Bug 1558549 - Update to NSS_3_44_1_RTM. a=ritu UPGRADE_NSS_RELEASE
authorJ.C. Jones <jjones@mozilla.com>
Mon, 24 Jun 2019 10:01:40 +0200
changeset 533996 fd384ae3e04ea04fada7a72d9b2362862c0a3898
parent 533995 2bee7577b5a687ef6da1cd27852da85d28af2395
child 533997 4174d76d91945a7261f81d7666eee4b2b35cb027
push id11488
push userjcristau@mozilla.com
push dateMon, 24 Jun 2019 08:10:20 +0000
treeherdermozilla-beta@3d562db5d1ed [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersritu
bugs1558549
milestone68.0
Bug 1558549 - Update to NSS_3_44_1_RTM. a=ritu UPGRADE_NSS_RELEASE
old-configure.in
security/nss/.taskcluster.yml
security/nss/TAG-INFO
security/nss/automation/taskcluster/graph/src/queue.js
security/nss/automation/taskcluster/scripts/check_abi.sh
security/nss/build.sh
security/nss/cmd/fipstest/README
security/nss/cmd/fipstest/aes.sh
security/nss/cmd/fipstest/aesgcm.sh
security/nss/cmd/fipstest/dsa.sh
security/nss/cmd/fipstest/ecdsa.sh
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/fipstest/hmac.sh
security/nss/cmd/fipstest/kas.sh
security/nss/cmd/fipstest/rng.sh
security/nss/cmd/fipstest/rsa.sh
security/nss/cmd/fipstest/runtest.sh
security/nss/cmd/fipstest/sha.sh
security/nss/cmd/fipstest/tdea.sh
security/nss/cmd/fipstest/tls.sh
security/nss/cmd/fipstest/validate.sh
security/nss/cmd/fipstest/validate1.sh
security/nss/coreconf/coreconf.dep
security/nss/doc/certutil.xml
security/nss/gtests/pk11_gtest/manifest.mn
security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
security/nss/gtests/ssl_gtest/Makefile
security/nss/gtests/ssl_gtest/manifest.mn
security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
security/nss/gtests/ssl_gtest/ssl_gtest.gyp
security/nss/gtests/ssl_gtest/ssl_keylog_unittest.cc
security/nss/help.txt
security/nss/lib/cryptohi/seckey.c
security/nss/lib/freebl/crypto_primitives.c
security/nss/lib/freebl/dh.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/ecl/ecp_25519.c
security/nss/lib/freebl/fipsfreebl.c
security/nss/lib/freebl/intel-gcm-wrap.c
security/nss/lib/freebl/mpi/mpi.c
security/nss/lib/freebl/pqg.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11akey.c
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11mech.c
security/nss/lib/pk11wrap/pk11pk12.c
security/nss/lib/pk11wrap/pk11priv.h
security/nss/lib/pk11wrap/pk11skey.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/manifest.mn
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11i.h
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/sftkike.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.gyp
security/nss/lib/ssl/ssl.gyp
security/nss/lib/ssl/ssl3con.c
security/nss/lib/util/nssutil.h
security/nss/lib/util/pkcs11n.h
security/nss/lib/util/pkcs11t.h
security/nss/lib/util/quickder.c
security/nss/tests/common/init.sh
security/nss/tests/fips/cavs_samples/AES/fax/CBCGFSbox128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCGFSbox192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCGFSbox256.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCKeySbox128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCKeySbox192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCKeySbox256.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMCT128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMCT192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMCT256.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMMT128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMMT192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCMMT256.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarKey128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarKey192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarKey256.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarTxt128.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarTxt192.fax
security/nss/tests/fips/cavs_samples/AES/fax/CBCVarTxt256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBGFSbox128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBGFSbox192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBGFSbox256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBKeySbox128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBKeySbox192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBKeySbox256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMCT128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMCT192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMCT256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMMT128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMMT192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBMMT256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarKey128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarKey192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarKey256.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarTxt128.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarTxt192.fax
security/nss/tests/fips/cavs_samples/AES/fax/ECBVarTxt256.fax
security/nss/tests/fips/cavs_samples/AES/req/CBCGFSbox128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCGFSbox192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCGFSbox256.req
security/nss/tests/fips/cavs_samples/AES/req/CBCKeySbox128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCKeySbox192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCKeySbox256.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMCT128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMCT192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMCT256.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMMT128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMMT192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCMMT256.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarKey128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarKey192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarKey256.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarTxt128.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarTxt192.req
security/nss/tests/fips/cavs_samples/AES/req/CBCVarTxt256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBGFSbox128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBGFSbox192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBGFSbox256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBKeySbox128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBKeySbox192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBKeySbox256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMCT128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMCT192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMCT256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMMT128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMMT192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBMMT256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarKey128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarKey192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarKey256.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarTxt128.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarTxt192.req
security/nss/tests/fips/cavs_samples/AES/req/ECBVarTxt256.req
security/nss/tests/fips/cavs_samples/AES/sample/CBCGFSbox128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCGFSbox192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCGFSbox256.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCKeySbox128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCKeySbox192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCKeySbox256.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMCT128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMCT192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMCT256.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMMT128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMMT192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCMMT256.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarKey128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarKey192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarKey256.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarTxt128.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarTxt192.sam
security/nss/tests/fips/cavs_samples/AES/sample/CBCVarTxt256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBGFSbox128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBGFSbox192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBGFSbox256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBKeySbox128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBKeySbox192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBKeySbox256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMCT128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMCT192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMCT256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMMT128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMMT192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBMMT256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarKey128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarKey192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarKey256.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarTxt128.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarTxt192.sam
security/nss/tests/fips/cavs_samples/AES/sample/ECBVarTxt256.sam
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmDecrypt128.fax
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmDecrypt192.fax
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmDecrypt256.fax
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmEncryptExtIV128.fax
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmEncryptExtIV192.fax
security/nss/tests/fips/cavs_samples/AES_GCM/fax/gcmEncryptExtIV256.fax
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmDecrypt128.req
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmDecrypt192.req
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmDecrypt256.req
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmEncryptExtIV128.req
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmEncryptExtIV192.req
security/nss/tests/fips/cavs_samples/AES_GCM/req/gcmEncryptExtIV256.req
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmDecrypt128.sam
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmDecrypt192.sam
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmDecrypt256.sam
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmEncryptExtIV128.sam
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmEncryptExtIV192.sam
security/nss/tests/fips/cavs_samples/AES_GCM/sample/gcmEncryptExtIV256.sam
security/nss/tests/fips/cavs_samples/DRBG800-90A/fax/Hash_DRBG.fax
security/nss/tests/fips/cavs_samples/DRBG800-90A/req/Hash_DRBG.req
security/nss/tests/fips/cavs_samples/DRBG800-90A/sample/Hash_DRBG.sam
security/nss/tests/fips/cavs_samples/DSA2/fax/KeyPair.fax
security/nss/tests/fips/cavs_samples/DSA2/fax/PQGGen.fax
security/nss/tests/fips/cavs_samples/DSA2/fax/PQGVer1863.fax
security/nss/tests/fips/cavs_samples/DSA2/fax/SigGen.fax
security/nss/tests/fips/cavs_samples/DSA2/fax/SigVer.fax
security/nss/tests/fips/cavs_samples/DSA2/req/KeyPair.req
security/nss/tests/fips/cavs_samples/DSA2/req/PQGGen.req
security/nss/tests/fips/cavs_samples/DSA2/req/PQGVer1863.req
security/nss/tests/fips/cavs_samples/DSA2/req/SigGen.req
security/nss/tests/fips/cavs_samples/DSA2/req/SigVer.req
security/nss/tests/fips/cavs_samples/DSA2/sample/KeyPair.sam
security/nss/tests/fips/cavs_samples/DSA2/sample/PQGVer1863.sam
security/nss/tests/fips/cavs_samples/DSA2/sample/SigGen.sam
security/nss/tests/fips/cavs_samples/DSA2/sample/SigVer.sam
security/nss/tests/fips/cavs_samples/ECDSA2/fax/KeyPair.fax
security/nss/tests/fips/cavs_samples/ECDSA2/fax/PKV.fax
security/nss/tests/fips/cavs_samples/ECDSA2/fax/SigGen.fax
security/nss/tests/fips/cavs_samples/ECDSA2/fax/SigVer.fax
security/nss/tests/fips/cavs_samples/ECDSA2/req/KeyPair.req
security/nss/tests/fips/cavs_samples/ECDSA2/req/PKV.req
security/nss/tests/fips/cavs_samples/ECDSA2/req/SigGen.req
security/nss/tests/fips/cavs_samples/ECDSA2/req/SigVer.req
security/nss/tests/fips/cavs_samples/ECDSA2/sample/KeyPair.sam
security/nss/tests/fips/cavs_samples/ECDSA2/sample/PKV.sam
security/nss/tests/fips/cavs_samples/ECDSA2/sample/SigGen.sam
security/nss/tests/fips/cavs_samples/ECDSA2/sample/SigVer.sam
security/nss/tests/fips/cavs_samples/HMAC/fax/HMAC.fax
security/nss/tests/fips/cavs_samples/HMAC/req/HMAC.req
security/nss/tests/fips/cavs_samples/HMAC/sample/HMAC.sam
security/nss/tests/fips/cavs_samples/IKE/fax/README
security/nss/tests/fips/cavs_samples/IKE/fax/ikev1_dsa.fax
security/nss/tests/fips/cavs_samples/IKE/fax/ikev1_psk.fax
security/nss/tests/fips/cavs_samples/IKE/fax/ikev2.fax
security/nss/tests/fips/cavs_samples/IKE/req/ikev1_dsa.req
security/nss/tests/fips/cavs_samples/IKE/req/ikev1_dsa.req_orig
security/nss/tests/fips/cavs_samples/IKE/req/ikev1_psk.req
security/nss/tests/fips/cavs_samples/IKE/req/ikev2.req
security/nss/tests/fips/cavs_samples/KAS/fax/KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASValidityTest_FFCEphem_NOKC_ZZOnly_init.fax
security/nss/tests/fips/cavs_samples/KAS/fax/KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.fax
security/nss/tests/fips/cavs_samples/KAS/req/KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
security/nss/tests/fips/cavs_samples/KAS/req/KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
security/nss/tests/fips/cavs_samples/KAS/req/KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
security/nss/tests/fips/cavs_samples/KAS/req/KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
security/nss/tests/fips/cavs_samples/KAS/req/KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
security/nss/tests/fips/cavs_samples/KAS/req/KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
security/nss/tests/fips/cavs_samples/KAS/req/KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
security/nss/tests/fips/cavs_samples/KAS/req/KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
security/nss/tests/fips/cavs_samples/KDF135/fax/tls.fax
security/nss/tests/fips/cavs_samples/KDF135/req/tls.req
security/nss/tests/fips/cavs_samples/KDF135/sample/tls.sam
security/nss/tests/fips/cavs_samples/RSA2/fax/KeyGen3_3_KAT.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/KeyGen_RandomProbablyPrime3_3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigGen15_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigGen931_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigGenPSS_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigVer15_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigVer931_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/fax/SigVerPSS_186-3.fax
security/nss/tests/fips/cavs_samples/RSA2/req/KeyGen3_3_KAT.req
security/nss/tests/fips/cavs_samples/RSA2/req/KeyGenRSA1862.req
security/nss/tests/fips/cavs_samples/RSA2/req/KeyGen_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/KeyGen_RandomProbablyPrime3_3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigGen15_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigGen931_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigGenPSS_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigVer15_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigVer931_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/req/SigVerPSS_186-3.req
security/nss/tests/fips/cavs_samples/RSA2/sample/SigGen15_186-3.sam
security/nss/tests/fips/cavs_samples/RSA2/sample/SigVer15_186-3.sam
security/nss/tests/fips/cavs_samples/SHA/fax/SHA1LongMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA1Monte.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA1ShortMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA224LongMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA224Monte.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA224ShortMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA256LongMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA256Monte.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA256ShortMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA384LongMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA384Monte.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA384ShortMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA512LongMsg.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA512Monte.fax
security/nss/tests/fips/cavs_samples/SHA/fax/SHA512ShortMsg.fax
security/nss/tests/fips/cavs_samples/SHA/req/SHA1LongMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA1Monte.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA1ShortMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA224LongMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA224Monte.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA224ShortMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA256LongMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA256Monte.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA256ShortMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA384LongMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA384Monte.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA384ShortMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA512LongMsg.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA512Monte.req
security/nss/tests/fips/cavs_samples/SHA/req/SHA512ShortMsg.req
security/nss/tests/fips/cavs_samples/SHA/sample/SHA1LongMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA1Monte.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA1ShortMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA224LongMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA224Monte.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA224ShortMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA256LongMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA256Monte.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA256ShortMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA384LongMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA384Monte.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA384ShortMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA512LongMsg.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA512Monte.sam
security/nss/tests/fips/cavs_samples/SHA/sample/SHA512ShortMsg.sam
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMonte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMonte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCMonte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCinvperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCpermop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCsubtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCvarkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCBCvartext.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1MMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1MMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1MMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1Monte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1Monte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1Monte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1invperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1permop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1subtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1varkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB1vartext.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64MMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64MMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64MMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64Monte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64Monte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64Monte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64invperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64permop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64subtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64varkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB64vartext.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8MMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8MMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8MMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8Monte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8Monte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8Monte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8invperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8permop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8subtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8varkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TCFB8vartext.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMonte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMonte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBMonte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBinvperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBpermop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBsubtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBvarkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TECBvartext.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMMT1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMMT2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMMT3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMonte1.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMonte2.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBMonte3.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBinvperm.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBpermop.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBsubtab.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBvarkey.fax
security/nss/tests/fips/cavs_samples/TDES/fax/TOFBvartext.fax
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMonte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMonte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCMonte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCinvperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCpermop.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCsubtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCvarkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TCBCvartext.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1MMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1MMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1MMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1Monte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1Monte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1Monte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1invperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1permop.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1subtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1varkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB1vartext.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64MMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64MMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64MMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64Monte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64Monte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64Monte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64invperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64permop.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64subtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64varkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB64vartext.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8MMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8MMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8MMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8Monte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8Monte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8Monte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8invperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8permop.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8subtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8varkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TCFB8vartext.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMonte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMonte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBMonte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBinvperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBpermop.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBsubtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBvarkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TECBvartext.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMMT1.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMMT2.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMMT3.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMonte1.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMonte2.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBMonte3.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBinvperm.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBpermop.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBsubtab.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBvarkey.req
security/nss/tests/fips/cavs_samples/TDES/req/TOFBvartext.req
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCMMT2.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCMMT3.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCMonte2.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCMonte3.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCinvperm.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCpermop.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCsubtab.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCvarkey.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TCBCvartext.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBMMT2.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBMMT3.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBMonte2.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBMonte3.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBinvperm.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBpermop.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBsubtab.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBvarkey.sam
security/nss/tests/fips/cavs_samples/TDES/sample/TECBvartext.sam
security/nss/tests/fips/cavs_scripts/README
security/nss/tests/fips/cavs_scripts/aes.sh
security/nss/tests/fips/cavs_scripts/aesgcm.sh
security/nss/tests/fips/cavs_scripts/dsa.sh
security/nss/tests/fips/cavs_scripts/ecdsa.sh
security/nss/tests/fips/cavs_scripts/hmac.sh
security/nss/tests/fips/cavs_scripts/ike.sh
security/nss/tests/fips/cavs_scripts/kas.sh
security/nss/tests/fips/cavs_scripts/rng.sh
security/nss/tests/fips/cavs_scripts/rsa.sh
security/nss/tests/fips/cavs_scripts/runtest.sh
security/nss/tests/fips/cavs_scripts/sha.sh
security/nss/tests/fips/cavs_scripts/tdea.sh
security/nss/tests/fips/cavs_scripts/tls.sh
security/nss/tests/fips/cavs_scripts/validate.sh
security/nss/tests/fips/cavs_scripts/validate1.sh
security/nss/tests/fips/fips.sh
--- a/old-configure.in
+++ b/old-configure.in
@@ -1532,17 +1532,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.44, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.44.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
 if test -z "$MOZ_SYSTEM_NSS"; then
    case "${OS_ARCH}" in
         # Only few platforms have been tested with GYP
         WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
             ;;
--- a/security/nss/.taskcluster.yml
+++ b/security/nss/.taskcluster.yml
@@ -16,20 +16,22 @@ tasks:
         $if: '"@" in push.owner'
         then: '${push.owner}'
         else: '${push.owner}@noreply.mozilla.org'
       # ensure there's no trailing `/` on the repo URL
       repoUrl:
         $if: 'repository.url[-1] == "/"'
         then: {$eval: 'repository.url[:-1]'}
         else: {$eval: 'repository.url'}
+      # scheduler id
+      schedulerId: 'nss-level-${repository.level}'
     in:
       taskId: '${ownTaskId}'
       taskGroupId: '${ownTaskId}'
-      schedulerId: 'nss-level-${repository.level}'
+      schedulerId: '${schedulerId}'
       created: {$fromNow: ''}
       deadline: {$fromNow: '1 day'}
       expires: {$fromNow: '14 days'}
 
