SIZE_TRUNC, /* XXX 96 */

 	.integ_ikev1_ah_transform = AH_AES_XCBC_MAC,

-#ifdef USE_XCBC

+#ifdef USE_PRF_AES_XCBC

 	.prf = &ike_alg_prf_aes_xcbc,

 #endif

 #ifdef SADB_X_AALG_AES_XCBC_MAC

diff -Naur libreswan-3.29-orig/lib/libswan/ike_alg.c libreswan-3.29/lib/libswan/ike_alg.c

--- libreswan-3.29-orig/lib/libswan/ike_alg.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/lib/libswan/ike_alg.c	2019-08-11 13:31:13.850294706 -0400

@@ -478,7 +478,7 @@

 	&ike_alg_prf_sha2_384,

 	&ike_alg_prf_sha2_512,

 #endif

-#ifdef USE_XCBC

+#ifdef USE_PRF_AES_XCBC

 	&ike_alg_prf_aes_xcbc,

 #endif

 };

diff -Naur libreswan-3.29-orig/lib/libswan/ike_alg_md5.c libreswan-3.29/lib/libswan/ike_alg_md5.c

--- libreswan-3.29-orig/lib/libswan/ike_alg_md5.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/lib/libswan/ike_alg_md5.c	2019-08-11 13:31:13.851294720 -0400

@@ -26,7 +26,7 @@

 #include "ike_alg_hash.h"

 #include "ike_alg_prf.h"

 #include "ike_alg_hash_nss_ops.h"

-#include "ike_alg_prf_hmac_ops.h"

+#include "ike_alg_prf_nss_ops.h"

 #include "sadb.h"

 const struct hash_desc ike_alg_hash_md5 = {

@@ -63,10 +63,13 @@

 			[IKEv2_ALG_ID] = IKEv2_PRF_HMAC_MD5,

 		},

 	},

+	.nss = {

+		.mechanism = CKM_MD5_HMAC,

+	},

 	.prf_key_size = MD5_DIGEST_SIZE,

 	.prf_output_size = MD5_DIGEST_SIZE,

 	.hasher = &ike_alg_hash_md5,

-	.prf_ops = &ike_alg_prf_hmac_ops,

+	.prf_ops = &ike_alg_prf_nss_ops,

 	.prf_ike_audit_name = "md5",

 };

diff -Naur libreswan-3.29-orig/mk/config.mk libreswan-3.29/mk/config.mk

--- libreswan-3.29-orig/mk/config.mk	2019-08-11 13:30:45.756906229 -0400

+++ libreswan-3.29/mk/config.mk	2019-08-11 13:31:13.852294734 -0400

@@ -239,6 +239,18 @@

 NSS_UTIL_LDFLAGS ?= -lnssutil3

 NSPR_LDFLAGS ?= -lnspr4

+# Use the NSS Key Derivation Function (KDF) instead of using the NSS

+# secure hash functions to build our own PRF. With this enabled,

+# libreswan itself no longer needs to be FIPS validated.

+# Requires NSS >= 3.44

+USE_NSS_PRF?=false

+ifeq ($(USE_NSS_PRF),true)

+NSSFLAGS+=-DUSE_NSS_PRF

+USE_NSS_AVA_COPY=false

+endif

+

+#

+#

 # Use local copy of nss function CERT_CompareAVA

 # See https://bugzilla.mozilla.org/show_bug.cgi?id=1336487

 # This work-around is needed with nss versions before 3.30.

diff -Naur libreswan-3.29-orig/mk/userland-cflags.mk libreswan-3.29/mk/userland-cflags.mk

--- libreswan-3.29-orig/mk/userland-cflags.mk	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/mk/userland-cflags.mk	2019-08-11 13:31:13.853294748 -0400

@@ -269,9 +269,10 @@

 LIBTWOFISH= ${OBJDIRTOP}/lib/libcrypto/libtwofish/libtwofish.a

 endif

-USE_XCBC ?= true

-ifeq ($(USE_XCBC),true)

