Blob Blame History Raw
diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
--- a/lib/freebl/config.mk
+++ b/lib/freebl/config.mk
@@ -85,9 +85,13 @@ EXTRA_SHARED_LIBS += \
 	$(NULL)
 endif
 endif
 
 ifeq ($(OS_ARCH), Darwin)
 EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
 endif
 
+ifdef NSS_FIPS_140_3
+DEFINES += -DNSS_FIPS_140_3
 endif
+
+endif
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
--- a/lib/freebl/unix_urandom.c
+++ b/lib/freebl/unix_urandom.c
@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
     if (!numBytes) {
         /* error is set */
         return;
     }
     RNG_RandomUpdate(bytes, numBytes);
     PORT_Memset(bytes, 0, sizeof bytes);
 }
 
+#ifdef NSS_FIPS_140_3
+#include <sys/random.h>
+#include "prinit.h"
+
+static int rng_grndFlags= 0;
+static PRCallOnceType rng_KernelFips;
+
+static PRStatus
+rng_getKernelFips()
+{
+#ifdef LINUX
+    FILE *f;
+    char d;
+    size_t size;
+
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (!f)
+        return PR_FAILURE;
+
+    size = fread(&d, 1, 1, f);
+    fclose(f);
+    if (size != 1)
+        return PR_SUCCESS;
+    if (d != '1')
+        return PR_SUCCESS;
+    /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
+    rng_grndFlags = GRND_RANDOM;
+#endif /* LINUX */
+    return PR_SUCCESS;
+}
+#endif
+
 size_t
 RNG_SystemRNG(void *dest, size_t maxLen)
 {
+    size_t fileBytes = 0;
+    unsigned char *buffer = dest;
+#ifndef NSS_FIPS_140_3
     int fd;
     int bytes;
-    size_t fileBytes = 0;
-    unsigned char *buffer = dest;
+#else
+    PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
+#endif
 
 #if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
     int result;
-
     while (fileBytes < maxLen) {
         size_t getBytes = maxLen - fileBytes;
         if (getBytes > GETENTROPY_MAX_BYTES) {
             getBytes = GETENTROPY_MAX_BYTES;
         }
+#ifdef NSS_FIPS_140_3
+        /* FIP 140-3 requires full kernel reseeding for chained entropy sources
+         * so we need to use getrandom with GRND_RANDOM.
+         * getrandom returns -1 on failure, otherwise returns
+         * the number of bytes, which can be less than getBytes */
+        result = getrandom(buffer, getBytes, rng_grndFlags);
+        if (result < 0) {
+            break;
+        }
+        fileBytes += result;
+        buffer += result;
+#else
+        /* get entropy returns 0 on success and always return
+         * getBytes on success */
         result = getentropy(buffer, getBytes);
         if (result == 0) { /* success */
             fileBytes += getBytes;
             buffer += getBytes;
         } else {
             break;
         }
+#endif
     }
     if (fileBytes == maxLen) { /* success */
         return maxLen;
     }
+#ifdef NSS_FIPS_140_3
+    /* in FIPS 104-3 we don't fallback, just fail */
+    PORT_SetError(SEC_ERROR_NEED_RANDOM);
+    return 0;
+#else
     /* If we failed with an error other than ENOSYS, it means the destination
      * buffer is not writeable. We don't need to try writing to it again. */
     if (errno != ENOSYS) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         return 0;
     }
+#endif /*!NSS_FIPS_140_3 */
+#endif /* platorm has getentropy */
+#ifndef NSS_FIPS_140_3
     /* ENOSYS means the kernel doesn't support getentropy()/getrandom().
      * Reset the number of bytes to get and fall back to /dev/urandom. */
     fileBytes = 0;
-#endif
     fd = open("/dev/urandom", O_RDONLY);
     if (fd < 0) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         return 0;
     }
     while (fileBytes < maxLen) {
         bytes = read(fd, buffer, maxLen - fileBytes);
         if (bytes <= 0) {
@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
         buffer += bytes;
     }
     (void)close(fd);
     if (fileBytes != maxLen) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
         return 0;
     }
     return fileBytes;
+#endif
 }
diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
--- a/lib/softoken/config.mk
+++ b/lib/softoken/config.mk
@@ -58,8 +58,12 @@ endif
 ifdef NSS_ENABLE_FIPS_INDICATORS
 DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
 endif
 
 ifdef NSS_FIPS_MODULE_ID
 DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
 endif
 