       metadata:
         owner: mozilla-taskcluster-maintenance@mozilla.com
         source: "${repository.url}"
         name: "NSS Decision Task"
@@ -51,16 +53,17 @@ tasks:
       payload:
         # TODO: use nssdev org , not djmitche, once the image is pushed there
         image: djmitche/nss-decision:0.0.3
 
         env:
           TC_OWNER: "${push.owner}"
           TC_SOURCE: "${repository.url}"
           TC_PROJECT: ${repository.project}
+          TC_SCHEDULER_ID: "${schedulerId}"
           NSS_PUSHLOG_ID: '${push.pushlog_id}'
           NSS_HEAD_REPOSITORY: '${repository.url}'
           NSS_HEAD_REVISION: '${push.revision}'
 
         maxRunTime: 1800
 
         command:
           - bash
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_44_RTM
+NSS_3_44_1_RTM
--- a/security/nss/automation/taskcluster/graph/src/queue.js
+++ b/security/nss/automation/taskcluster/graph/src/queue.js
@@ -130,17 +130,18 @@ function convertTask(def) {
     if (payload.features.allowPtrace) {
       scopes.push("docker-worker:feature:allowPtrace");
     }
   }
 
   return {
     provisionerId: def.provisioner || "aws-provisioner-v1",
     workerType: def.workerType || "hg-worker",
-    schedulerId: "task-graph-scheduler",
+    schedulerId: process.env.TC_SCHEDULER_ID,
+    taskGroupId: process.env.TASK_ID,
 
     scopes,
     created: fromNow(0),
     deadline: fromNow(24),
 
     dependencies,
     routes: parseRoutes(def.routes || []),
 
--- a/security/nss/automation/taskcluster/scripts/check_abi.sh
+++ b/security/nss/automation/taskcluster/scripts/check_abi.sh
@@ -98,16 +98,17 @@ abi_diff()
       fi
       abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
           $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
           > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
       RET=$?
       cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \
           | grep -v "^Functions changes summary:" \
           | grep -v "^Variables changes summary:" \
+          | sed -e 's/__anonymous_enum__[0-9]*/__anonymous_enum__/g' \
           > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
       rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
 
       ABIDIFF_ERROR=$((($RET & 0x01) != 0))
       ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0))
       ABIDIFF_ABI_CHANGE=$((($RET & 0x04) != 0))
       ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$((($RET & 0x08) != 0))
       ABIDIFF_UNKNOWN_BIT_SET=$((($RET & 0xf0) != 0))
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -45,16 +45,17 @@ clean=0
 rebuild_gyp=0
 rebuild_nspr=0
 target=Debug
 verbose=0
 fuzz=0
 fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
+sslkeylogfile=1
 
 gyp_params=(--depth="$cwd" --generator-output=".")
 ninja_params=()
 
 # Assume that the target architecture is the same as the host by default.
 host_arch=$(python "$cwd"/coreconf/detect_host_arch.py)
 target_arch=$host_arch
 
@@ -99,30 +100,33 @@ while [ $# -gt 0 ]; do
         --ct-verif) gyp_params+=(-Dct_verif=1) ;;
         --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
         --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
         --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
         --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
+        --disable-keylog) sslkeylogfile=0 ;;
 	-D*) gyp_params+=("$1") ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
 # Set the target architecture and build type.
 gyp_params+=(-Dtarget_arch="$target_arch")
 if [ "$opt_build" = 1 ]; then
     target=Release
 else
     target=Debug
 fi
 
+gyp_params+=(-Denable_sslkeylogfile="$sslkeylogfile")
+
 # Do special setup.
 if [ "$fuzz" = 1 ]; then
     source "$cwd"/coreconf/fuzz.sh
 fi
 nspr_set_flags $sanitizer_flags
 if [ ! -z "$sanitizer_flags" ]; then
     gyp_params+=(-Dsanitizer_flags="$sanitizer_flags")
 fi
new file mode 100644
--- /dev/null
+++ b/security/nss/cmd/fipstest/README
@@ -0,0 +1,1 @@
+The scripts have been moved to tests/fips/cavs_scripts
deleted file mode 100644
--- a/security/nss/cmd/fipstest/aes.sh
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/sh
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-#
-# A Bourne shell script for running the NIST AES Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/AES
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-cbc_kat_requests="
-CBCGFSbox128.req
-CBCGFSbox192.req
-CBCGFSbox256.req
-CBCKeySbox128.req
-CBCKeySbox192.req
-CBCKeySbox256.req
-CBCVarKey128.req
-CBCVarKey192.req
-CBCVarKey256.req
-CBCVarTxt128.req
-CBCVarTxt192.req
-CBCVarTxt256.req
-"
-
-cbc_mct_requests="
-CBCMCT128.req
-CBCMCT192.req
-CBCMCT256.req
-"
-
-cbc_mmt_requests="
-CBCMMT128.req
-CBCMMT192.req
-CBCMMT256.req
-"
-
-ecb_kat_requests="
-ECBGFSbox128.req
-ECBGFSbox192.req
-ECBGFSbox256.req
-ECBKeySbox128.req
-ECBKeySbox192.req
-ECBKeySbox256.req
-ECBVarKey128.req
-ECBVarKey192.req
-ECBVarKey256.req
-ECBVarTxt128.req
-ECBVarTxt192.req
-ECBVarTxt256.req
-"
-
-ecb_mct_requests="
-ECBMCT128.req
-ECBMCT192.req
-ECBMCT256.req
-"
-
-ecb_mmt_requests="
-ECBMMT128.req
-ECBMMT192.req
-ECBMMT256.req
-"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do
-	sh ./validate1.sh ${TESTDIR} $request
-    done
-    exit 0
-fi
-
-for request in $cbc_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $cbc_mct_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mct cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $cbc_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes kat ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_mct_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mct ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
deleted file mode 100644
--- a/security/nss/cmd/fipstest/aesgcm.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST AES Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/AES_GCM
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-gcm_decrypt_requests="
-gcmDecrypt128.req
-gcmDecrypt192.req
-gcmDecrypt256.req
-"
-
-gcm_encrypt_extiv_requests="
-gcmEncryptExtIV128.req
-gcmEncryptExtIV192.req
-gcmEncryptExtIV256.req
-"
-gcm_encrypt_intiv_requests="
-"
-
-#gcm_encrypt_intiv_requests="
-#gcmEncryptIntIV128.req
-#gcmEncryptIntIV192.req
-#gcmEncryptIntIV256.req
-#"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $gcm_decrypt_requests $gcm_encrypt_extiv_requests; do
-	sh ./validate1.sh ${TESTDIR} $request ' ' '-e /Reason:/d'
-    done
-    for request in $gcm_encrypt_intiv_requests; do
-	name=`basename $request .req`
-    	echo ">>>>>  $name"
-        fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL
-    done
-    exit 0
-fi
-
-for request in $gcm_decrypt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $gcm_encrypt_intiv_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes gcm encrypt_intiv ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $gcm_encrypt_extiv_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest aes gcm encrypt_extiv ${REQDIR}/$request > ${RSPDIR}/$response
-done
deleted file mode 100755
--- a/security/nss/cmd/fipstest/dsa.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST DSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/DSA2
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-
-#
-# several of the DSA tests do use known answer tests to verify the result.
-# in those cases, feed generated tests back into the fipstest tool and
-# see if we can verify those value. NOTE: th PQGVer and SigVer tests verify
-# the dsa pqgver and dsa sigver functions, so we know they can detect errors
-# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
-#
-if [ ${COMMAND} = "verify" ]; then
-# verify generated keys
-    name=KeyPair
-    echo ">>>>>  $name"
-    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify generated pqg values
-    name=PQGGen
-    echo ">>>>>  $name"
-    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify PQGVer with known answer
-#    sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
-# verify signatures
-    name=SigGen
-    echo ">>>>>  $name"
-    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify SigVer with known answer
-    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
-    exit 0
-fi
-
-request=KeyPair.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=PQGGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqggen ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=PQGVer1863.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa pqgver ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=SigGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=SigVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
deleted file mode 100644
--- a/security/nss/cmd/fipstest/ecdsa.sh
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST ECDSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/ECDSA2
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-#
-# several of the ECDSA tests do not use known answer tests to verify the result.
-# In those cases, feed generated tests back into the fipstest tool and
-# see if we can verify those value. NOTE:  PQGVer and SigVer tests verify
-# the dsa pqgver and dsa sigver functions, so we know they can detect errors
-# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular.
-#
-if [ ${COMMAND} = "verify" ]; then
-# verify generated keys
-    name=KeyPair
-    echo ">>>>>  $name"
-    fipstest ecdsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-    sh ./validate1.sh ${TESTDIR} PKV.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
-# verify signatures
-    name=SigGen
-    echo ">>>>>  $name"
-    fipstest ecdsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify SigVer with known answer
-    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
-    exit 0
-fi
-
-request=KeyPair.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=PKV.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa pkv ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=SigGen.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=SigVer.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -29,16 +29,21 @@
 #undef CK_PKCS11_FUNCTION_INFO
 #undef CK_NEED_ARG_LIST
 #undef __PASTE
 #define SSL3_RANDOM_LENGTH 32
 