-USERLAND_CFLAGS += -DUSE_XCBC

+# Requires NSS >= 3.44 or backport

+USE_PRF_AES_XCBC ?= true

+ifeq ($(USE_PRF_AES_XCBC),true)

+USERLAND_CFLAGS += -DUSE_PRF_AES_XCBC

 endif

 #

diff -Naur libreswan-3.29-orig/programs/pluto/crypt_symkey.c libreswan-3.29/programs/pluto/crypt_symkey.c

--- libreswan-3.29-orig/programs/pluto/crypt_symkey.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/programs/pluto/crypt_symkey.c	2019-08-11 13:31:13.854294762 -0400

@@ -15,7 +15,6 @@

  * for more details.

  */

-#include "libreswan.h"

 #include "lswalloc.h"

 #include "lswlog.h"

 #include "ike_alg.h"

@@ -23,6 +22,7 @@

 #include "crypto.h"

 #include "lswfips.h"

 #include "lswnss.h"

+#include "crypt_prf.h"		/* hack */

 #define SPACES "    "

@@ -590,9 +590,51 @@

 PK11SymKey *prf_key_from_symkey_bytes(const char *name,

 				      const struct prf_desc *prf,

-				      size_t symkey_start_byte, size_t sizeof_symkey,

+				      size_t symkey_start_byte, size_t symkey_size,

 				      PK11SymKey *source_key)

 {

+#ifdef CKM_AES_XCBC_MAC

+	if (prf->nss.mechanism == CKM_AES_XCBC_MAC &&

+	    symkey_size != prf->prf_key_size) {

+		PK11SymKey *tmp = symkey_from_symkey("tmp", source_key,

+						     CKM_VENDOR_DEFINED, /*flags*/0,

+						     symkey_start_byte, symkey_size);

+		/*

+		 * code lifted from ike_alg_prf_nss_xcbc_ops.c

+		 */

+		size_t dkey_sz = sizeof_symkey(tmp);

+		if (dkey_sz < prf->prf_key_size) {

+			DBGF(DBG_CRYPT, "XCBC: Key %zd<%zd too small, padding with zeros",

+			     dkey_sz, prf->prf_key_size);

+			/*

+			 * right pad with zeros

+			 */

+			chunk_t zeros = alloc_chunk(prf->prf_key_size - dkey_sz, "zeros");

+			append_symkey_chunk(&tmp, zeros);

+			freeanychunk(zeros);

+		} else {

+			pexpect(dkey_sz > prf->prf_key_size);

+			DBGF(DBG_CRYPT, "XCBC: Key %zd>%zd too big, rehashing to size",

+			     dkey_sz, prf->prf_key_size);

+			/*

+			 * put the key through the mac with a zero

+			 * key; recursive

+			 */

+			chunk_t zeros = alloc_chunk(prf->prf_key_size, "zeros");

+			PK11SymKey *zero_key = prf_key_from_bytes("zeros", prf, zeros.ptr, zeros.len);

+			freeanychunk(zeros);

+			struct crypt_prf *xmac = crypt_prf_init_symkey("xmac", prf, "zero", zero_key);

+			crypt_prf_update_symkey(xmac, "tmp", tmp);

+			PK11SymKey *tmp2 = crypt_prf_final_symkey(&xmac;;

+			release_symkey(name, "tmp2", &tmp);

+			tmp = tmp2;

+		}

+		PK11SymKey *key = symkey_from_symkey(name, tmp, CKM_AES_XCBC_MAC, CKF_SIGN,

+						     0, prf->prf_key_size);

+		release_symkey(name, "tmp", &tmp);

+		return key;

+	}

+#endif

 	/*

 	 * NSS expects a key's mechanism to match the NSS algorithm

 	 * the key is intended for.  If this is wrong then the

@@ -614,7 +656,7 @@

 		mechanism = prf->nss.mechanism;

