diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk

--- a/lib/freebl/config.mk

+++ b/lib/freebl/config.mk

@@ -85,9 +85,13 @@ EXTRA_SHARED_LIBS += \

 	$(NULL)

 endif

 endif

 ifeq ($(OS_ARCH), Darwin)

 EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib

 endif

+ifdef NSS_FIPS_140_3

+DEFINES += -DNSS_FIPS_140_3

 endif

+

+endif

diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c

--- a/lib/freebl/unix_urandom.c

+++ b/lib/freebl/unix_urandom.c

@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)

     if (!numBytes) {

         /* error is set */

         return;

     }

     RNG_RandomUpdate(bytes, numBytes);

     PORT_Memset(bytes, 0, sizeof bytes);

 }

+#ifdef NSS_FIPS_140_3

+#include <sys/random.h>

+#include "prinit.h"

+

+static int rng_grndFlags= 0;

+static PRCallOnceType rng_KernelFips;

+

+static PRStatus

+rng_getKernelFips()

+{

+#ifdef LINUX

+    FILE *f;

+    char d;

+    size_t size;

+

+    f = fopen("/proc/sys/crypto/fips_enabled", "r");

+    if (!f)

+        return PR_FAILURE;

+

+    size = fread(&d, 1, 1, f);

+    fclose(f);

+    if (size != 1)

+        return PR_SUCCESS;

+    if (d != '1')

+        return PR_SUCCESS;

+    /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */

+    rng_grndFlags = GRND_RANDOM;

+#endif /* LINUX */

+    return PR_SUCCESS;

+}

+#endif

+

 size_t

 RNG_SystemRNG(void *dest, size_t maxLen)

 {

+    size_t fileBytes = 0;

+    unsigned char *buffer = dest;

+#ifndef NSS_FIPS_140_3

     int fd;

     int bytes;

-    size_t fileBytes = 0;

-    unsigned char *buffer = dest;

+#else

+    PR_CallOnce(&rng_KernelFips, rng_getKernelFips);

+#endif

 #if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))

     int result;

-

     while (fileBytes < maxLen) {

         size_t getBytes = maxLen - fileBytes;

         if (getBytes > GETENTROPY_MAX_BYTES) {

             getBytes = GETENTROPY_MAX_BYTES;

         }

+#ifdef NSS_FIPS_140_3

+        /* FIP 140-3 requires full kernel reseeding for chained entropy sources

+         * so we need to use getrandom with GRND_RANDOM.

+         * getrandom returns -1 on failure, otherwise returns

+         * the number of bytes, which can be less than getBytes */

+        result = getrandom(buffer, getBytes, rng_grndFlags);

+        if (result < 0) {

+            break;

+        }

+        fileBytes += result;

+        buffer += result;

+#else

+        /* get entropy returns 0 on success and always return

+         * getBytes on success */

         result = getentropy(buffer, getBytes);

         if (result == 0) { /* success */

             fileBytes += getBytes;

             buffer += getBytes;

         } else {

             break;

         }

+#endif

     }

     if (fileBytes == maxLen) { /* success */

         return maxLen;

     }

+#ifdef NSS_FIPS_140_3

+    /* in FIPS 104-3 we don't fallback, just fail */

+    PORT_SetError(SEC_ERROR_NEED_RANDOM);

+    return 0;

+#else

     /* If we failed with an error other than ENOSYS, it means the destination

      * buffer is not writeable. We don't need to try writing to it again. */

     if (errno != ENOSYS) {

         PORT_SetError(SEC_ERROR_NEED_RANDOM);

         return 0;

     }

+#endif /*!NSS_FIPS_140_3 */

+#endif /* platorm has getentropy */

+#ifndef NSS_FIPS_140_3

     /* ENOSYS means the kernel doesn't support getentropy()/getrandom().