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
+#define MATCH_OPENSSL 1
+/*#define MATCH_NIST 1 */
+#ifdef MATCH_NIST
+#define VERBOSE_REASON 1
+#endif
 
 extern SECStatus
 EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
 extern SECStatus
 EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
               const ECParams *srcParams);
 
 #define ENCRYPT 1
@@ -3164,16 +3169,20 @@ ecdh_functional(char *reqfn, PRBool resp
                 fprintf(stderr, "generate key had invalid public value len\n");
                 goto loser;
             }
             uit_len = (uit_len - 1) / 2;
             if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
                 fprintf(stderr, "generate key was compressed\n");
                 goto loser;
             }
+            fputs("deIUT = ", ecdhresp);
+            to_hex_str(buf, ecpriv->privateValue.data, ecpriv->privateValue.len);
+            fputs(buf, ecdhresp);
+            fputc('\n', ecdhresp);
             fputs("QeIUTx = ", ecdhresp);
             to_hex_str(buf, &ecpriv->publicValue.data[1], uit_len);
             fputs(buf, ecdhresp);
             fputc('\n', ecdhresp);
             fputs("QeIUTy = ", ecdhresp);
             to_hex_str(buf, &ecpriv->publicValue.data[1 + uit_len], uit_len);
             fputs(buf, ecdhresp);
             fputc('\n', ecdhresp);
@@ -3210,17 +3219,16 @@ loser:
         }
     }
     if (pubkey.data != NULL) {
         PORT_Free(pubkey.data);
     }
     fclose(ecdhreq);
 }
 
-#define MATCH_OPENSSL 1
 /*
  * Perform the ECDH Validity Test.
  *
  * reqfn is the pathname of the REQUEST file.
  *
  * The output RESPONSE file is written to stdout.
  */
 void
@@ -3403,42 +3411,47 @@ ecdh_verify(char *reqfn, PRBool response
         if (strncmp(buf, "QeIUTx", 6) == 0) {
             fputs(buf, ecdhresp);
             continue;
         }
         if (strncmp(buf, "QeIUTy", 6) == 0) {
             fputs(buf, ecdhresp);
             continue;
         }
-        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+        if ((strncmp(buf, "CAVSHashZZ", 10) == 0) ||
+            (strncmp(buf, "HashZZ", 6) == 0)) {
             fputs(buf, ecdhresp);
-            i = 10;
+            i = (buf[0] == 'C') ? 10 : 6;
             while (isspace(buf[i]) || buf[i] == '=') {
                 i++;
             }
             from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
             if (current_ecparams == NULL) {
                 fprintf(stderr, "no curve defined for type defined\n");
                 goto loser;
             }
             /* validate CAVS public key */
             if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) {
-#ifdef MATCH_OPENSSL
+#ifdef VERBOSE_REASON
+                fprintf(ecdhresp, "Result = F # key didn't validate\n");
+#else
                 fprintf(ecdhresp, "Result = F\n");
-#else
-                fprintf(ecdhresp, "Result = F # key didn't validate\n");
 #endif
                 continue;
             }
 
             /* ECDH */
             if (ECDH_Derive(&pubkey, current_ecparams, &private_value,
                             PR_FALSE, &ZZ) != SECSuccess) {
-                fprintf(stderr, "Derive failed\n");
-                goto loser;
+#ifdef VERBOSE_REASON
+                fprintf(ecdhresp, "Result = F # derive failure\n");
+#else
+                fprintf(ecdhresp, "Result = F\n");
+#endif
+                continue;
             }
 /* output  ZZ */
 #ifndef MATCH_OPENSSL
             fputs("Z = ", ecdhresp);
             to_hex_str(buf, ZZ.data, ZZ.len);
             fputs(buf, ecdhresp);
             fputc('\n', ecdhresp);
 #endif
@@ -3450,20 +3463,20 @@ ecdh_verify(char *reqfn, PRBool response
             SECITEM_FreeItem(&ZZ, PR_FALSE);
 #ifndef MATCH_NIST
             fputs("IUTHashZZ = ", ecdhresp);
             to_hex_str(buf, hashBuf, fips_hashLen(hash));
             fputs(buf, ecdhresp);
             fputc('\n', ecdhresp);
 #endif
             if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
-#ifdef MATCH_OPENSSL
+#ifdef VERBOSE_REASON
+                fprintf(ecdhresp, "Result = F # hash doesn't match\n");
+#else
                 fprintf(ecdhresp, "Result = F\n");
-#else
-                fprintf(ecdhresp, "Result = F # hash doesn't match\n");
 #endif
             } else {
                 fprintf(ecdhresp, "Result = P\n");
             }
 #ifndef MATCH_OPENSSL
             fputc('\n', ecdhresp);
 #endif
             continue;
@@ -3670,17 +3683,16 @@ dh_functional(char *reqfn, PRBool respon
     }
 loser:
     if (dsapriv != NULL) {
         PORT_FreeArena(dsapriv->params.arena, PR_TRUE);
     }
     fclose(dhreq);
 }
 
-#define MATCH_OPENSSL 1
 /*
  * Perform the DH Validity Test.
  *
  * reqfn is the pathname of the REQUEST file.
  *
  * The output RESPONSE file is written to stdout.
  */
 void
@@ -3841,19 +3853,20 @@ dh_verify(char *reqfn, PRBool response)
             continue;
         }
         /* YephemUIT = ... */
         if (strncmp(buf, "YephemIUT", 9) == 0) {
             fputs(buf, dhresp);
             continue;
         }
         /* CAVSHashZZ = ... */
-        if (strncmp(buf, "CAVSHashZZ", 10) == 0) {
+        if ((strncmp(buf, "CAVSHashZZ", 10) == 0) ||
+            (strncmp(buf, "HashZZ", 6) == 0)) {
             fputs(buf, dhresp);
-            i = 10;
+            i = buf[0] == 'C' ? 10 : 6;
             while (isspace(buf[i]) || buf[i] == '=') {
                 i++;
             }
             from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]);
             /* do the DH operation*/
             if (DH_Derive(&pubkey, &pqg.prime, &privkey,
                           &ZZ, pqg.prime.len) != SECSuccess) {
                 fprintf(stderr, "Derive failed\n");
@@ -3866,17 +3879,17 @@ dh_verify(char *reqfn, PRBool response)
             fputs(buf, dhresp);
             fputc('\n', dhresp);
 #endif
             if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) {
                 fprintf(stderr, "hash of derived key failed\n");
                 goto loser;
             }
             SECITEM_FreeItem(&ZZ, PR_FALSE);
-#ifndef MATCH_NIST_
+#ifndef MATCH_NIST
             fputs("IUTHashZZ = ", dhresp);
             to_hex_str(buf, hashBuf, fips_hashLen(hash));
             fputs(buf, dhresp);
             fputc('\n', dhresp);
 #endif
             if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) {
                 fprintf(dhresp, "Result = F\n");
             } else {
@@ -6895,16 +6908,1306 @@ loser:
     if (master_secret)
         free(master_secret);
     if (key_block)
         free(key_block);
     if (tlsreq)
         fclose(tlsreq);
 }
 