 	}

 	return symkey_from_symkey(name, source_key, mechanism, flags,

-				  symkey_start_byte, sizeof_symkey);

+				  symkey_start_byte, symkey_size);

 }

 /*

@@ -656,9 +698,13 @@

 PK11SymKey *key_from_symkey_bytes(PK11SymKey *source_key,

 				  size_t next_byte, size_t sizeof_key)

 {

-	return symkey_from_symkey("result", source_key,

-				  CKM_EXTRACT_KEY_FROM_KEY,

-				  0, next_byte, sizeof_key);

+	if (sizeof_key == 0) {

+		return NULL;

+	} else {

+		return symkey_from_symkey("result", source_key,

+					  CKM_EXTRACT_KEY_FROM_KEY,

+					  0, next_byte, sizeof_key);

+	}

 }

 /*

diff -Naur libreswan-3.29-orig/programs/pluto/ikev1_prf.c libreswan-3.29/programs/pluto/ikev1_prf.c

--- libreswan-3.29-orig/programs/pluto/ikev1_prf.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/programs/pluto/ikev1_prf.c	2019-08-11 13:31:13.855294776 -0400

@@ -17,8 +17,11 @@

  * for more details.

  */

+#include "lswlog.h"	/* for LSWLOG_PEXPECT() */

+

 #include "ikev1_prf.h"

+#include "ike_alg.h"

 #include "crypt_prf.h"

 #include "crypt_symkey.h"

@@ -32,6 +35,25 @@

 				   const chunk_t Nr,

 				   /*const*/ PK11SymKey *dh_secret /* NSS doesn't do const */)

 {

+#ifdef USE_NSS_PRF

+	CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bDataAsKey = CK_TRUE,

+		.bRekey = CK_FALSE,

+		.pNi = Ni.ptr,

+		.ulNiLen = Ni.len,

+		.pNr = Nr.ptr,

+		.ulNrLen = Nr.len,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike_prf_params,

+		.len = sizeof(ike_prf_params),

+	};

+

+        return PK11_Derive(dh_secret, CKM_NSS_IKE_PRF_DERIVE, &params,

+			    CKM_NSS_IKE1_PRF_DERIVE, CKA_DERIVE,

+			     0);

+#else

 	/* key = Ni|Nr */

 	chunk_t key = clone_chunk_chunk(Ni, Nr, "key = Ni|Nr");

 	struct crypt_prf *prf = crypt_prf_init_chunk("SKEYID sig",

@@ -42,6 +64,7 @@

 	crypt_prf_update_symkey(prf, "g^xy", dh_secret);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -51,6 +74,33 @@

 					chunk_t pre_shared_key,

 					chunk_t Ni, chunk_t Nr)

 {

+#ifdef USE_NSS_PRF

+	PK11SymKey *psk = prf_key_from_bytes("psk", prf_desc,

+                                     pre_shared_key.ptr, pre_shared_key.len);

+	PK11SymKey *skeyid;

+	if (psk == NULL) {

+		return NULL;

+	}

+

+	CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bDataAsKey = CK_FALSE,

+		.bRekey = CK_FALSE,

+		.pNi = Ni.ptr,

+		.ulNiLen = Ni.len,

+		.pNr = Nr.ptr,

+		.ulNrLen = Nr.len,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike_prf_params,

+		.len = sizeof(ike_prf_params),

+	};

+	skeyid = PK11_Derive(psk, CKM_NSS_IKE_PRF_DERIVE, &params,

+			      CKM_NSS_IKE1_PRF_DERIVE, CKA_DERIVE,

+			      0 );

+	release_symkey("SKEYID psk", "psk", &psk;;

+	return skeyid;

+#else

 	/* key = pre-shared-key */

 	struct crypt_prf *prf = crypt_prf_init_chunk("SKEYID psk", prf_desc,

 						     "psk", pre_shared_key);