+ifdef NSS_FIPS_140_3
+DEFINES += -DNSS_FIPS_140_3
+endif
+
diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h
--- a/lib/softoken/fips_algorithms.h
+++ b/lib/softoken/fips_algorithms.h
@@ -49,33 +49,46 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 
 #define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
 #define CKF_KEA CKF_DERIVE
 #define CKF_KDF CKF_DERIVE
 #define CKF_HSH CKF_DIGEST
 #define CK_MAX 0xffffffffUL
 /* mechanisms using the same key types share the same key type
  * limits */
 #define RSA_FB_KEY 2048, 4096 /* min, max */
-#define RSA_FB_STEP 1024
+#define RSA_FB_STEP 1
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
+#define RSA_LEGACY_FB_STEP 256
+
 #define DSA_FB_KEY 2048, 4096 /* min, max */
 #define DSA_FB_STEP 1024
 #define DH_FB_KEY 2048, 4096 /* min, max */
 #define DH_FB_STEP 1024
 #define EC_FB_KEY 256, 521 /* min, max */
 #define EC_FB_STEP 1       /* key limits handled by special operation */
 #define AES_FB_KEY 128, 256
 #define AES_FB_STEP 64
     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
+    { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+
     /* -------------- RSA Multipart Signing Operations -------------------- */
     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
     { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     /* ------------------------- DSA Operations --------------------------- */
     { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
     { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
     { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
@@ -95,76 +108,73 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 
     { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
     /* ------------------------- RC2 Operations --------------------------- */
     /* ------------------------- AES Operations --------------------------- */
     { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
     { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
     /* ------------------------- Hashing Operations ----------------------- */
     { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
     { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
     { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
     { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
     { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
     { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
     /* --------------------- Secret Key Operations ------------------------ */
-    { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },
+    { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
     /* ---------------------- SSL/TLS operations ------------------------- */
     { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
     { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
     { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
     /* sigh, is this algorithm really tested. ssl doesn't seem to have a
      * way of turning the extension off */
     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
 
     /* ------------------------- HKDF Operations -------------------------- */
-    { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
     { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
     /* ------------------ NIST 800-108 Key Derivations  ------------------- */
-    { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
     /* --------------------IPSEC ----------------------- */
-    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
     /* ------------------ PBE Key Derivations  ------------------- */
-    { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },
+    { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -1765,27 +1765,29 @@ SECStatus
 sftk_fips_pbkdf_PowerUpSelfTests(void)
 {
     SECItem *result;
     SECItem inKey;
     NSSPKCS5PBEParameter pbe_params;
     unsigned char iteration_count = 5;
     unsigned char keyLen = 64;
     char *inKeyData = TEST_KEY;
-    static const unsigned char saltData[] =
-        { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+    static const unsigned char saltData[] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+    };
     static const unsigned char pbkdf_known_answer[] = {
-        0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
-        0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
-        0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
-        0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
-        0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
-        0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
-        0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
-        0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
+        0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,
+        0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,
+        0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,
+        0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,
+        0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,
+        0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,
+        0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
+        0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
     };
 
     sftk_PBELockInit();
 
     inKey.data = (unsigned char *)inKeyData;
     inKey.len = sizeof(TEST_KEY) - 1;
 
     pbe_params.salt.data = (unsigned char *)saltData;
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -4609,16 +4609,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
         goto loser;
     }
 
     /* make sure we don't have any class, key_type, or value fields */
     sftk_DeleteAttributeType(key, CKA_CLASS);
     sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
     sftk_DeleteAttributeType(key, CKA_VALUE);
 