+void
+ikev1(char *reqfn)
+{
+    char buf[4096]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "g^xy = <2048 hex digits>\n".
+                         */
+    unsigned char *gxy = NULL;
+    int gxy_len;
+    unsigned char *Ni = NULL;
+    int Ni_len;
+    unsigned char *Nr = NULL;
+    int Nr_len;
+    unsigned char CKYi[8];
+    int CKYi_len;
+    unsigned char CKYr[8];
+    int CKYr_len;
+    unsigned int i, j;
+    FILE *ikereq = NULL; /* input stream from the REQUEST file */
+    FILE *ikeresp;       /* output stream to the RESPONSE file */
+
+    CK_SLOT_ID slotList[10];
+    CK_SLOT_ID slotID;
+    CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]);
+    CK_ULONG count;
+    static const CK_C_INITIALIZE_ARGS pk11args = {
+        NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS,
+        (void *)"flags=readOnly,noCertDB,noModDB", NULL
+    };
+    static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY;
+    static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET;
+    static CK_BBOOL ck_true = CK_TRUE;
+    static CK_ULONG keyLen = 1;
+    CK_ATTRIBUTE gxy_template[] = {
+        { CKA_VALUE, NULL, 0 }, /* must be first */
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+    };
+    CK_ULONG gxy_template_count =
+        sizeof(gxy_template) / sizeof(gxy_template[0]);
+    CK_ATTRIBUTE derive_template[] = {
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+        { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, /* must be last */
+    };
+    CK_ULONG derive_template_count =
+        sizeof(derive_template) / sizeof(derive_template[0]);
+    CK_ATTRIBUTE skeyid_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_d_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_a_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_e_template =
+        { CKA_VALUE, NULL, 0 };
+    unsigned char skeyid_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_d_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_a_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_e_secret[HASH_LENGTH_MAX];
+
+    CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 };
+    CK_MECHANISM ike1_mech = { CKM_NSS_IKE1_PRF_DERIVE, NULL, 0 };
+    CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf;
+    CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf;
+    CK_RV crv;
+
+    /* set up PKCS #11 parameters */
+    ike_prf.bDataAsKey = PR_TRUE;
+    ike_prf.bRekey = PR_FALSE;
+    ike_prf.hNewKey = CK_INVALID_HANDLE;
+    CKYi_len = sizeof(CKYi);
+    CKYr_len = sizeof(CKYr);
+    ike1_prf.pCKYi = CKYi;
+    ike1_prf.ulCKYiLen = CKYi_len;
+    ike1_prf.pCKYr = CKYr;
+    ike1_prf.ulCKYrLen = CKYr_len;
+    ike_mech.pParameter = &ike_prf;
+    ike_mech.ulParameterLen = sizeof(ike_prf);
+    ike1_mech.pParameter = &ike1_prf;
+    ike1_mech.ulParameterLen = sizeof(ike1_prf);
+    skeyid_template.pValue = skeyid_secret;
+    skeyid_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_d_template.pValue = skeyid_d_secret;
+    skeyid_d_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_a_template.pValue = skeyid_a_secret;
+    skeyid_a_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_e_template.pValue = skeyid_e_secret;
+    skeyid_e_template.ulValueLen = HASH_LENGTH_MAX;
+
+    crv = NSC_Initialize((CK_VOID_PTR)&pk11args);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    count = slotListCount;
+    crv = NSC_GetSlotList(PR_TRUE, slotList, &count);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    if ((count > slotListCount) || count < 1) {
+        fprintf(stderr,
+                "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n",
+                (int)count, (int)slotListCount);
+        goto loser;
+    }
+    slotID = slotList[0];
+    ikereq = fopen(reqfn, "r");
+    ikeresp = stdout;
+    while (fgets(buf, sizeof buf, ikereq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* [.....] */
+        if (buf[0] == '[') {
+            if (strncmp(buf, "[SHA-1]", 7) == 0) {
+                ike_prf.prfMechanism = CKM_SHA_1_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA_1_HMAC;
+            }
+            if (strncmp(buf, "[SHA-224]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA224_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA224_HMAC;
+            }
+            if (strncmp(buf, "[SHA-256]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA256_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA256_HMAC;
+            }
+            if (strncmp(buf, "[SHA-384]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA384_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA384_HMAC;
+            }
+            if (strncmp(buf, "[SHA-512]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA512_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA512_HMAC;
+            }
+            if (strncmp(buf, "[AES-XCBC", 9) == 0) {
+                ike_prf.prfMechanism = CKM_AES_XCBC_MAC;
+                ike1_prf.prfMechanism = CKM_AES_XCBC_MAC;
+            }
+            if (strncmp(buf, "[g^xy", 5) == 0) {
+                if (sscanf(buf, "[g^xy length = %d]",
+                           &gxy_len) != 1) {
+                    goto loser;
+                }
+                gxy_len = gxy_len / 8;
+                if (gxy)
+                    free(gxy);
+                gxy = malloc(gxy_len);
+                gxy_template[0].pValue = gxy;
+                gxy_template[0].ulValueLen = gxy_len;
+            }
+            if (strncmp(buf, "[Ni", 3) == 0) {
+                if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) {
+                    goto loser;
+                }
+                Ni_len = Ni_len / 8;
+                if (Ni)
+                    free(Ni);
+                Ni = malloc(Ni_len);
+                ike_prf.pNi = Ni;
+                ike_prf.ulNiLen = Ni_len;
+            }
+            if (strncmp(buf, "[Nr", 3) == 0) {
+                if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) {
+                    goto loser;
+                }
+                Nr_len = Nr_len / 8;
+                if (Nr)
+                    free(Nr);
+                Nr = malloc(Nr_len);
+                ike_prf.pNr = Nr;
+                ike_prf.ulNrLen = Nr_len;
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* "COUNT = x" begins a new data set */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* zeroize the variables for the test with this data set */
+            memset(gxy, 0, gxy_len);
+            memset(Ni, 0, Ni_len);
+            memset(Nr, 0, Nr_len);
+            memset(CKYi, 0, CKYi_len);
+            memset(CKYr, 0, CKYr_len);
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Ni = ... */
+        if (strncmp(buf, "Ni", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Ni_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Ni[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Nr = ... */
+        if (strncmp(buf, "Nr", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Nr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Nr[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* CKYi = ... */
+        if (strncmp(buf, "CKY_I", 5) == 0) {
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < CKYi_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &CKYi[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* CKYr = ... */
+        if (strncmp(buf, "CKY_R", 5) == 0) {
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < CKYr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &CKYr[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* g^xy = ... */
+        if (strncmp(buf, "g^xy", 4) == 0) {
+            CK_SESSION_HANDLE session;
+            CK_OBJECT_HANDLE gxy_handle;
+            CK_OBJECT_HANDLE skeyid_handle;
+            CK_OBJECT_HANDLE skeyid_d_handle;
+            CK_OBJECT_HANDLE skeyid_a_handle;
+            CK_OBJECT_HANDLE skeyid_e_handle;
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < gxy_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &gxy[j]);
+            }
+            fputs(buf, ikeresp);
+            crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_CreateObject(session, gxy_template,
+                                   gxy_template_count, &gxy_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            /* get the skeyid key */
+            crv = NSC_DeriveKey(session, &ike_mech, gxy_handle,
+                                derive_template, derive_template_count - 1,
+                                &skeyid_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            skeyid_template.ulValueLen = HASH_LENGTH_MAX;
+            crv = NSC_GetAttributeValue(session, skeyid_handle,
+                                        &skeyid_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            /* use the length of the skeyid to set the target length of all the
+             * other keys */
+            keyLen = skeyid_template.ulValueLen;
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = PR_FALSE;
+            ike1_prf.keyNumber = 0;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_d_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_d) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = CK_TRUE;
+            ike1_prf.hPrevKey = skeyid_d_handle;
+            ike1_prf.keyNumber = 1;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_a_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_a) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = CK_TRUE;
+            ike1_prf.hPrevKey = skeyid_a_handle;
+            ike1_prf.keyNumber = 2;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_e_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_e) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID = ", ikeresp);
+            to_hex_str(buf, skeyid_secret, keyLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_d_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_d_handle,
+                                        &skeyid_d_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_d) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_d = ", ikeresp);
+            to_hex_str(buf, skeyid_d_secret, skeyid_d_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_a_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_a_handle,
+                                        &skeyid_a_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_a) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_a = ", ikeresp);
+            to_hex_str(buf, skeyid_a_secret, skeyid_a_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_e_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_e_handle,
+                                        &skeyid_e_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_e) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_e = ", ikeresp);
+            to_hex_str(buf, skeyid_e_secret, skeyid_e_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            crv = NSC_CloseSession(session);
+            continue;
+        }
+    }
+loser:
+    NSC_Finalize(NULL);
+    if (gxy)
+        free(gxy);
+    if (Ni)
+        free(Ni);
+    if (Nr)
+        free(Nr);
+    if (ikereq)
+        fclose(ikereq);
+}
+
+void
+ikev1_psk(char *reqfn)
+{
+    char buf[4096]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "g^xy = <2048 hex digits>\n".
+                         */
+    unsigned char *gxy = NULL;
+    int gxy_len;
+    unsigned char *Ni = NULL;
+    int Ni_len;
+    unsigned char *Nr = NULL;
+    int Nr_len;
+    unsigned char CKYi[8];
+    int CKYi_len;
+    unsigned char CKYr[8];
+    int CKYr_len;
+    unsigned char *psk = NULL;
+    int psk_len;
+    unsigned int i, j;
+    FILE *ikereq = NULL; /* input stream from the REQUEST file */
+    FILE *ikeresp;       /* output stream to the RESPONSE file */
+
+    CK_SLOT_ID slotList[10];
+    CK_SLOT_ID slotID;
+    CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]);
+    CK_ULONG count;
+    static const CK_C_INITIALIZE_ARGS pk11args = {
+        NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS,
+        (void *)"flags=readOnly,noCertDB,noModDB", NULL
+    };
+    static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY;
+    static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET;
+    static CK_BBOOL ck_true = CK_TRUE;
+    static CK_ULONG keyLen = 1;
+    CK_ATTRIBUTE gxy_template[] = {
+        { CKA_VALUE, NULL, 0 }, /* must be first */
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+    };
+    CK_ULONG gxy_template_count =
+        sizeof(gxy_template) / sizeof(gxy_template[0]);
+    CK_ATTRIBUTE psk_template[] = {
+        { CKA_VALUE, NULL, 0 }, /* must be first */
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+    };
+    CK_ULONG psk_template_count =
+        sizeof(psk_template) / sizeof(psk_template[0]);
+    CK_ATTRIBUTE derive_template[] = {
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+        { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, /* must be last */
+    };
+    CK_ULONG derive_template_count =
+        sizeof(derive_template) / sizeof(derive_template[0]);
+    CK_ATTRIBUTE skeyid_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_d_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_a_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE skeyid_e_template =
+        { CKA_VALUE, NULL, 0 };
+    unsigned char skeyid_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_d_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_a_secret[HASH_LENGTH_MAX];
+    unsigned char skeyid_e_secret[HASH_LENGTH_MAX];
+
+    CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 };
+    CK_MECHANISM ike1_mech = { CKM_NSS_IKE1_PRF_DERIVE, NULL, 0 };
+    CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf;
+    CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf;
+    CK_RV crv;
+
+    /* set up PKCS #11 parameters */
+    ike_prf.bDataAsKey = PR_FALSE;
+    ike_prf.bRekey = PR_FALSE;
+    ike_prf.hNewKey = CK_INVALID_HANDLE;
+    CKYi_len = 8;
+    CKYr_len = 8;
+    ike1_prf.pCKYi = CKYi;
+    ike1_prf.ulCKYiLen = CKYi_len;
+    ike1_prf.pCKYr = CKYr;
+    ike1_prf.ulCKYrLen = CKYr_len;
+    ike_mech.pParameter = &ike_prf;
+    ike_mech.ulParameterLen = sizeof(ike_prf);
+    ike1_mech.pParameter = &ike1_prf;
+    ike1_mech.ulParameterLen = sizeof(ike1_prf);
+    skeyid_template.pValue = skeyid_secret;
+    skeyid_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_d_template.pValue = skeyid_d_secret;
+    skeyid_d_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_a_template.pValue = skeyid_a_secret;
+    skeyid_a_template.ulValueLen = HASH_LENGTH_MAX;
+    skeyid_e_template.pValue = skeyid_e_secret;
+    skeyid_e_template.ulValueLen = HASH_LENGTH_MAX;
+
+    crv = NSC_Initialize((CK_VOID_PTR)&pk11args);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    count = slotListCount;
+    crv = NSC_GetSlotList(PR_TRUE, slotList, &count);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    if ((count > slotListCount) || count < 1) {
+        fprintf(stderr,
+                "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n",
+                (int)count, (int)slotListCount);
+        goto loser;
+    }
+    slotID = slotList[0];
+    ikereq = fopen(reqfn, "r");
+    ikeresp = stdout;
+    while (fgets(buf, sizeof buf, ikereq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* [.....] */
+        if (buf[0] == '[') {
+            if (strncmp(buf, "[SHA-1]", 7) == 0) {
+                ike_prf.prfMechanism = CKM_SHA_1_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA_1_HMAC;
+            }
+            if (strncmp(buf, "[SHA-224]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA224_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA224_HMAC;
+            }
+            if (strncmp(buf, "[SHA-256]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA256_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA256_HMAC;
+            }
+            if (strncmp(buf, "[SHA-384]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA384_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA384_HMAC;
+            }
+            if (strncmp(buf, "[SHA-512]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA512_HMAC;
+                ike1_prf.prfMechanism = CKM_SHA512_HMAC;
+            }
+            if (strncmp(buf, "[AES-XCBC", 9) == 0) {
+                ike_prf.prfMechanism = CKM_AES_XCBC_MAC;
+                ike1_prf.prfMechanism = CKM_AES_XCBC_MAC;
+            }
+            if (strncmp(buf, "[g^xy", 5) == 0) {
+                if (sscanf(buf, "[g^xy length = %d]",
+                           &gxy_len) != 1) {
+                    goto loser;
+                }
+                gxy_len = gxy_len / 8;
+                if (gxy)
+                    free(gxy);
+                gxy = malloc(gxy_len);
+                gxy_template[0].pValue = gxy;
+                gxy_template[0].ulValueLen = gxy_len;
+            }
+            if (strncmp(buf, "[pre-shared-key", 15) == 0) {
+                if (sscanf(buf, "[pre-shared-key length = %d]",
+                           &psk_len) != 1) {
+                    goto loser;
+                }
+                psk_len = psk_len / 8;
+                if (psk)
+                    free(psk);
+                psk = malloc(psk_len);
+                psk_template[0].pValue = psk;
+                psk_template[0].ulValueLen = psk_len;
+            }
+            if (strncmp(buf, "[Ni", 3) == 0) {
+                if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) {
+                    goto loser;
+                }
+                Ni_len = Ni_len / 8;
+                if (Ni)
+                    free(Ni);
+                Ni = malloc(Ni_len);
+                ike_prf.pNi = Ni;
+                ike_prf.ulNiLen = Ni_len;
+            }
+            if (strncmp(buf, "[Nr", 3) == 0) {
+                if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) {
+                    goto loser;
+                }
+                Nr_len = Nr_len / 8;
+                if (Nr)
+                    free(Nr);
+                Nr = malloc(Nr_len);
+                ike_prf.pNr = Nr;
+                ike_prf.ulNrLen = Nr_len;
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* "COUNT = x" begins a new data set */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* zeroize the variables for the test with this data set */
+            memset(gxy, 0, gxy_len);
+            memset(Ni, 0, Ni_len);
+            memset(Nr, 0, Nr_len);
+            memset(CKYi, 0, CKYi_len);
+            memset(CKYr, 0, CKYr_len);
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Ni = ... */
+        if (strncmp(buf, "Ni", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Ni_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Ni[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Nr = ... */
+        if (strncmp(buf, "Nr", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Nr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Nr[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* CKYi = ... */
+        if (strncmp(buf, "CKY_I", 5) == 0) {
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < CKYi_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &CKYi[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* CKYr = ... */
+        if (strncmp(buf, "CKY_R", 5) == 0) {
+            i = 5;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < CKYr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &CKYr[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* g^xy = ... */
+        if (strncmp(buf, "g^xy", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < gxy_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &gxy[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* pre-shared-key = ... */
+        if (strncmp(buf, "pre-shared-key", 14) == 0) {
+            CK_SESSION_HANDLE session;
+            CK_OBJECT_HANDLE gxy_handle;
+            CK_OBJECT_HANDLE psk_handle;
+            CK_OBJECT_HANDLE skeyid_handle;
+            CK_OBJECT_HANDLE skeyid_d_handle;
+            CK_OBJECT_HANDLE skeyid_a_handle;