@@ -59,6 +109,7 @@

 	crypt_prf_update_chunk(prf, "Nr", Nr);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -69,6 +120,26 @@

 			   PK11SymKey *dh_secret,

 			   chunk_t cky_i, chunk_t cky_r)

 {

+#ifdef USE_NSS_PRF

+	CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bHasPrevKey = CK_FALSE,

+		.hKeygxy = PK11_GetSymKeyHandle(dh_secret),

+		.pCKYi = cky_i.ptr,

+		.ulCKYiLen = cky_i.len,

+		.pCKYr = cky_r.ptr,

+		.ulCKYrLen = cky_r.len,

+		.keyNumber = 0,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike1_prf_params,

+		.len = sizeof(ike1_prf_params),

+	};

+

+	return PK11_Derive(skeyid, CKM_NSS_IKE1_PRF_DERIVE, &params,

+			    CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE,

+			    0);

+#else

 	/* key = SKEYID */

 	struct crypt_prf *prf = crypt_prf_init_symkey("SKEYID_d", prf_desc,

 						      "SKEYID", skeyid);

@@ -79,6 +150,7 @@

 	crypt_prf_update_byte(prf, "0", 0);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -89,6 +161,27 @@

 			   PK11SymKey *skeyid_d, PK11SymKey *dh_secret,

 			   chunk_t cky_i, chunk_t cky_r)

 {

+#ifdef USE_NSS_PRF

+	CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bHasPrevKey = CK_TRUE,

+		.hKeygxy = PK11_GetSymKeyHandle(dh_secret),

+		.hPrevKey = PK11_GetSymKeyHandle(skeyid_d),

+		.pCKYi = cky_i.ptr,

+		.ulCKYiLen = cky_i.len,

+		.pCKYr = cky_r.ptr,

+		.ulCKYrLen = cky_r.len,

+		.keyNumber = 1,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike1_prf_params,

+		.len = sizeof(ike1_prf_params),

+	};

+

+	return PK11_Derive(skeyid, CKM_NSS_IKE1_PRF_DERIVE, &params,

+			    CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE,

+			    0);

+#else

 	/* key = SKEYID */

 	struct crypt_prf *prf = crypt_prf_init_symkey("SKEYID_a", prf_desc,

 						      "SKEYID", skeyid);

@@ -100,6 +193,7 @@

 	crypt_prf_update_byte(prf, "1", 1);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -110,6 +204,27 @@

 			   PK11SymKey *skeyid_a, PK11SymKey *dh_secret,

 			   chunk_t cky_i, chunk_t cky_r)

 {

+#ifdef USE_NSS_PRF

+	CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bHasPrevKey = CK_TRUE,

+		.hKeygxy = PK11_GetSymKeyHandle(dh_secret),

+		.hPrevKey = PK11_GetSymKeyHandle(skeyid_a),

+		.pCKYi = cky_i.ptr,

+		.ulCKYiLen = cky_i.len,

+		.pCKYr = cky_r.ptr,

+		.ulCKYrLen = cky_r.len,

+		.keyNumber = 2,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike1_prf_params,

+		.len = sizeof(ike1_prf_params),

+	};

+

+	return PK11_Derive(skeyid, CKM_NSS_IKE1_PRF_DERIVE, &params,

+			    CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE,

+			    0);

+#else

 	/* key = SKEYID */

 	struct crypt_prf *prf = crypt_prf_init_symkey("SKEYID_e", prf_desc,

 						      "SKEYID", skeyid);

@@ -121,6 +236,7 @@

 	crypt_prf_update_byte(prf, "2", 2);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 PK11SymKey *appendix_b_keymat_e(const struct prf_desc *prf_desc,

@@ -128,6 +244,20 @@

 				PK11SymKey *skeyid_e,

 				unsigned required_keymat)

 {

+#ifdef USE_NSS_PRF

+	CK_MECHANISM_TYPE mechanism = prf_desc->nss.mechanism;