      * Reset the number of bytes to get and fall back to /dev/urandom. */

     fileBytes = 0;

-#endif

     fd = open("/dev/urandom", O_RDONLY);

     if (fd < 0) {

         PORT_SetError(SEC_ERROR_NEED_RANDOM);

         return 0;

     }

     while (fileBytes < maxLen) {

         bytes = read(fd, buffer, maxLen - fileBytes);

         if (bytes <= 0) {

@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)

         buffer += bytes;

     }

     (void)close(fd);

     if (fileBytes != maxLen) {

         PORT_SetError(SEC_ERROR_NEED_RANDOM);

         return 0;

     }

     return fileBytes;

+#endif

 }

diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk

--- a/lib/softoken/config.mk

+++ b/lib/softoken/config.mk

@@ -58,8 +58,12 @@ endif

 ifdef NSS_ENABLE_FIPS_INDICATORS

 DEFINES += -DNSS_ENABLE_FIPS_INDICATORS

 endif

 ifdef NSS_FIPS_MODULE_ID

 DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"

 endif

+ifdef NSS_FIPS_140_3

+DEFINES += -DNSS_FIPS_140_3

+endif

+

diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h

--- a/lib/softoken/fips_algorithms.h

+++ b/lib/softoken/fips_algorithms.h

@@ -49,33 +49,46 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 

 #define CKF_KEK (CKF_WRAP | CKF_UNWRAP)

 #define CKF_KEA CKF_DERIVE

 #define CKF_KDF CKF_DERIVE

 #define CKF_HSH CKF_DIGEST

 #define CK_MAX 0xffffffffUL

 /* mechanisms using the same key types share the same key type

  * limits */

 #define RSA_FB_KEY 2048, 4096 /* min, max */

-#define RSA_FB_STEP 1024

+#define RSA_FB_STEP 1

+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */

+#define RSA_LEGACY_FB_STEP 256

+

 #define DSA_FB_KEY 2048, 4096 /* min, max */

 #define DSA_FB_STEP 1024

 #define DH_FB_KEY 2048, 4096 /* min, max */

 #define DH_FB_STEP 1024

 #define EC_FB_KEY 256, 521 /* min, max */

 #define EC_FB_STEP 1       /* key limits handled by special operation */

 #define AES_FB_KEY 128, 256

 #define AES_FB_STEP 64

     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },

+    { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+

     /* -------------- RSA Multipart Signing Operations -------------------- */

     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

+    { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },

     { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

     /* ------------------------- DSA Operations --------------------------- */

     { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },

     { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },

     { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },

@@ -95,76 +108,73 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 

     { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },

     { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },

     { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },

     /* ------------------------- RC2 Operations --------------------------- */

     /* ------------------------- AES Operations --------------------------- */

     { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

-    { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },

-    { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },

     { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

     { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },

-    { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },

-    { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },

     /* ------------------------- Hashing Operations ----------------------- */

     { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },

     { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },

     { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },

     { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },

-    { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },

-    { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },

     { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },

-    { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },

-    { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },

     { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },

-    { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },

-    { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },

     /* --------------------- Secret Key Operations ------------------------ */

-    { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },

+    { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },

     /* ---------------------- SSL/TLS operations ------------------------- */

     { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },

     { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },

     { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },

-    { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },

+    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },

     /* sigh, is this algorithm really tested. ssl doesn't seem to have a

      * way of turning the extension off */

     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },

     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },

     /* ------------------------- HKDF Operations -------------------------- */

-    { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },

     { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },

     /* ------------------ NIST 800-108 Key Derivations  ------------------- */

-    { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },

     /* --------------------IPSEC ----------------------- */

-    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },

-    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },

+    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },

     /* ------------------ PBE Key Derivations  ------------------- */

-    { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },

+    { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },

     { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }

 };

 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);

diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c

--- a/lib/softoken/lowpbe.c

+++ b/lib/softoken/lowpbe.c

@@ -1765,27 +1765,29 @@ SECStatus

 sftk_fips_pbkdf_PowerUpSelfTests(void)

 {

     SECItem *result;

     SECItem inKey;

     NSSPKCS5PBEParameter pbe_params;

     unsigned char iteration_count = 5;

     unsigned char keyLen = 64;

     char *inKeyData = TEST_KEY;

-    static const unsigned char saltData[] =

-        { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };

+    static const unsigned char saltData[] = {

+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,

+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f

+    };

     static const unsigned char pbkdf_known_answer[] = {

-        0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,

-        0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,

-        0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,

-        0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,

-        0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,

-        0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,

-        0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,

-        0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5

+        0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,

+        0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,

+        0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,

+        0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,

+        0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,

+        0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,

+        0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,

+        0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33

     };

     sftk_PBELockInit();

     inKey.data = (unsigned char *)inKeyData;

     inKey.len = sizeof(TEST_KEY) - 1;

     pbe_params.salt.data = (unsigned char *)saltData;

diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c

--- a/lib/softoken/pkcs11c.c

+++ b/lib/softoken/pkcs11c.c

@@ -4609,16 +4609,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi

         goto loser;