+            CK_OBJECT_HANDLE skeyid_e_handle;
+            i = 14;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < psk_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &psk[j]);
+            }
+            fputs(buf, ikeresp);
+            crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_CreateObject(session, psk_template,
+                                   psk_template_count, &psk_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject(psk) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_CreateObject(session, gxy_template,
+                                   gxy_template_count, &gxy_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject(gxy) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            /* get the skeyid key */
+            crv = NSC_DeriveKey(session, &ike_mech, psk_handle,
+                                derive_template, derive_template_count - 1,
+                                &skeyid_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            skeyid_template.ulValueLen = HASH_LENGTH_MAX;
+            crv = NSC_GetAttributeValue(session, skeyid_handle,
+                                        &skeyid_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            /* use the length of the skeyid to set the target length of all the
+             * other keys */
+            keyLen = skeyid_template.ulValueLen;
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = PR_FALSE;
+            ike1_prf.keyNumber = 0;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_d_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_d) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = CK_TRUE;
+            ike1_prf.hPrevKey = skeyid_d_handle;
+            ike1_prf.keyNumber = 1;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_a_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_a) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            ike1_prf.hKeygxy = gxy_handle;
+            ike1_prf.bHasPrevKey = CK_TRUE;
+            ike1_prf.hPrevKey = skeyid_a_handle;
+            ike1_prf.keyNumber = 2;
+            crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle,
+                                derive_template, derive_template_count,
+                                &skeyid_e_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid_e) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID = ", ikeresp);
+            to_hex_str(buf, skeyid_secret, keyLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_d_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_d_handle,
+                                        &skeyid_d_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_d) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_d = ", ikeresp);
+            to_hex_str(buf, skeyid_d_secret, skeyid_d_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_a_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_a_handle,
+                                        &skeyid_a_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_a) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_a = ", ikeresp);
+            to_hex_str(buf, skeyid_a_secret, skeyid_a_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            skeyid_e_template.ulValueLen = keyLen;
+            crv = NSC_GetAttributeValue(session, skeyid_e_handle,
+                                        &skeyid_e_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid_e) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYID_e = ", ikeresp);
+            to_hex_str(buf, skeyid_e_secret, skeyid_e_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            crv = NSC_CloseSession(session);
+            continue;
+        }
+    }
+loser:
+    NSC_Finalize(NULL);
+    if (psk)
+        free(psk);
+    if (gxy)
+        free(gxy);
+    if (Ni)
+        free(Ni);
+    if (Nr)
+        free(Nr);
+    if (ikereq)
+        fclose(ikereq);
+}
+
+void
+ikev2(char *reqfn)
+{
+    char buf[4096]; /* holds one line from the input REQUEST file.
+                         * needs to be large enough to hold the longest
+                         * line "g^xy = <2048 hex digits>\n".
+                         */
+    unsigned char *gir = NULL;
+    unsigned char *gir_new = NULL;
+    int gir_len;
+    unsigned char *Ni = NULL;
+    int Ni_len;
+    unsigned char *Nr = NULL;
+    int Nr_len;
+    unsigned char *SPIi = NULL;
+    int SPIi_len = 8;
+    unsigned char *SPIr = NULL;
+    int SPIr_len = 8;
+    unsigned char *DKM = NULL;
+    int DKM_len;
+    unsigned char *DKM_child = NULL;
+    int DKM_child_len;
+    unsigned char *seed_data = NULL;
+    int seed_data_len = 0;
+    unsigned int i, j;
+    FILE *ikereq = NULL; /* input stream from the REQUEST file */
+    FILE *ikeresp;       /* output stream to the RESPONSE file */
+
+    CK_SLOT_ID slotList[10];
+    CK_SLOT_ID slotID;
+    CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]);
+    CK_ULONG count;
+    static const CK_C_INITIALIZE_ARGS pk11args = {
+        NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS,
+        (void *)"flags=readOnly,noCertDB,noModDB", NULL
+    };
+    static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY;
+    static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET;
+    static CK_BBOOL ck_true = CK_TRUE;
+    static CK_ULONG keyLen = 1;
+    CK_ATTRIBUTE gir_template[] = {
+        { CKA_VALUE, NULL, 0 },
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+    };
+    CK_ULONG gir_template_count =
+        sizeof(gir_template) / sizeof(gir_template[0]);
+    CK_ATTRIBUTE gir_new_template[] = {
+        { CKA_VALUE, NULL, 0 },
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+    };
+    CK_ULONG gir_new_template_count =
+        sizeof(gir_new_template) / sizeof(gir_new_template[0]);
+    CK_ATTRIBUTE derive_template[] = {
+        { CKA_CLASS, &ck_secret, sizeof(ck_secret) },
+        { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) },
+        { CKA_DERIVE, &ck_true, sizeof(ck_true) },
+        { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
+    };
+    CK_ULONG derive_template_count =
+        sizeof(derive_template) / sizeof(derive_template[0]);
+    CK_ATTRIBUTE skeyseed_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE dkm_template =
+        { CKA_VALUE, NULL, 0 };
+    CK_ATTRIBUTE dkm_child_template =
+        { CKA_VALUE, NULL, 0 };
+    unsigned char skeyseed_secret[HASH_LENGTH_MAX];
+
+    CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 };
+    CK_MECHANISM ike2_mech = { CKM_NSS_IKE_PRF_PLUS_DERIVE, NULL, 0 };
+    CK_MECHANISM subset_mech = { CKM_EXTRACT_KEY_FROM_KEY, NULL, 0 };
+    CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf;
+    CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ike2_prf;
+    CK_EXTRACT_PARAMS subset_params;
+    CK_RV crv;
+
+    /* set up PKCS #11 parameters */
+    ike_mech.pParameter = &ike_prf;
+    ike_mech.ulParameterLen = sizeof(ike_prf);
+    ike2_mech.pParameter = &ike2_prf;
+    ike2_mech.ulParameterLen = sizeof(ike2_prf);
+    subset_mech.pParameter = &subset_params;
+    subset_mech.ulParameterLen = sizeof(subset_params);
+    subset_params = 0;
+    skeyseed_template.pValue = skeyseed_secret;
+    skeyseed_template.ulValueLen = HASH_LENGTH_MAX;
+
+    crv = NSC_Initialize((CK_VOID_PTR)&pk11args);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    count = slotListCount;
+    crv = NSC_GetSlotList(PR_TRUE, slotList, &count);
+    if (crv != CKR_OK) {
+        fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv);
+        goto loser;
+    }
+    if ((count > slotListCount) || count < 1) {
+        fprintf(stderr,
+                "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n",
+                (int)count, (int)slotListCount);
+        goto loser;
+    }
+    slotID = slotList[0];
+    ikereq = fopen(reqfn, "r");
+    ikeresp = stdout;
+    while (fgets(buf, sizeof buf, ikereq) != NULL) {
+        /* a comment or blank line */
+        if (buf[0] == '#' || buf[0] == '\n') {
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* [.....] */
+        if (buf[0] == '[') {
+            if (strncmp(buf, "[SHA-1]", 7) == 0) {
+                ike_prf.prfMechanism = CKM_SHA_1_HMAC;
+                ike2_prf.prfMechanism = CKM_SHA_1_HMAC;
+            }
+            if (strncmp(buf, "[SHA-224]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA224_HMAC;
+                ike2_prf.prfMechanism = CKM_SHA224_HMAC;
+            }
+            if (strncmp(buf, "[SHA-256]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA256_HMAC;
+                ike2_prf.prfMechanism = CKM_SHA256_HMAC;
+            }
+            if (strncmp(buf, "[SHA-384]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA384_HMAC;
+                ike2_prf.prfMechanism = CKM_SHA384_HMAC;
+            }
+            if (strncmp(buf, "[SHA-512]", 9) == 0) {
+                ike_prf.prfMechanism = CKM_SHA512_HMAC;
+                ike2_prf.prfMechanism = CKM_SHA512_HMAC;
+            }
+            if (strncmp(buf, "[AES-XCBC", 9) == 0) {
+                ike_prf.prfMechanism = CKM_AES_XCBC_MAC;
+                ike2_prf.prfMechanism = CKM_AES_XCBC_MAC;
+            }
+            if (strncmp(buf, "[g^ir", 5) == 0) {
+                if (sscanf(buf, "[g^ir length = %d]",
+                           &gir_len) != 1) {
+                    goto loser;
+                }
+                gir_len = gir_len / 8;
+                if (gir)
+                    free(gir);
+                if (gir_new)
+                    free(gir_new);
+                gir = malloc(gir_len);
+                gir_new = malloc(gir_len);
+                gir_template[0].pValue = gir;
+                gir_template[0].ulValueLen = gir_len;
+                gir_new_template[0].pValue = gir_new;
+                gir_new_template[0].ulValueLen = gir_len;
+            }
+            if (strncmp(buf, "[Ni", 3) == 0) {
+                if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) {
+                    goto loser;
+                }
+                Ni_len = Ni_len / 8;
+            }
+            if (strncmp(buf, "[Nr", 3) == 0) {
+                if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) {
+                    goto loser;
+                }
+                Nr_len = Nr_len / 8;
+            }
+            if (strncmp(buf, "[DKM", 4) == 0) {
+                if (sscanf(buf, "[DKM length = %d]",
+                           &DKM_len) != 1) {
+                    goto loser;
+                }
+                DKM_len = DKM_len / 8;
+                if (DKM)
+                    free(DKM);
+                DKM = malloc(DKM_len);
+                dkm_template.pValue = DKM;
+                dkm_template.ulValueLen = DKM_len;
+            }
+            if (strncmp(buf, "[Child SA DKM", 13) == 0) {
+                if (sscanf(buf, "[Child SA DKM length = %d]",
+                           &DKM_child_len) != 1) {
+                    goto loser;
+                }
+                DKM_child_len = DKM_child_len / 8;
+                if (DKM_child)
+                    free(DKM_child);
+                DKM_child = malloc(DKM_child_len);
+                dkm_child_template.pValue = DKM_child;
+                dkm_child_template.ulValueLen = DKM_child_len;
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* "COUNT = x" begins a new data set */
+        if (strncmp(buf, "COUNT", 5) == 0) {
+            /* zeroize the variables for the test with this data set */
+            int new_seed_len = Ni_len + Nr_len + SPIi_len + SPIr_len;
+            if (seed_data_len != new_seed_len) {
+                if (seed_data)
+                    free(seed_data);
+                seed_data_len = new_seed_len;
+                seed_data = malloc(seed_data_len);
+                Ni = seed_data;
+                Nr = &seed_data[Ni_len];
+                SPIi = &seed_data[Ni_len + Nr_len];
+                SPIr = &seed_data[new_seed_len - SPIr_len];
+                ike_prf.pNi = Ni;
+                ike_prf.ulNiLen = Ni_len;
+                ike_prf.pNr = Nr;
+                ike_prf.ulNrLen = Nr_len;
+                ike2_prf.pSeedData = seed_data;
+            }
+            memset(gir, 0, gir_len);
+            memset(gir_new, 0, gir_len);
+            memset(seed_data, 0, seed_data_len);
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Ni = ... */
+        if (strncmp(buf, "Ni", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Ni_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Ni[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* Nr = ... */
+        if (strncmp(buf, "Nr", 2) == 0) {
+            i = 2;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < Nr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &Nr[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* g^ir (new) = ... */
+        if (strncmp(buf, "g^ir (new)", 10) == 0) {
+            i = 10;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < gir_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &gir_new[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* g^ir = ... */
+        if (strncmp(buf, "g^ir", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < gir_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &gir[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* SPIi = ... */
+        if (strncmp(buf, "SPIi", 4) == 0) {
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < SPIi_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &SPIi[j]);
+            }
+            fputs(buf, ikeresp);
+            continue;
+        }
+        /* SPIr = ... */
+        if (strncmp(buf, "SPIr", 4) == 0) {
+            CK_SESSION_HANDLE session;
+            CK_OBJECT_HANDLE gir_handle;
+            CK_OBJECT_HANDLE gir_new_handle;
+            CK_OBJECT_HANDLE skeyseed_handle;
+            CK_OBJECT_HANDLE sk_d_handle;
+            CK_OBJECT_HANDLE skeyseed_new_handle;
+            CK_OBJECT_HANDLE dkm_handle;
+            CK_OBJECT_HANDLE dkm_child_handle;
+            i = 4;
+            while (isspace(buf[i]) || buf[i] == '=') {
+                i++;
+            }
+            for (j = 0; j < SPIr_len; i += 2, j++) {
+                hex_to_byteval(&buf[i], &SPIr[j]);
+            }
+            fputs(buf, ikeresp);
+            crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_CreateObject(session, gir_template,
+                                   gir_template_count, &gir_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject (g^ir) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_CreateObject(session, gir_new_template,
+                                   gir_new_template_count, &gir_new_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_CreateObject (g^ir new) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            /* get the SKEYSEED key */
+            ike_prf.bDataAsKey = CK_TRUE;
+            ike_prf.bRekey = CK_FALSE;
+            ike_prf.hNewKey = CK_INVALID_HANDLE;
+            crv = NSC_DeriveKey(session, &ike_mech, gir_handle,
+                                derive_template, derive_template_count - 1,
+                                &skeyseed_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            skeyseed_template.ulValueLen = HASH_LENGTH_MAX;
+            crv = NSC_GetAttributeValue(session, skeyseed_handle,
+                                        &skeyseed_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYSEED = ", ikeresp);
+            to_hex_str(buf, skeyseed_secret, skeyseed_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            /* get DKM */
+            keyLen = DKM_len;
+            ike2_prf.bHasSeedKey = CK_FALSE;
+            ike2_prf.hSeedKey = CK_INVALID_HANDLE;
+            ike2_prf.ulSeedDataLen = seed_data_len;
+            crv = NSC_DeriveKey(session, &ike2_mech, skeyseed_handle,
+                                derive_template, derive_template_count,
+                                &dkm_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(DKM) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_GetAttributeValue(session, dkm_handle,
+                                        &dkm_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(DKM) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("DKM = ", ikeresp);
+            to_hex_str(buf, DKM, DKM_len);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            /* get the sk_d from the DKM */
+            keyLen = skeyseed_template.ulValueLen;
+            crv = NSC_DeriveKey(session, &subset_mech, dkm_handle,
+                                derive_template, derive_template_count,
+                                &sk_d_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(sk_d) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+
+            /* get DKM child */
+            keyLen = DKM_child_len;
+            ike2_prf.bHasSeedKey = CK_FALSE;
+            ike2_prf.hSeedKey = CK_INVALID_HANDLE;
+            ike2_prf.ulSeedDataLen = Ni_len + Nr_len;
+            crv = NSC_DeriveKey(session, &ike2_mech, sk_d_handle,
+                                derive_template, derive_template_count,
+                                &dkm_child_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(DKM Child SA) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_GetAttributeValue(session, dkm_child_handle,
+                                        &dkm_child_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(DKM Child SA) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("DKM(Child SA) = ", ikeresp);
+            to_hex_str(buf, DKM_child, DKM_child_len);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            /* get DKM child D-H*/
+            keyLen = DKM_child_len;
+            ike2_prf.bHasSeedKey = CK_TRUE;
+            ike2_prf.hSeedKey = gir_new_handle;
+            ike2_prf.ulSeedDataLen = Ni_len + Nr_len;
+            crv = NSC_DeriveKey(session, &ike2_mech, sk_d_handle,
+                                derive_template, derive_template_count,
+                                &dkm_child_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(DKM Child SA D-H) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            crv = NSC_GetAttributeValue(session, dkm_child_handle,
+                                        &dkm_child_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(DKM Child SA D-H) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("DKM(Child SA D-H) = ", ikeresp);
+            to_hex_str(buf, DKM_child, DKM_child_len);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            /* get SKEYSEED(rekey) */
+            ike_prf.bDataAsKey = CK_FALSE;
+            ike_prf.bRekey = CK_TRUE;
+            ike_prf.hNewKey = gir_new_handle;
+            crv = NSC_DeriveKey(session, &ike_mech, sk_d_handle,
+                                derive_template, derive_template_count - 1,
+                                &skeyseed_new_handle);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_DeriveKey(skeyid rekey) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            skeyseed_template.ulValueLen = HASH_LENGTH_MAX;
+            crv = NSC_GetAttributeValue(session, skeyseed_new_handle,
+                                        &skeyseed_template, 1);
+            if (crv != CKR_OK) {
+                fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n",
+                        (unsigned int)crv);
+                goto loser;
+            }
+            fputs("SKEYSEED(rekey) = ", ikeresp);
+            to_hex_str(buf, skeyseed_secret, skeyseed_template.ulValueLen);
+            fputs(buf, ikeresp);
+            fputc('\n', ikeresp);
+
+            crv = NSC_CloseSession(session);
+            continue;
+        }
+    }
+loser:
+    NSC_Finalize(NULL);
+    if (gir)
+        free(gir);
+    if (gir_new)
+        free(gir_new);
+    if (seed_data)
+        free(seed_data);
+    if (DKM)
+        free(DKM);
+    if (DKM_child)
+        free(DKM_child);
+    if (ikereq)
+        fclose(ikereq);
+}
+
 int
 main(int argc, char **argv)
 {
     if (argc < 2)
         exit(-1);
 