+
     /* Now Set up the parameters to generate the key (based on mechanism) */
     key_gen_type = nsc_bulk; /* bulk key by default */
     switch (pMechanism->mechanism) {
         case CKM_CDMF_KEY_GEN:
         case CKM_DES_KEY_GEN:
         case CKM_DES2_KEY_GEN:
         case CKM_DES3_KEY_GEN:
             checkWeak = PR_TRUE;
@@ -4812,16 +4813,19 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
     crv = sftk_handleObject(key, session);
     sftk_FreeSession(session);
     if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
         crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
     }
     if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
         crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
     }
+    /* we need to do this check at the end, so we can check the generated key length against
+     * fips requirements */
+    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
     if (crv == CKR_OK) {
         *phKey = key->handle;
     }
 loser:
     PORT_Memset(buf, 0, sizeof buf);
     sftk_FreeObject(key);
     return crv;
 }
@@ -5780,16 +5784,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
 
     if (crv != CKR_OK) {
         NSC_DestroyObject(hSession, publicKey->handle);
         sftk_FreeObject(publicKey);
         NSC_DestroyObject(hSession, privateKey->handle);
         sftk_FreeObject(privateKey);
         return crv;
     }
+    /* we need to do this check at the end to make sure the generated key meets the key length requirements */
+    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
+    publicKey->isFIPS = privateKey->isFIPS;
 
     *phPrivateKey = privateKey->handle;
     *phPublicKey = publicKey->handle;
     sftk_FreeObject(publicKey);
     sftk_FreeObject(privateKey);
 
     return CKR_OK;
 }
@@ -6990,16 +6997,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
     }
 
     /* HKDF-Extract(salt, base key value) */
     if (params->bExtract) {
         CK_BYTE *salt;
         CK_ULONG saltLen;
         HMACContext *hmac;
         unsigned int bufLen;
+        SFTKSource saltKeySource = SFTK_SOURCE_DEFAULT;
 
         switch (params->ulSaltType) {
             case CKF_HKDF_SALT_NULL:
                 saltLen = hashLen;
                 salt = hashbuf;
                 memset(salt, 0, saltLen);
                 break;
             case CKF_HKDF_SALT_DATA:
@@ -7026,29 +7034,54 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
                 if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {
                     CK_MECHANISM mech;
                     mech.mechanism = CKM_HKDF_DERIVE;
                     mech.pParameter = params;
                     mech.ulParameterLen = sizeof(*params);
                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
                                                        CKA_DERIVE, saltKey);
                 }
+                saltKeySource = saltKey->source;
                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
                 if (saltKey_att == NULL) {
                     sftk_FreeObject(saltKey);
                     return CKR_KEY_HANDLE_INVALID;
                 }
                 /* save the resulting salt */
                 salt = saltKey_att->attrib.pValue;
                 saltLen = saltKey_att->attrib.ulValueLen;
                 break;
             default:
                 return CKR_MECHANISM_PARAM_INVALID;
                 break;
         }
+        /* only TLS style usage is FIPS approved,
+         * turn off the FIPS indicator for other usages */
+        if (isFIPS && key && sourceKey) {
+            PRBool fipsOK = PR_FALSE;
+            /* case one: mix the kea with a previous or default
+             * salt */
+            if ((sourceKey->source == SFTK_SOURCE_KEA) &&
+                (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
+                (saltLen == rawHash->length)) {
+                fipsOK = PR_TRUE;
+            }
+            /* case two: restart, remix the previous secret as a salt */
+            if ((sourceKey->objclass == CKO_DATA) &&
+                (NSS_SecureMemcmpZero(sourceKeyBytes, sourceKeyLen) == 0) &&
+                (sourceKeyLen == rawHash->length) &&
+                (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
+                (saltLen == rawHash->length)) {
+                fipsOK = PR_TRUE;
+            }
+            if (!fipsOK) {
+                key->isFIPS = PR_FALSE;
+            }
+        }
+        if (key) key->source = SFTK_SOURCE_HKDF_EXTRACT;
 
         hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
         if (saltKey_att) {
             sftk_FreeAttribute(saltKey_att);
         }
         if (saltKey) {
             sftk_FreeObject(saltKey);
         }
@@ -7076,16 +7109,40 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
         /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
          * T(n) = HMAC-Hash(prk, T(n-1) | info | n
          * key material = T(1) | ... | T(n)
          */
         HMACContext *hmac;
         CK_BYTE bi;
         unsigned iterations;
 