     }

     /* make sure we don't have any class, key_type, or value fields */

     sftk_DeleteAttributeType(key, CKA_CLASS);

     sftk_DeleteAttributeType(key, CKA_KEY_TYPE);

     sftk_DeleteAttributeType(key, CKA_VALUE);

+

     /* Now Set up the parameters to generate the key (based on mechanism) */

     key_gen_type = nsc_bulk; /* bulk key by default */

     switch (pMechanism->mechanism) {

         case CKM_CDMF_KEY_GEN:

         case CKM_DES_KEY_GEN:

         case CKM_DES2_KEY_GEN:

         case CKM_DES3_KEY_GEN:

             checkWeak = PR_TRUE;

@@ -4812,16 +4813,19 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi

     crv = sftk_handleObject(key, session);

     sftk_FreeSession(session);

     if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {

         crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));

     }

     if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {

         crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));

     }

+    /* we need to do this check at the end, so we can check the generated key length against

+     * fips requirements */

+    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);

     if (crv == CKR_OK) {

         *phKey = key->handle;

     }

 loser:

     PORT_Memset(buf, 0, sizeof buf);

     sftk_FreeObject(key);

     return crv;

 }

@@ -5780,16 +5784,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS

     if (crv != CKR_OK) {

         NSC_DestroyObject(hSession, publicKey->handle);

         sftk_FreeObject(publicKey);

         NSC_DestroyObject(hSession, privateKey->handle);

         sftk_FreeObject(privateKey);

         return crv;

     }

+    /* we need to do this check at the end to make sure the generated key meets the key length requirements */

+    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);

+    publicKey->isFIPS = privateKey->isFIPS;

     *phPrivateKey = privateKey->handle;

     *phPublicKey = publicKey->handle;

     sftk_FreeObject(publicKey);

     sftk_FreeObject(privateKey);

     return CKR_OK;

 }

@@ -6990,16 +6997,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_

     }

     /* HKDF-Extract(salt, base key value) */

     if (params->bExtract) {

         CK_BYTE *salt;

         CK_ULONG saltLen;

         HMACContext *hmac;

         unsigned int bufLen;

+        SFTKSource saltKeySource = SFTK_SOURCE_DEFAULT;

         switch (params->ulSaltType) {

             case CKF_HKDF_SALT_NULL:

                 saltLen = hashLen;

                 salt = hashbuf;

                 memset(salt, 0, saltLen);

                 break;

             case CKF_HKDF_SALT_DATA:

@@ -7026,29 +7034,54 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_

                 if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {

                     CK_MECHANISM mech;

                     mech.mechanism = CKM_HKDF_DERIVE;

                     mech.pParameter = params;

                     mech.ulParameterLen = sizeof(*params);

                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,

                                                        CKA_DERIVE, saltKey);

                 }

+                saltKeySource = saltKey->source;

                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);

                 if (saltKey_att == NULL) {

                     sftk_FreeObject(saltKey);

                     return CKR_KEY_HANDLE_INVALID;

                 }

                 /* save the resulting salt */

                 salt = saltKey_att->attrib.pValue;

                 saltLen = saltKey_att->attrib.ulValueLen;

                 break;

             default:

                 return CKR_MECHANISM_PARAM_INVALID;

                 break;

         }

+        /* only TLS style usage is FIPS approved,

+         * turn off the FIPS indicator for other usages */

+        if (isFIPS && key && sourceKey) {

+            PRBool fipsOK = PR_FALSE;

+            /* case one: mix the kea with a previous or default

+             * salt */

+            if ((sourceKey->source == SFTK_SOURCE_KEA) &&

+                (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&

+                (saltLen == rawHash->length)) {

+                fipsOK = PR_TRUE;

+            }

+            /* case two: restart, remix the previous secret as a salt */

+            if ((sourceKey->objclass == CKO_DATA) &&

+                (NSS_SecureMemcmpZero(sourceKeyBytes, sourceKeyLen) == 0) &&

+                (sourceKeyLen == rawHash->length) &&

+                (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&

+                (saltLen == rawHash->length)) {

+                fipsOK = PR_TRUE;