     RNG_RNGInit();
     SECOID_Init();
@@ -7066,11 +8369,19 @@ main(int argc, char **argv)
             rng_mct(argv[3]);
         }
     } else if (strcmp(argv[1], "drbg") == 0) {
         /* Variable Seed Test */
         drbg(argv[2]);
     } else if (strcmp(argv[1], "ddrbg") == 0) {
         debug = 1;
         drbg(argv[2]);
+    } else if (strcmp(argv[1], "tls") == 0) {
+        tls(argv[2]);
+    } else if (strcmp(argv[1], "ikev1") == 0) {
+        ikev1(argv[2]);
+    } else if (strcmp(argv[1], "ikev1-psk") == 0) {
+        ikev1_psk(argv[2]);
+    } else if (strcmp(argv[1], "ikev2") == 0) {
+        ikev2(argv[2]);
     }
     return 0;
 }
deleted file mode 100755
--- a/security/nss/cmd/fipstest/hmac.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/HMAC
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-                               
-hmac_requests="
-HMAC.req
-"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $hmac_requests; do
-	sh ./validate1.sh ${TESTDIR} $request
-    done
-    exit 0
-fi
-for request in $hmac_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest hmac ${REQDIR}/$request > ${RSPDIR}/$response
-done
-
deleted file mode 100755
--- a/security/nss/cmd/fipstest/kas.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST DSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/KAS
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-
-#
-if [ ${COMMAND} = "verify" ]; then
-#
-# need verify for KAS tests
-
-# verify generated keys
-#    name=KeyPair
-#    echo ">>>>>  $name"
-#    fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify generated pqg values
-#    name=PQGGen
-#    echo ">>>>>  $name"
-#    fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify PQGVer with known answer
-#    sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;'
-# verify signatures
-#    name=SigGen
-#    echo ">>>>>  $name"
-#    fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-# verify SigVer with known answer
-#    sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;'
-    exit 0
-fi
-
-request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response
-
deleted file mode 100644
--- a/security/nss/cmd/fipstest/rng.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST RNG Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/DRBG800-90A
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-drbg_requests="
-Hash_DRBG.req
-"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $drbg_requests; do
-	sh ./validate1.sh ${TESTDIR} $request
-    done
-    exit 0
-fi
-for request in $drbg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest drbg ${REQDIR}/$request > ${RSPDIR}/$response
-done
deleted file mode 100644
--- a/security/nss/cmd/fipstest/rsa.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST RSA Validation System
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/RSA2
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-if [ ${COMMAND} = "verify" ]; then
-#verify the signatures. The fax file does not have any known answers, so
-#use our own verify function.
-    name=SigGen15_186-3
-    echo ">>>>>  $name"
-    fipstest rsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F
-#    fipstest rsa sigver ${REQDIR}/SigVer15_186-3.req | grep ^Result.=.F
-#The Fax file has the private exponent and the salt value, remove it
-#also remove the false reason
-    sh ./validate1.sh ${TESTDIR} SigVer15_186-3.req ' ' '-e /^SaltVal/d -e/^d.=/d -e /^p.=/d -e /^q.=/d -e /^EM.with/d -e /^Result.=.F/s;.(.*);;'
-#
-# currently don't have a way to verify the RSA keygen
-#
-    exit 0
-fi
-
-request=SigGen15_186-3.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa siggen ${REQDIR}/$request > ${RSPDIR}/$response
-
-request=SigVer15_186-3.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa sigver ${REQDIR}/$request > ${RSPDIR}/$response
-
-#request=KeyGen_186-3.req
-request=KeyGen_RandomProbablyPrime3_3.req
-response=`echo $request | sed -e "s/req/rsp/"`
-echo $request $response
-fipstest rsa keypair ${REQDIR}/$request > ${RSPDIR}/$response
deleted file mode 100644
--- a/security/nss/cmd/fipstest/runtest.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-TESTDIR=${1-.}
-COMMAND=${2-run}
-TESTS="aes aesgcm dsa ecdsa hmac kas tls rng rsa sha tdea"
-for i in $TESTS
-do
-    echo "********************Running $i tests"
-    sh ./${i}.sh ${TESTDIR} ${COMMAND}
-done
deleted file mode 100644
--- a/security/nss/cmd/fipstest/sha.sh
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST SHA Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/SHA
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-                               
-sha_ShortMsg_requests="
-SHA1ShortMsg.req
-SHA224ShortMsg.req
-SHA256ShortMsg.req
-SHA384ShortMsg.req
-SHA512ShortMsg.req
-"
-
-sha_LongMsg_requests="
-SHA1LongMsg.req
-SHA224LongMsg.req
-SHA256LongMsg.req
-SHA384LongMsg.req
-SHA512LongMsg.req
-"
-
-sha_Monte_requests="
-SHA1Monte.req
-SHA224Monte.req
-SHA256Monte.req
-SHA384Monte.req
-SHA512Monte.req
-"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $sha_ShortMsg_requests $sha_LongMsg_requests $sha_Monte_requests; do
-	sh ./validate1.sh ${TESTDIR} $request
-    done
-    exit 0
-fi
-
-for request in $sha_ShortMsg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $sha_LongMsg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $sha_Monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response
-done
-
deleted file mode 100644
--- a/security/nss/cmd/fipstest/tdea.sh
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST tdea Algorithm Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/TDES
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-#CBC_Known_Answer_tests
-#Initial Permutation KAT  
-#Permutation Operation KAT 
-#Subsitution Table KAT    
-#Variable Key KAT         
-#Variable PlainText KAT   
-cbc_kat_requests="
-TCBCinvperm.req   
-TCBCpermop.req    
-TCBCsubtab.req    
-TCBCvarkey.req    
-TCBCvartext.req   
-"
-
-#CBC Monte Carlo KATs
-cbc_monte_requests="
-TCBCMonte1.req
-TCBCMonte2.req
-TCBCMonte3.req
-"
-#Multi-block Message KATs
-cbc_mmt_requests="
-TCBCMMT1.req
-TCBCMMT2.req
-TCBCMMT3.req
-"
-
-ecb_kat_requests="
-TECBinvperm.req   
-TECBpermop.req    
-TECBsubtab.req    
-TECBvarkey.req    
-TECBvartext.req   
-"
-
-ecb_monte_requests="
-TECBMonte1.req
-TECBMonte2.req
-TECBMonte3.req
-"
-
-ecb_mmt_requests="
-TECBMMT1.req
-TECBMMT2.req
-TECBMMT3.req
-"
-
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $cbc_kat_requests $cbc_monte_requests $cbc_mmt_requests $ecb_kat_requests $ecb_monte_requests $ecb_mmt_requests
-    do
-	sh ./validate1.sh ${TESTDIR} $request "-e /^NumKeys/d"
-    done
-    exit 0
-fi
-
-for request in $cbc_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea kat cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $cbc_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $cbc_monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mct cbc ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_kat_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea kat ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_mmt_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
-for request in $ecb_monte_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tdea mct ecb ${REQDIR}/$request > ${RSPDIR}/$response
-done
deleted file mode 100644
--- a/security/nss/cmd/fipstest/tls.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# A Bourne shell script for running the NIST RNG Validation Suite
-#
-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment
-# variables appropriately so that the fipstest command and the NSPR and NSS
-# shared libraries/DLLs are on the search path.  Then run this script in the
-# directory where the REQUEST (.req) files reside.  The script generates the
-# RESPONSE (.rsp) files in the same directory.
-BASEDIR=${1-.}
-TESTDIR=${BASEDIR}/KDF135
-COMMAND=${2-run}
-REQDIR=${TESTDIR}/req
-RSPDIR=${TESTDIR}/resp
-
-drbg_requests="
-tls.req
-"
-
-if [ ${COMMAND} = "verify" ]; then
-    for request in $drbg_requests; do
-	sh ./validate1.sh ${TESTDIR} $request
-    done
-    exit 0
-fi
-for request in $drbg_requests; do
-    response=`echo $request | sed -e "s/req/rsp/"`
-    echo $request $response
-    fipstest tls ${REQDIR}/$request > ${RSPDIR}/$response
-done
deleted file mode 100644
--- a/security/nss/cmd/fipstest/validate.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-sh ./runtest.sh ${1-.} verify
deleted file mode 100644
--- a/security/nss/cmd/fipstest/validate1.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/sh
-# 
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# Validate1.sh is a helper shell script that each of the base test shell 
-# scripts call to help validate that the generated response (response) 
-# matches the known answer response (fax). Sometimes (depending on the 
-# individual tests) there are extraneous output in either or both response 
-# and fax files. These allow the caller to pass in additional sed commands 
-# to clear out those extraneous outputs before we compare the two files.
-# The sed line always clears out Windows line endings, replaces tabs with 
-# spaces, and removed comments.
-#
-TESTDIR=${1-.}
-request=${2}
-extraneous_response=${3}
-extraneous_fax=${4}
-name=`basename $request .req`
-echo ">>>>>  $name"
-sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
-# if we didn't generate any output, flag that as an error 
-size=`sum /tmp/y1 | awk '{ print $NF }'`
-if [ $size -eq 0 ]; then
-   echo "${TESTDIR}/resp/${name}.rsp: empty"
-   exit 1;
-fi
-sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2
-diff -i -w -B /tmp/y1 /tmp/y2
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -423,16 +423,19 @@ of the attribute codes:
 <para><command>R</command> (as an email recipient)</para>
 	</listitem>
 	<listitem>
 <para><command>O</command> (as an OCSP status responder)</para>
 	</listitem>
 	<listitem>
 <para><command>J</command> (as an object signer)</para>
 	</listitem>
+	<listitem>
+<para><command>I</command> (as an IPSEC user)</para>
+	</listitem>
 	</itemizedlist></listitem>
       </varlistentry>
 