+        /* only TLS style usage is FIPS approved,
+         * turn off the FIPS indicator for other usages */
+        if (isFIPS && key && key->isFIPS && sourceKey) {
+            unsigned char *info=&params->pInfo[3];
+            /* only one case,
+             *  1) Expand only
+             *  2) with a key whose source was
+             *  SFTK_SOURCE_HKDF_EXPAND or SFTK_SOURCE_HKDF_EXTRACT
+             *  3) source key length == rawHash->length
+             *  4) Info has tls or dtls
+             * If any of those conditions aren't met, then we turn
+             * off the fips indicator */
+            if (params->bExtract ||
+               ((sourceKey->source != SFTK_SOURCE_HKDF_EXTRACT) &&
+                (sourceKey->source != SFTK_SOURCE_HKDF_EXPAND)) ||
+               (sourceKeyLen != rawHash->length) ||
+               (params->ulInfoLen < 7) ||
+               ((PORT_Memcmp(info,"tls",3) != 0) &&
+               (PORT_Memcmp(info,"dtls",4) != 0))) {
+               key->isFIPS = PR_FALSE;
+            }
+        }
+        if (key) key->source = SFTK_SOURCE_HKDF_EXPAND;
+
         genLen = PR_ROUNDUP(keySize, hashLen);
         iterations = genLen / hashLen;
 
         if (genLen > sizeof(keyBlock)) {
             keyBlockAlloc = PORT_Alloc(genLen);
             if (keyBlockAlloc == NULL) {
                 return CKR_HOST_MEMORY;
             }
@@ -8434,16 +8491,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
 
             /* calculate private value - oct */
             rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
 
             SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
             SECITEM_ZfreeItem(&dhValue, PR_FALSE);
 
             if (rv == SECSuccess) {
+                key->source = SFTK_SOURCE_KEA;
                 sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
                 SECITEM_ZfreeItem(&derived, PR_FALSE);
                 crv = CKR_OK;
             } else
                 crv = CKR_HOST_MEMORY;
 
             break;
         }
@@ -8564,16 +8622,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                     }
                     PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);
                     secret = keyData;
                 } else {
                     secret += (secretlen - keySize);
                 }
                 secretlen = keySize;
             }
+            key->source = SFTK_SOURCE_KEA;
 
             sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
             PORT_ZFree(tmp.data, tmp.len);
             if (keyData) {
                 PORT_ZFree(keyData, keySize);
             }
             break;
 
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -147,16 +147,26 @@ typedef enum {
  */
 typedef enum {
     SFTK_DestroyFailure,
     SFTK_Destroyed,
     SFTK_Busy
 } SFTKFreeStatus;
 
 /*
+ * Source of various objects
+ */
+typedef enum {
+    SFTK_SOURCE_DEFAULT=0,
+    SFTK_SOURCE_KEA,
+    SFTK_SOURCE_HKDF_EXPAND,
+    SFTK_SOURCE_HKDF_EXTRACT
+} SFTKSource;
+
+/*
  * attribute values of an object.
  */
 struct SFTKAttributeStr {
     SFTKAttribute *next;
     SFTKAttribute *prev;
     PRBool freeAttr;
     PRBool freeData;
     /*must be called handle to make sftkqueue_find work */
@@ -189,16 +199,17 @@ struct SFTKObjectStr {
     CK_OBJECT_CLASS objclass;
     CK_OBJECT_HANDLE handle;
     int refCount;
     PZLock *refLock;
     SFTKSlot *slot;
     void *objectInfo;
     SFTKFree infoFree;
     PRBool isFIPS;
+    SFTKSource source;
 };
 
 struct SFTKTokenObjectStr {
     SFTKObject obj;
     SECItem dbKey;
 };
 
 struct SFTKSessionObjectStr {
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1090,16 +1090,17 @@ sftk_NewObject(SFTKSlot *slot)
         sessObject->attrList[i].freeData = PR_FALSE;
     }
     sessObject->optimizeSpace = slot->optimizeSpace;
 