+	CK_MECHANISM_TYPE target = encrypter->nss.mechanism;

+	SECItem params = {

+		.data = (unsigned char *)&mechanism,

+		.len = sizeof(mechanism),

+	};

+	/* for when ENCRYPTER isn't NSS */

+	if (target == 0) target = CKM_EXTRACT_KEY_FROM_KEY;

+

+	return PK11_DeriveWithFlags(skeyid_e, CKM_NSS_IKE1_APP_B_PRF_DERIVE,

+			    &params, target, CKA_ENCRYPT,

+			    required_keymat, CKF_DECRYPT);

+#else

 	if (sizeof_symkey(skeyid_e) >= required_keymat) {

 		return encrypt_key_from_symkey_bytes("keymat", encrypter,

 						     0, required_keymat,

@@ -160,4 +290,5 @@

 							     keymat);

 	release_symkey(__func__, "keymat", &keymat);

 	return cryptkey;

+#endif

 }

diff -Naur libreswan-3.29-orig/programs/pluto/ikev2_prf.c libreswan-3.29/programs/pluto/ikev2_prf.c

--- libreswan-3.29-orig/programs/pluto/ikev2_prf.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/programs/pluto/ikev2_prf.c	2019-08-11 13:33:13.680951735 -0400

@@ -32,12 +32,44 @@

 /*

  * IKEv2 - RFC4306 2.14 SKEYSEED - calculation.

  */

+#ifdef USE_NSS_PRF

+static PK11SymKey *ikev2_prfplus_key_data(

+					  const struct prf_desc *prf_desc,

+					  PK11SymKey *key,

+					  PK11SymKey *seed_key,

+					  chunk_t    seed_data,

+					  size_t required_keymat)

+{

+	CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ike_prf_plus_params = {

+		.pSeedData = seed_data.ptr,

+		.ulSeedDataLen = seed_data.len,

+		.prfMechanism = prf_desc->nss.mechanism,

+	};

+	if (seed_key == NULL) {

+		ike_prf_plus_params.bHasSeedKey = CK_FALSE;

+	} else {

+		ike_prf_plus_params.bHasSeedKey = CK_TRUE;

+		ike_prf_plus_params.hSeedKey = PK11_GetSymKeyHandle(seed_key);

+	}

+	SECItem params = {

+		.data = (unsigned char *)&ike_prf_plus_params,

+		.len = sizeof(ike_prf_plus_params),

+	};

+

+        return PK11_Derive(key, CKM_NSS_IKE_PRF_PLUS_DERIVE, &params,

+			    CKM_EXTRACT_KEY_FROM_KEY, CKA_DERIVE,

+			    required_keymat);

+}

+#endif

 PK11SymKey *ikev2_prfplus(const struct prf_desc *prf_desc,

 			PK11SymKey *key,

 			PK11SymKey *seed,

 			size_t required_keymat)

 {

+#ifdef USE_NSS_PRF

+	return ikev2_prfplus_key_data(prf_desc, key, seed, empty_chunk, required_keymat);

+#else

 	uint8_t count = 1;

 	/* T1(prfplus) = prf(KEY, SEED|1) */

@@ -66,6 +98,7 @@

 	}

 	release_symkey(__func__, "old_t[final]", &old_t);

 	return prfplus;

+#endif

 }

 /*

@@ -77,6 +110,33 @@

 				  const chunk_t Ni, const chunk_t Nr,

 				  PK11SymKey *dh_secret)

 {

+

+#ifdef USE_NSS_PRF

+	int is_aes_prf = 0;

+	switch (prf_desc->common.id[IKEv2_ALG_ID]) {

+	case IKEv2_PRF_AES128_CMAC:

+	case IKEv2_PRF_AES128_XCBC:

+		is_aes_prf = 1;

