diff -up nss/cmd/fipstest/fipstest.c.1212106 nss/cmd/fipstest/fipstest.c

--- nss/cmd/fipstest/fipstest.c.1212106	2015-04-28 15:10:27.428991019 -0700

+++ nss/cmd/fipstest/fipstest.c	2015-04-28 15:14:18.281661223 -0700

@@ -5746,12 +5746,13 @@ tls(char *reqfn)

     CK_MECHANISM master_mech = { CKM_TLS_MASTER_KEY_DERIVE , NULL, 0 };

     CK_MECHANISM key_block_mech = { CKM_TLS_KEY_AND_MAC_DERIVE , NULL, 0};

-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;

-    CK_SSL3_KEY_MAT_PARAMS key_block_params;

+    CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;

+    CK_TLS12_KEY_MAT_PARAMS key_block_params;

     CK_SSL3_KEY_MAT_OUT key_material;

     CK_RV crv;

     /* set up PKCS #11 parameters */

+    master_params.prfHashMechanism = CKM_SHA256;

     master_params.pVersion = NULL;

     master_params.RandomInfo.pClientRandom = clientHello_random;

     master_params.RandomInfo.ulClientRandomLen = sizeof(clientHello_random);

@@ -5759,6 +5760,7 @@ tls(char *reqfn)

     master_params.RandomInfo.ulServerRandomLen = sizeof(serverHello_random);

     master_mech.pParameter = (void *) &master_params;

     master_mech.ulParameterLen = sizeof(master_params);

+    key_block_params.prfHashMechanism = CKM_SHA256;

     key_block_params.ulMacSizeInBits = 0;

     key_block_params.ulKeySizeInBits = 0;

     key_block_params.ulIVSizeInBits = 0;

@@ -5801,14 +5803,35 @@ tls(char *reqfn)

         /* [Xchange - SHA1] */

         if (buf[0] == '[') {

             if (strncmp(buf, "[TLS", 4)  == 0) {

-		if (buf[7] == '0') {

-    		    master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;

-    		    key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;

-		} else if (buf[7] == '2') {

-    		    master_mech.mechanism = 

-					CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;

-    		    key_block_mech.mechanism = 

-					CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;

+                if (buf[7] == '0') {

+                    master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;

+                    key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;

+                    master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);

+                    key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS);

+                } else if (buf[7] == '2') {

+                    if (strncmp(&buf[10], "SHA-1", 5) == 0) {

+		       master_params.prfHashMechanism = CKM_SHA_1;

+		       key_block_params.prfHashMechanism = CKM_SHA_1;

+                    } else if (strncmp(&buf[10], "SHA-224", 7) == 0) {

+		       master_params.prfHashMechanism = CKM_SHA224;

+		       key_block_params.prfHashMechanism = CKM_SHA224;

+		    } else if (strncmp(&buf[10], "SHA-256", 7) == 0) {

+		       master_params.prfHashMechanism = CKM_SHA256;

+		       key_block_params.prfHashMechanism = CKM_SHA256;

+		    } else if (strncmp(&buf[10], "SHA-384", 7)== 0) {

+		       master_params.prfHashMechanism = CKM_SHA384;

+		       key_block_params.prfHashMechanism = CKM_SHA384;

+                    } else if (strncmp(&buf[10], "SHA-512", 7) == 0) {

+		       master_params.prfHashMechanism = CKM_SHA512;

+		       key_block_params.prfHashMechanism = CKM_SHA512;

+                    } else {

+                        fprintf(tlsresp, "ERROR: Unable to find prf Hash type");

+                        goto loser;

+                    }

+                    master_mech.mechanism = CKM_TLS12_MASTER_KEY_DERIVE;

+                    key_block_mech.mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;

+                    master_mech.ulParameterLen = sizeof(master_params);

+                    key_block_mech.ulParameterLen = sizeof(key_block_params);

 		} else {

 		    fprintf(stderr, "Unknown TLS type %x\n", buf);

 		    goto loser;

@@ -6121,6 +6144,11 @@ int main(int argc, char **argv)

     } else if (strcmp(argv[1], "ddrbg") == 0) {

 	debug = 1;

 	drbg(argv[2]);

+    /*************/

+    /*   TLS     */

+    /*************/

+    } else if (strcmp(argv[1], "tls") == 0) {

+        tls(argv[2]);

     }

     return 0;

 }