     object->handle = 0;
     object->next = object->prev = NULL;
     object->slot = slot;
     object->isFIPS = sftk_isFIPS(slot->slotID);
+    object->source = SFTK_SOURCE_DEFAULT;
 
     object->refCount = 1;
     sessObject->sessionList.next = NULL;
     sessObject->sessionList.prev = NULL;
     sessObject->sessionList.parent = object;
     sessObject->session = NULL;
     sessObject->wasDerived = PR_FALSE;
     if (!hasLocks)
@@ -1674,16 +1675,17 @@ fail:
 CK_RV
 sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject)
 {
     SFTKAttribute *attribute;
     SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
     unsigned int i;
 
     destObject->isFIPS = srcObject->isFIPS;
+    destObject->source = srcObject->source;
     if (src_so == NULL) {
         return sftk_CopyTokenObject(destObject, srcObject);
     }
 
     PZ_Lock(src_so->attributeLock);
     for (i = 0; i < src_so->hashSize; i++) {
         attribute = src_so->head[i];
         do {
@@ -2059,16 +2061,17 @@ sftk_NewTokenObject(SFTKSlot *slot, SECI
     /* every object must have a class, if we can't get it, the object
      * doesn't exist */
     crv = handleToClass(slot, handle, &object->objclass);
     if (crv != CKR_OK) {
         goto loser;
     }
     object->slot = slot;
     object->isFIPS = sftk_isFIPS(slot->slotID);
+    object->source = SFTK_SOURCE_DEFAULT;
     object->objectInfo = NULL;
     object->infoFree = NULL;
     if (!hasLocks) {
         object->refLock = PZ_NewLock(nssILockRefLock);
     }
     if (object->refLock == NULL) {
         goto loser;
     }
@@ -2225,16 +2228,25 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE 
             break;
         case CKA_DERIVE:
             flags = CKF_DERIVE;
             break;
         /* fake attribute to select digesting */
         case CKA_DIGEST:
             flags = CKF_DIGEST;
             break;
+        /* fake attribute to select key gen */
+         case CKA_NSS_GENERATE:
+            flags = CKF_GENERATE;
+            break;
+        /* fake attribute to select key pair gen */
+        case CKA_NSS_GENERATE_KEY_PAIR:
+            flags = CKF_GENERATE_KEY_PAIR;
+            break;
+        /* fake attributes to to handle MESSAGE* flags */
         case CKA_NSS_MESSAGE | CKA_ENCRYPT:
             flags = CKF_MESSAGE_ENCRYPT;
             break;
         case CKA_NSS_MESSAGE | CKA_DECRYPT:
             flags = CKF_MESSAGE_DECRYPT;
             break;
         case CKA_NSS_MESSAGE | CKA_SIGN:
             flags = CKF_MESSAGE_SIGN;
@@ -2278,17 +2290,17 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
 }
 
 /* This function currently only returns valid lengths for
  * FIPS approved ECC curves. If we want to make this generic
  * in the future, that Curve determination can be done in
  * the sftk_handleSpecial. Since it's currently only used
  * in FIPS indicators, it's currently only compiled with
  * the FIPS indicator code */
-static int
+static CK_ULONG
 sftk_getKeyLength(SFTKObject *source)
 {
     CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
     CK_ATTRIBUTE_TYPE keyAttribute;
     CK_ULONG keyLength = 0;
     SFTKAttribute *attribute;
     CK_RV crv;
 
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
--- a/lib/util/pkcs11n.h
+++ b/lib/util/pkcs11n.h
@@ -58,16 +58,18 @@
 /*
  * NSS-defined certificate types
  *
  */
 #define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
 
 /* FAKE PKCS #11 defines */
 #define CKA_DIGEST 0x81000000L
+#define CKA_NSS_GENERATE 0x81000001L
+#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L
 #define CKA_NSS_MESSAGE 0x82000000L
 #define CKA_NSS_MESSAGE_MASK 0xff000000L
 #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
 
 /*
  * NSS-defined object attributes
  *
  */