+	}

+

+	CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bDataAsKey = CK_TRUE,

+		.bRekey = CK_FALSE,

+		.pNi = Ni.ptr,

+		.ulNiLen = is_aes_prf ? BYTES_FOR_BITS(64) : Ni.len,

+		.pNr = Nr.ptr,

+		.ulNrLen = is_aes_prf ? BYTES_FOR_BITS(64) : Nr.len,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike_prf_params,

+		.len = sizeof(ike_prf_params),

+	};

+

+	return PK11_Derive(dh_secret, CKM_NSS_IKE_PRF_DERIVE, &params,

+			    CKM_NSS_IKE_PRF_PLUS_DERIVE, CKA_DERIVE,

+			    0);

+#else

 	/*

 	 * 2.14.  Generating Keying Material for the IKE SA

 	 *

@@ -117,6 +177,7 @@

 	crypt_prf_update_symkey(prf, "g^ir", dh_secret);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -127,6 +188,26 @@

 					PK11SymKey *new_dh_secret,

 					const chunk_t Ni, const chunk_t Nr)

 {

+#ifdef USE_NSS_PRF

+	CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf_params = {

+		.prfMechanism = prf_desc->nss.mechanism,

+		.bDataAsKey = CK_FALSE,

+		.bRekey = CK_TRUE,

+		.hNewKey = PK11_GetSymKeyHandle(new_dh_secret),

+		.pNi = Ni.ptr,

+		.ulNiLen = Ni.len,

+		.pNr = Nr.ptr,

+		.ulNrLen = Nr.len,

+	};

+	SECItem params = {

+		.data = (unsigned char *)&ike_prf_params,

+		.len = sizeof(ike_prf_params),

+	};

+

+	return PK11_Derive(SK_d_old, CKM_NSS_IKE_PRF_DERIVE, &params,

+			    CKM_NSS_IKE_PRF_PLUS_DERIVE, CKA_DERIVE,

+			    0);

+#else

 	/* key = SK_d (old) */

 	struct crypt_prf *prf = crypt_prf_init_symkey("ike sa rekey skeyseed", prf_desc,

 						      "SK_d (old)", SK_d_old);

@@ -141,6 +222,7 @@

 	crypt_prf_update_chunk(prf, "Nr", Nr);

 	/* generate */

 	return crypt_prf_final_symkey(&prf;;

+#endif

 }

 /*

@@ -152,6 +234,17 @@

 				const ike_spis_t *SPIir,

 				size_t required_bytes)

 {

+#ifdef USE_NSS_PRF

+	chunk_t seed_data;

+	PK11SymKey *prf_plus;

+

+	seed_data = clone_chunk_chunk(Ni, Nr, "seed_data = Ni || Nr");

+	append_chunk_bytes("seed_data = Nir || SPIi", &seed_data, &SPIir->initiator, sizeof(SPIir->initiator));

+	append_chunk_bytes("seed_data = Nir || SPIir", &seed_data, &SPIir->responder, sizeof(SPIir->responder));

+	prf_plus = ikev2_prfplus_key_data(prf_desc, skeyseed, NULL, seed_data, required_bytes);

+	freeanychunk(seed_data);

+	return prf_plus;

+#else

 	PK11SymKey *data = symkey_from_chunk("data", Ni);

 	append_symkey_chunk(&data, Nr);

 	append_symkey_bytes(&data, &SPIir->initiator, sizeof(SPIir->initiator));

@@ -161,6 +254,7 @@

 					    required_bytes);

 	release_symkey(__func__, "data", &data);

 	return prfplus;

+#endif

 }

 /*

@@ -172,6 +266,24 @@

 				  const chunk_t Ni, const chunk_t Nr,

 				  size_t required_bytes)

 {

+	if (required_bytes == 0) {

+		/*

+		 * For instance esp=null-none.  Caller should

+		 * interpret NULL to mean empty (NSS doesn't create

+		 * zero length keys).