+            }

+            if (!fipsOK) {

+                key->isFIPS = PR_FALSE;

+            }

+        }

+        if (key) key->source = SFTK_SOURCE_HKDF_EXTRACT;

         hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);

         if (saltKey_att) {

             sftk_FreeAttribute(saltKey_att);

         }

         if (saltKey) {

             sftk_FreeObject(saltKey);

         }

@@ -7076,16 +7109,40 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_

         /* T(1) = HMAC-Hash(prk, "" | info | 0x01)

          * T(n) = HMAC-Hash(prk, T(n-1) | info | n

          * key material = T(1) | ... | T(n)

          */

         HMACContext *hmac;

         CK_BYTE bi;

         unsigned iterations;

+        /* only TLS style usage is FIPS approved,

+         * turn off the FIPS indicator for other usages */

+        if (isFIPS && key && key->isFIPS && sourceKey) {

+            unsigned char *info=&params->pInfo[3];

+            /* only one case,

+             *  1) Expand only

+             *  2) with a key whose source was

+             *  SFTK_SOURCE_HKDF_EXPAND or SFTK_SOURCE_HKDF_EXTRACT

+             *  3) source key length == rawHash->length

+             *  4) Info has tls or dtls

+             * If any of those conditions aren't met, then we turn

+             * off the fips indicator */

+            if (params->bExtract ||

+               ((sourceKey->source != SFTK_SOURCE_HKDF_EXTRACT) &&

+                (sourceKey->source != SFTK_SOURCE_HKDF_EXPAND)) ||

+               (sourceKeyLen != rawHash->length) ||

+               (params->ulInfoLen < 7) ||

+               ((PORT_Memcmp(info,"tls",3) != 0) &&

+               (PORT_Memcmp(info,"dtls",4) != 0))) {

+               key->isFIPS = PR_FALSE;

+            }

+        }

+        if (key) key->source = SFTK_SOURCE_HKDF_EXPAND;

+

         genLen = PR_ROUNDUP(keySize, hashLen);

         iterations = genLen / hashLen;

         if (genLen > sizeof(keyBlock)) {

             keyBlockAlloc = PORT_Alloc(genLen);

             if (keyBlockAlloc == NULL) {

                 return CKR_HOST_MEMORY;

             }

@@ -8434,16 +8491,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession

             /* calculate private value - oct */

             rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);

             SECITEM_ZfreeItem(&dhPrime, PR_FALSE);

             SECITEM_ZfreeItem(&dhValue, PR_FALSE);

             if (rv == SECSuccess) {

+                key->source = SFTK_SOURCE_KEA;

                 sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);

                 SECITEM_ZfreeItem(&derived, PR_FALSE);

                 crv = CKR_OK;

             } else

                 crv = CKR_HOST_MEMORY;

             break;

         }

@@ -8564,16 +8622,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession

                     }

                     PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);

                     secret = keyData;

                 } else {

                     secret += (secretlen - keySize);

                 }

                 secretlen = keySize;

             }

+            key->source = SFTK_SOURCE_KEA;

             sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);

             PORT_ZFree(tmp.data, tmp.len);

             if (keyData) {

                 PORT_ZFree(keyData, keySize);

             }

             break;

diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h

--- a/lib/softoken/pkcs11i.h

+++ b/lib/softoken/pkcs11i.h

@@ -147,16 +147,26 @@ typedef enum {

  */

 typedef enum {

     SFTK_DestroyFailure,

     SFTK_Destroyed,

     SFTK_Busy

 } SFTKFreeStatus;

 /*

+ * Source of various objects

+ */

+typedef enum {

+    SFTK_SOURCE_DEFAULT=0,

+    SFTK_SOURCE_KEA,

+    SFTK_SOURCE_HKDF_EXPAND,

+    SFTK_SOURCE_HKDF_EXTRACT

+} SFTKSource;

+

+/*

  * attribute values of an object.