+		 */

+		dbg("No CHILD SA KEMAT is required");

+		return NULL;

+	}

+#ifdef USE_NSS_PRF

+	chunk_t seed_data;

+	PK11SymKey *prf_plus;

+

+	seed_data = clone_chunk_chunk(Ni, Nr, "seed_data = Ni || Nr");

+	prf_plus = ikev2_prfplus_key_data(prf_desc, SK_d, new_dh_secret, seed_data, required_bytes);

+	freeanychunk(seed_data);

+	return prf_plus;

+#else

 	PK11SymKey *data;

 	if (new_dh_secret == NULL) {

 		data = symkey_from_chunk("data", Ni);

@@ -185,4 +297,5 @@

 					    required_bytes);

 	release_symkey(__func__, "data", &data);

 	return prfplus;

+#endif

 }

diff -Naur libreswan-3.29-orig/programs/pluto/ikev2_psk.c libreswan-3.29/programs/pluto/ikev2_psk.c

--- libreswan-3.29-orig/programs/pluto/ikev2_psk.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/programs/pluto/ikev2_psk.c	2019-08-11 13:31:13.858294817 -0400

@@ -181,6 +181,36 @@

 	PK11SymKey *prf_psk;

 	{

+		static const char psk_key_pad_str[] = "Key Pad for IKEv2";  /* RFC 4306  2:15 */

+#ifdef USE_NSS_PRF

+		CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf_params;

+		SECItem params;

+		CK_MECHANISM_TYPE prf_mech = st->st_oakley.ta_prf->nss.mechanism;

+		PK11SymKey *pss_key = prf_key_from_bytes("pss", st->st_oakley.ta_prf,

+                                     pss->ptr, pss->len);

+		if (pss_key == NULL) {

+			if (libreswan_fipsmode()) {

+				PASSERT_FAIL("FIPS: failure creating %s PRF context for digesting PSK",

+					     st->st_oakley.ta_prf->common.name);

+			}

+			loglog(RC_LOG_SERIOUS,

+			       "failure creating %s PRF context for digesting PSK",

+			       st->st_oakley.ta_prf->common.name);

+			return FALSE;

+		}

+

+		ike_prf_params.prfMechanism = prf_mech;

+		ike_prf_params.bDataAsKey = CK_FALSE;

+		ike_prf_params.bRekey = CK_FALSE;

+		ike_prf_params.pNi = (CK_BYTE_PTR) psk_key_pad_str;

+		ike_prf_params.ulNiLen = sizeof(psk_key_pad_str) - 1;

+		ike_prf_params.pNr = NULL;

+		ike_prf_params.ulNrLen = 0;

+		params.data = (unsigned char *)&ike_prf_params;

+		params.len = sizeof(ike_prf_params);

+		prf_psk = PK11_Derive(pss_key, CKM_NSS_IKE_PRF_DERIVE, &params, prf_mech, CKA_SIGN, 0);

+		release_symkey("psk pss_key", "pss_key", &pss_key);

+#else

 		struct crypt_prf *prf =

 			crypt_prf_init_chunk("<prf-psk> = prf(<psk>,\"Key Pad for IKEv2\")",

 					     st->st_oakley.ta_prf,

@@ -196,12 +226,11 @@

 			return FALSE;

 		}

-		static const char psk_key_pad_str[] = "Key Pad for IKEv2";  /* RFC 4306  2:15 */

-

 		crypt_prf_update_bytes(prf, psk_key_pad_str, /* name */

 				       psk_key_pad_str,

 				       sizeof(psk_key_pad_str) - 1);

 		prf_psk = crypt_prf_final_symkey(&prf;;

+#endif

 	}

 	/* calculate outer prf */

diff -Naur libreswan-3.29-orig/programs/pluto/plutomain.c libreswan-3.29/programs/pluto/plutomain.c

--- libreswan-3.29-orig/programs/pluto/plutomain.c	2019-06-10 10:22:04.000000000 -0400

+++ libreswan-3.29/programs/pluto/plutomain.c	2019-08-11 13:31:13.859294831 -0400

@@ -189,6 +189,11 @@