  */

 struct SFTKAttributeStr {

     SFTKAttribute *next;

     SFTKAttribute *prev;

     PRBool freeAttr;

     PRBool freeData;

     /*must be called handle to make sftkqueue_find work */

@@ -189,16 +199,17 @@ struct SFTKObjectStr {

     CK_OBJECT_CLASS objclass;

     CK_OBJECT_HANDLE handle;

     int refCount;

     PZLock *refLock;

     SFTKSlot *slot;

     void *objectInfo;

     SFTKFree infoFree;

     PRBool isFIPS;

+    SFTKSource source;

 };

 struct SFTKTokenObjectStr {

     SFTKObject obj;

     SECItem dbKey;

 };

 struct SFTKSessionObjectStr {

diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c

--- a/lib/softoken/pkcs11u.c

+++ b/lib/softoken/pkcs11u.c

@@ -1090,16 +1090,17 @@ sftk_NewObject(SFTKSlot *slot)

         sessObject->attrList[i].freeData = PR_FALSE;

     }

     sessObject->optimizeSpace = slot->optimizeSpace;

     object->handle = 0;

     object->next = object->prev = NULL;

     object->slot = slot;

     object->isFIPS = sftk_isFIPS(slot->slotID);

+    object->source = SFTK_SOURCE_DEFAULT;

     object->refCount = 1;

     sessObject->sessionList.next = NULL;

     sessObject->sessionList.prev = NULL;

     sessObject->sessionList.parent = object;

     sessObject->session = NULL;

     sessObject->wasDerived = PR_FALSE;

     if (!hasLocks)

@@ -1674,16 +1675,17 @@ fail:

 CK_RV

 sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject)

 {

     SFTKAttribute *attribute;

     SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);

     unsigned int i;

     destObject->isFIPS = srcObject->isFIPS;

+    destObject->source = srcObject->source;

     if (src_so == NULL) {

         return sftk_CopyTokenObject(destObject, srcObject);

     }

     PZ_Lock(src_so->attributeLock);

     for (i = 0; i < src_so->hashSize; i++) {

         attribute = src_so->head[i];

         do {

@@ -2059,16 +2061,17 @@ sftk_NewTokenObject(SFTKSlot *slot, SECI

     /* every object must have a class, if we can't get it, the object

      * doesn't exist */

     crv = handleToClass(slot, handle, &object->objclass);

     if (crv != CKR_OK) {

         goto loser;

     }

     object->slot = slot;

     object->isFIPS = sftk_isFIPS(slot->slotID);

+    object->source = SFTK_SOURCE_DEFAULT;

     object->objectInfo = NULL;

     object->infoFree = NULL;

     if (!hasLocks) {

         object->refLock = PZ_NewLock(nssILockRefLock);

     }

     if (object->refLock == NULL) {

         goto loser;

     }

@@ -2225,16 +2228,25 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE 

             break;

         case CKA_DERIVE:

             flags = CKF_DERIVE;

             break;

         /* fake attribute to select digesting */

         case CKA_DIGEST:

             flags = CKF_DIGEST;

             break;

+        /* fake attribute to select key gen */

+         case CKA_NSS_GENERATE:

+            flags = CKF_GENERATE;

+            break;

+        /* fake attribute to select key pair gen */

+        case CKA_NSS_GENERATE_KEY_PAIR:

+            flags = CKF_GENERATE_KEY_PAIR;

+            break;

+        /* fake attributes to to handle MESSAGE* flags */

         case CKA_NSS_MESSAGE | CKA_ENCRYPT:

             flags = CKF_MESSAGE_ENCRYPT;

             break;

         case CKA_NSS_MESSAGE | CKA_DECRYPT:

             flags = CKF_MESSAGE_DECRYPT;

             break;

         case CKA_NSS_MESSAGE | CKA_SIGN:

             flags = CKF_MESSAGE_SIGN;

@@ -2278,17 +2290,17 @@ sftk_quickGetECCCurveOid(SFTKObject *sou

 }

 /* This function currently only returns valid lengths for

  * FIPS approved ECC curves. If we want to make this generic

  * in the future, that Curve determination can be done in

  * the sftk_handleSpecial. Since it's currently only used

  * in FIPS indicators, it's currently only compiled with

  * the FIPS indicator code */

-static int

+static CK_ULONG

 sftk_getKeyLength(SFTKObject *source)

 {

     CK_KEY_TYPE keyType = CK_INVALID_HANDLE;

     CK_ATTRIBUTE_TYPE keyAttribute;

     CK_ULONG keyLength = 0;

     SFTKAttribute *attribute;

     CK_RV crv;