       <varlistentry>
         <term>-v valid-months</term>
         <listitem><para>Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the <option>-w</option> option. If this argument is not used, the default validity period is three months. </para></listitem>
       </varlistentry>
 
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -3,16 +3,17 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 CORE_DEPTH = ../..
 DEPTH      = ../..
 MODULE = nss
 
 CPPSRCS = \
       pk11_aeskeywrap_unittest.cc \
+      pk11_aes_gcm_unittest.cc \
       pk11_chacha20poly1305_unittest.cc \
       pk11_curve25519_unittest.cc \
       pk11_ecdsa_unittest.cc \
       pk11_encrypt_derive_unittest.cc \
       pk11_export_unittest.cc \
       pk11_import_unittest.cc \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
--- a/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -35,16 +35,19 @@ class Pkcs11Curve25519Test
     ScopedSECKEYPrivateKey privKey(key);
     ASSERT_TRUE(privKey);
 
     SECItem spkiItem = {siBuffer, toUcharPtr(spki),
                         static_cast<unsigned int>(spki_len)};
 
     ScopedCERTSubjectPublicKeyInfo certSpki(
         SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+    if (!expect_success && !certSpki) {
+      return;
+    }
     ASSERT_TRUE(certSpki);
 
     ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
     ASSERT_TRUE(pubKey);
 
     ScopedPK11SymKey symKey(PK11_PubDeriveWithKDF(
         privKey.get(), pubKey.get(), false, nullptr, nullptr, CKM_ECDH1_DERIVE,
         CKM_SHA512_HMAC, CKA_DERIVE, 0, CKD_NULL, nullptr, nullptr));
--- a/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
@@ -43,18 +43,25 @@ class Pk11KeyImportTestBase : public ::t
   }
 
   void Test() {
     // Generate a key and export it.
     KeyType key_type;
     ScopedSECKEYEncryptedPrivateKeyInfo key_info;
     ScopedSECItem public_value;
     GenerateAndExport(&key_type, &key_info, &public_value);
+
+    ASSERT_NE(nullptr, public_value);
+    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
+    // test
+    // CKM_DH_PKCS_KEY_PAIR_GEN beyond generate and verify
+    if (key_type == dhKey) {
+      return;
+    }
     ASSERT_NE(nullptr, key_info);
-    ASSERT_NE(nullptr, public_value);
 
     // Now import the encrypted key.
     static const uint8_t nick[] = "nick";
     SECItem nickname = {siBuffer, toUcharPtr(nick), sizeof(nick)};
     SECKEYPrivateKey* priv_tmp;
     SECStatus rv = PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(
         slot_.get(), key_info.get(), password_.get(), &nickname,
         public_value.get(), PR_TRUE, PR_TRUE, key_type, 0, &priv_tmp, NULL);
@@ -73,27 +80,51 @@ class Pk11KeyImportTestBase : public ::t
     virtual void* get() = 0;
   };
 
   virtual std::unique_ptr<ParamHolder> MakeParams() = 0;
 
   CK_MECHANISM_TYPE mech_;
 
  private:
+  SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+    SECItem null = {siBuffer, NULL, 0};
+    switch (SECKEY_GetPublicKeyType(pub_key.get())) {
+      case rsaKey:
+      case rsaPssKey:
+      case rsaOaepKey:
+        return pub_key->u.rsa.modulus;
+      case keaKey:
+        return pub_key->u.kea.publicValue;
+      case dsaKey:
+        return pub_key->u.dsa.publicValue;
+      case dhKey:
+        return pub_key->u.dh.publicValue;
+      case ecKey:
+        return pub_key->u.ec.publicValue;
+      case fortezzaKey: /* depricated */
+      case nullKey:
+        /* didn't use default here so we can catch new key types at compile time
+         */
+        break;
+    }
+    return null;
+  }
   void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
                          const SECItem* expected_public) {
     // Verify the public key exists.
     StackSECItem priv_id;
+    KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
     SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
                                          CKA_ID, &priv_id);
     ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
                               << PORT_ErrorToName(PORT_GetError());
 
     CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
-    switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
+    switch (type) {
       case rsaKey:
         value_type = CKA_MODULUS;
         break;
 
       case dhKey:
       case dsaKey:
         value_type = CKA_VALUE;
         break;
@@ -101,16 +132,18 @@ class Pk11KeyImportTestBase : public ::t
       case ecKey:
         value_type = CKA_EC_POINT;
         break;
 
       default:
         FAIL() << "unknown key type";
     }
 
+    // Scan public key objects until we find one with the same CKA_ID as
+    // priv_key
     std::unique_ptr<PK11GenericObject, PK11GenericObjectsDeleter> objs(
         PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
     ASSERT_NE(nullptr, objs);
     for (PK11GenericObject* obj = objs.get(); obj != nullptr;
          obj = PK11_GetNextGenericObject(obj)) {
       StackSECItem pub_id;
       rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_ID, &pub_id);
       if (rv != SECSuccess) {
@@ -123,30 +156,54 @@ class Pk11KeyImportTestBase : public ::t
       }
 
       StackSECItem token;
       rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_TOKEN, &token);
       ASSERT_EQ(SECSuccess, rv);
       ASSERT_EQ(1U, token.len);
       ASSERT_NE(0, token.data[0]);
 
-      StackSECItem value;
-      rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
+      StackSECItem raw_value;
+      SECItem decoded_value;
+      rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
       ASSERT_EQ(SECSuccess, rv);
+      SECItem value = raw_value;
 
+      // Decode the EC_POINT and check the output against expected.
       // CKA_EC_POINT isn't stable, see Bug 1520649.
+      ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+      ASSERT_TRUE(arena);
       if (value_type == CKA_EC_POINT) {
-        continue;
+        // If this fails due to the noted inconsistency, we may need to
+        // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
+        rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
+                                    SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                    &raw_value);
+        ASSERT_EQ(SECSuccess, rv);
+        value = decoded_value;
       }
-
       ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
           << "expected: "
           << DataBuffer(expected_public->data, expected_public->len)
           << std::endl
           << "actual: " << DataBuffer(value.data, value.len) << std::endl;
+
+      // Finally, convert the private to public and ensure it matches.
+      ScopedSECKEYPublicKey pub_key(SECKEY_ConvertToPublicKey(priv_key.get()));
+      ASSERT_TRUE(pub_key);
+      SECItem converted_public = GetPublicComponent(pub_key);
+      ASSERT_TRUE(converted_public.len != 0);
+
+      ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
+          << "expected: "
+          << DataBuffer(expected_public->data, expected_public->len)
+          << std::endl
+          << "actual: "
+          << DataBuffer(converted_public.data, converted_public.len)
+          << std::endl;
     }
   }
 
   void GenerateAndExport(KeyType* key_type,
                          ScopedSECKEYEncryptedPrivateKeyInfo* key_info,
                          ScopedSECItem* public_value) {
     auto params = MakeParams();
     ASSERT_NE(nullptr, params);
@@ -155,23 +212,16 @@ class Pk11KeyImportTestBase : public ::t
     ScopedSECKEYPrivateKey priv_key(
         PK11_GenerateKeyPair(slot_.get(), mech_, params->get(), &pub_tmp,
                              PR_FALSE, PR_TRUE, nullptr));
     ASSERT_NE(nullptr, priv_key) << "PK11_GenerateKeyPair failed: "
                                  << PORT_ErrorToName(PORT_GetError());
     ScopedSECKEYPublicKey pub_key(pub_tmp);
     ASSERT_NE(nullptr, pub_key);
 
-    // Wrap and export the key.
-    ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
-        slot_.get(), SEC_OID_AES_256_CBC, password_.get(), priv_key.get(), 1,
-        nullptr));
-    ASSERT_NE(nullptr, epki) << "PK11_ExportEncryptedPrivKeyInfo failed: "
-                             << PORT_ErrorToName(PORT_GetError());
-
     // Save the public value, which we will need on import */
     SECItem* pub_val;
     KeyType t = SECKEY_GetPublicKeyType(pub_key.get());
     switch (t) {
       case rsaKey:
         pub_val = &pub_key->u.rsa.modulus;
         break;
       case dhKey:
@@ -185,18 +235,32 @@ class Pk11KeyImportTestBase : public ::t
         break;
       default:
         FAIL() << "Unknown key type";
     }
 
     CheckForPublicKey(priv_key, pub_val);
 
     *key_type = t;
+    public_value->reset(SECITEM_DupItem(pub_val));
+
+    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
+    // test
+    // CKM_DH_PKCS_KEY_PAIR_GEN beyond generate and verify
+    if (mech_ == CKM_DH_PKCS_KEY_PAIR_GEN) {
+      return;
+    }
+    // Wrap and export the key.
+    ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
+        slot_.get(), SEC_OID_AES_256_CBC, password_.get(), priv_key.get(), 1,
+        nullptr));
+    ASSERT_NE(nullptr, epki) << "PK11_ExportEncryptedPrivKeyInfo failed: "
+                             << PORT_ErrorToName(PORT_GetError());
+
     key_info->swap(epki);
-    public_value->reset(SECITEM_DupItem(pub_val));
   }
 
   ScopedPK11SlotInfo slot_;
   ScopedSECItem password_;
 };
 
 class Pk11KeyImportTest
     : public Pk11KeyImportTestBase,
@@ -276,19 +340,18 @@ class Pk11KeyImportTest
     SECKEYDHParams params_;
   };
 };
 
 TEST_P(Pk11KeyImportTest, GenerateExportImport) { Test(); }
 
 INSTANTIATE_TEST_CASE_P(Pk11KeyImportTest, Pk11KeyImportTest,
                         ::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                          CKM_DSA_KEY_PAIR_GEN));
-// Note: NSS is currently unable export wrapped DH keys, so this doesn't test
-// CKM_DH_PKCS_KEY_PAIR_GEN.
+                                          CKM_DSA_KEY_PAIR_GEN,
+                                          CKM_DH_PKCS_KEY_PAIR_GEN));
 
 class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
                             public ::testing::WithParamInterface<SECOidTag> {
  public:
   Pk11KeyImportTestEC() : Pk11KeyImportTestBase(CKM_EC_KEY_PAIR_GEN) {}
   virtual ~Pk11KeyImportTestEC() = default;
 
  protected:
--- a/security/nss/gtests/ssl_gtest/Makefile
+++ b/security/nss/gtests/ssl_gtest/Makefile
@@ -31,16 +31,22 @@ CFLAGS += -I$(CORE_DEPTH)/lib/ssl
 
 ifdef NSS_DISABLE_TLS_1_3
 NSS_DISABLE_TLS_1_3=1
 # Run parameterized tests only, for which we can easily exclude TLS 1.3
 CPPSRCS := $(filter-out $(shell grep -l '^TEST_F' $(CPPSRCS)), $(CPPSRCS))
 CFLAGS += -DNSS_DISABLE_TLS_1_3
 endif
 
+ifdef NSS_ALLOW_SSLKEYLOGFILE
+SSLKEYLOGFILE_FILES = ssl_keylog_unittest.cc
+else
+SSLKEYLOGFILE_FILES = $(NULL)
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
--- a/security/nss/gtests/ssl_gtest/manifest.mn
+++ b/security/nss/gtests/ssl_gtest/manifest.mn
@@ -26,17 +26,16 @@ CPPSRCS = \
       ssl_ems_unittest.cc \
       ssl_exporter_unittest.cc \
       ssl_extension_unittest.cc \
       ssl_fragment_unittest.cc \
       ssl_fuzz_unittest.cc \
       ssl_gather_unittest.cc \
       ssl_gtest.cc \
       ssl_hrr_unittest.cc \
-      ssl_keylog_unittest.cc \
       ssl_keyupdate_unittest.cc \
       ssl_loopback_unittest.cc \
       ssl_misc_unittest.cc \
       ssl_primitive_unittest.cc \
       ssl_record_unittest.cc \
       ssl_recordsep_unittest.cc \
       ssl_recordsize_unittest.cc \
       ssl_resumption_unittest.cc \
@@ -50,16 +49,17 @@ CPPSRCS = \
       selfencrypt_unittest.cc \
       test_io.cc \
       tls_agent.cc \
       tls_connect.cc \
       tls_hkdf_unittest.cc \
       tls_filter.cc \
       tls_protect.cc \
       tls_esni_unittest.cc \
+      $(SSLKEYLOGFILE_FILES) \
       $(NULL)
 
 INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
             -I$(CORE_DEPTH)/gtests/common \
             -I$(CORE_DEPTH)/cpputil
 
 REQUIRES = nspr nss libdbm gtest cpputil
 
--- a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -696,16 +696,54 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
   EnsureTlsSetup();
 
   MakeTlsFilter<TlsReplaceSignatureSchemeFilter>(client_,
                                                  ssl_sig_rsa_pss_pss_sha256);
 
   ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
 }
 
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
+  static const SSLSignatureScheme kSignatureScheme[] = {
+      ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa");
+  client_->SetSignatureSchemes(kSignatureScheme,
+                               PR_ARRAY_SIZE(kSignatureScheme));
+  server_->SetSignatureSchemes(kSignatureScheme,
+                               PR_ARRAY_SIZE(kSignatureScheme));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
+      client_, kTlsHandshakeCertificateVerify);
+  capture_cert_verify->EnableDecryption();
+
+  Connect();
+  CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
+                 1024);
+}
+
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
+  static const SSLSignatureScheme kSignatureScheme[] = {
+      ssl_sig_rsa_pkcs1_sha256};
+
+  Reset(TlsAgent::kServerRsa, "rsa");
+  client_->SetSignatureSchemes(kSignatureScheme,
+                               PR_ARRAY_SIZE(kSignatureScheme));
+  server_->SetSignatureSchemes(kSignatureScheme,
+                               PR_ARRAY_SIZE(kSignatureScheme));
+  client_->SetupClientAuth();
+  server_->RequestClientAuth(true);
+
+  ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
+  server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+  client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
 class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
  public:
   TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
       : TlsHandshakeFilter(a, {kTlsHandshakeCertificateRequest}) {}
   virtual PacketFilter::Action FilterHandshake(
       const TlsHandshakeFilter::HandshakeHeader& header,
       const DataBuffer& input, DataBuffer* output) {
     TlsParser parser(input);
@@ -928,17 +966,17 @@ TEST_P(TlsConnectTls13, InconsistentSign
       server_, ssl_sig_ecdsa_secp256r1_sha256);
   filter->EnableDecryption();
 
   ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
   server_->CheckErrorCode(SSL_ERROR_ILLEGAL_PARAMETER_ALERT);
   client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
 }
 
-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
   server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
                                PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
   server_->RequestClientAuth(false);
   Connect();
 }
 
 class BeforeFinished : public TlsRecordFilter {
  private:
@@ -1390,22 +1428,31 @@ TEST_P(TlsSignatureSchemeConfiguration, 
   server_->SetSignatureSchemes(&signature_scheme_, 1);
   Connect();
   CheckKeys(ssl_kea_ecdh, ssl_grp_ec_curve25519, auth_type_, signature_scheme_);
 }
 
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
     ::testing::Combine(
-        TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
+        TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
         ::testing::Values(TlsAgent::kServerRsaSign),
         ::testing::Values(ssl_auth_rsa_sign),
         ::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
                           ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
                           ssl_sig_rsa_pss_rsae_sha384)));
+// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
+INSTANTIATE_TEST_CASE_P(
+    SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
+    ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+                       TlsConnectTestBase::kTlsV13,
+                       ::testing::Values(TlsAgent::kServerRsaSign),
+                       ::testing::Values(ssl_auth_rsa_sign),
+                       ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
+                                         ssl_sig_rsa_pss_rsae_sha384)));
 // PSS with SHA-512 needs a bigger key to work.
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                        TlsConnectTestBase::kTlsV12Plus,
                        ::testing::Values(TlsAgent::kRsa2048),
                        ::testing::Values(ssl_auth_rsa_sign),
                        ::testing::Values(ssl_sig_rsa_pss_rsae_sha512)));
--- a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -63,22 +63,16 @@ class TlsCipherSuiteTestBase : public Tl
       client_->SetSignatureSchemes(&sig_scheme_, 1);
       server_->SetSignatureSchemes(&sig_scheme_, 1);
     }
   }
 
   virtual void SetupCertificate() {
     if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
       switch (sig_scheme_) {
-        case ssl_sig_rsa_pkcs1_sha256:
-        case ssl_sig_rsa_pkcs1_sha384:
-        case ssl_sig_rsa_pkcs1_sha512:
-          Reset(TlsAgent::kServerRsaSign);
-          auth_type_ = ssl_auth_rsa_sign;
-          break;
         case ssl_sig_rsa_pss_rsae_sha256:
         case ssl_sig_rsa_pss_rsae_sha384:
           Reset(TlsAgent::kServerRsaSign);
           auth_type_ = ssl_auth_rsa_sign;
           break;
         case ssl_sig_rsa_pss_rsae_sha512:
           // You can't fit SHA-512 PSS in a 1024-bit key.
           Reset(TlsAgent::kRsa2048);
@@ -325,16 +319,22 @@ static const auto kDummySignatureSchemes
 static SSLSignatureScheme kSignatureSchemesParamsArr[] = {
     ssl_sig_rsa_pkcs1_sha256,       ssl_sig_rsa_pkcs1_sha384,
     ssl_sig_rsa_pkcs1_sha512,       ssl_sig_ecdsa_secp256r1_sha256,
     ssl_sig_ecdsa_secp384r1_sha384, ssl_sig_rsa_pss_rsae_sha256,
     ssl_sig_rsa_pss_rsae_sha384,    ssl_sig_rsa_pss_rsae_sha512,
     ssl_sig_rsa_pss_pss_sha256,     ssl_sig_rsa_pss_pss_sha384,
     ssl_sig_rsa_pss_pss_sha512};
 
+static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
+    ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
+    ssl_sig_rsa_pss_rsae_sha256,    ssl_sig_rsa_pss_rsae_sha384,
+    ssl_sig_rsa_pss_rsae_sha512,    ssl_sig_rsa_pss_pss_sha256,
+    ssl_sig_rsa_pss_pss_sha384,     ssl_sig_rsa_pss_pss_sha512};
+
 INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
                           kDummySignatureSchemesParams,
                           TLS_RSA_WITH_RC4_128_SHA,
                           TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                           TLS_ECDH_RSA_WITH_RC4_128_SHA,
                           TLS_ECDHE_RSA_WITH_RC4_128_SHA);
 INSTANTIATE_CIPHER_TEST_P(AEAD12, All, V12, kDummyNamedGroupParams,
@@ -389,17 +389,17 @@ INSTANTIATE_CIPHER_TEST_P(
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256);
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
                           ::testing::ValuesIn(kFasterDHEGroups),
-                          ::testing::ValuesIn(kSignatureSchemesParamsArr),
+                          ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
                           TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
                           TLS_AES_256_GCM_SHA384);
 INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
                           ::testing::ValuesIn(kAllDHEGroups),
                           ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384),
                           TLS_AES_256_GCM_SHA384);
 #endif
 
--- a/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -431,24 +431,24 @@ TEST_P(TlsExtensionTest12Plus, Signature
 TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsOddLength) {
   const uint8_t val[] = {0x00, 0x01, 0x04};
   DataBuffer extension(val, sizeof(val));
   ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
       client_, ssl_signature_algorithms_xtn, extension));
 }
 
 TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
-  // 31 unknown signature algorithms followed by sha-256, rsa
+  // 31 unknown signature algorithms followed by sha-256, rsa-pss
   const uint8_t val[] = {
       0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
       0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
   DataBuffer extension(val, sizeof(val));
   MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
                                       extension);
   client_->ExpectSendAlert(kTlsAlertBadRecordMac);
   server_->ExpectSendAlert(kTlsAlertBadRecordMac);
   ConnectExpectFail();
   client_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
   server_->CheckErrorCode(SSL_ERROR_BAD_MAC_READ);
--- a/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
+++ b/security/nss/gtests/ssl_gtest/ssl_gtest.gyp
@@ -27,17 +27,16 @@
         'ssl_ems_unittest.cc',
         'ssl_exporter_unittest.cc',
         'ssl_extension_unittest.cc',
         'ssl_fuzz_unittest.cc',
         'ssl_fragment_unittest.cc',
         'ssl_gather_unittest.cc',
         'ssl_gtest.cc',
         'ssl_hrr_unittest.cc',
-        'ssl_keylog_unittest.cc',
         'ssl_keyupdate_unittest.cc',
         'ssl_loopback_unittest.cc',
         'ssl_misc_unittest.cc',
         'ssl_primitive_unittest.cc',
         'ssl_record_unittest.cc',
         'ssl_recordsep_unittest.cc',
         'ssl_recordsize_unittest.cc',
         'ssl_resumption_unittest.cc',
@@ -88,16 +87,24 @@
             '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
           ],
         }],
         [ 'disable_dbm==0', {
           'dependencies': [
             '<(DEPTH)/lib/dbm/src/src.gyp:dbm',
           ],
         }],
+        [ 'enable_sslkeylogfile==1 and sanitizer_flags==0', {
+          'sources': [
+            'ssl_keylog_unittest.cc',
+          ],
+          'defines': [
+            'NSS_ALLOW_SSLKEYLOGFILE',
+          ],
+        }],
       ],
     }
   ],
   'target_defaults': {
     'include_dirs': [
       '../../lib/ssl'
     ],
     'defines': [
--- a/security/nss/gtests/ssl_gtest/ssl_keylog_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_keylog_unittest.cc
@@ -1,16 +1,14 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifdef NSS_ALLOW_SSLKEYLOGFILE
-
 #include <cstdlib>
 #include <fstream>
 #include <sstream>
 
 #include "gtest_utils.h"
 #include "tls_connect.h"
 
 namespace nss_test {
@@ -109,10 +107,8 @@ INSTANTIATE_TEST_CASE_P(
 #ifndef NSS_DISABLE_TLS_1_3
 INSTANTIATE_TEST_CASE_P(
     KeyLogFileTLS13, KeyLogFileTest,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream,
                        TlsConnectTestBase::kTlsV13));
 #endif
 
 }  // namespace nss_test
-
-#endif  // NSS_ALLOW_SSLKEYLOGFILE
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -47,9 +47,11 @@ NSS build tool options:
                      --with-nspr=<include>:<lib> sets include and lib paths
     --system-nspr    attempt to use system nspr
                      shorthand for --with-nspr=/usr/include/nspr:
     --system-sqlite  use system sqlite
     --enable-fips    enable FIPS checks
     --enable-libpkix make libpkix part of the build
     --mozpkix-only   build only static mozpkix and mozpkix-test libraries
                      support for this build option is limited
+    --disable-keylog disable support for logging key data to a file specified
+                     by the SSLKEYLOGFILE environment variable
     -D<gyp-option>   pass an option directly to gyp
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -634,16 +634,21 @@ seckey_ExtractPublicKey(const CERTSubjec
 
                 rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate,
                                             &newParms);
 
                 if (rv == SECSuccess)
                     return pubk;
                 break;
             case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+                /* A basic sanity check on inputs. */
+                if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
+                    PORT_SetError(SEC_ERROR_INPUT_LEN);
+                    break;
+                }
                 pubk->keyType = ecKey;
                 pubk->u.ec.size = 0;
 
                 /* Since PKCS#11 directly takes the DER encoding of EC params
                  * and public value, we don't need any decoding here.
                  */
                 rv = SECITEM_CopyItem(arena, &pubk->u.ec.DEREncodedParams,
                                       &spki->algorithm.parameters);
@@ -1201,23 +1206,56 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
     }
     if (rv == SECSuccess)
         return copyk;
 
     SECKEY_DestroyPublicKey(copyk);
     return NULL;
 }
 
+/*
+ * Use the private key to find a public key handle. The handle will be on
+ * the same slot as the private key.
+ */
+static CK_OBJECT_HANDLE
+seckey_FindPublicKeyHandle(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk)
+{
+    CK_OBJECT_HANDLE keyID;
+
+    /* this helper function is only used below. If we want to make this more
+     * general, we would need to free up any already cached handles if the
+     * slot doesn't match up with the private key slot */
+    PORT_Assert(pubk->pkcs11ID == CK_INVALID_HANDLE);
+
+    /* first look for a matching public key */
+    keyID = PK11_MatchItem(privk->pkcs11Slot, privk->pkcs11ID, CKO_PUBLIC_KEY);
+    if (keyID != CK_INVALID_HANDLE) {
+        return keyID;
+    }
+
+    /* none found, create a temp one, make the pubk the owner */
+    pubk->pkcs11ID = PK11_DerivePubKeyFromPrivKey(privk);
+    if (pubk->pkcs11ID == CK_INVALID_HANDLE) {
+        /* end of the road. Token doesn't have matching public key, nor can
+          * token regenerate a new public key from and existing private key. */
+        return CK_INVALID_HANDLE;
+    }
+    pubk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
+    return pubk->pkcs11ID;
+}
+
 SECKEYPublicKey *
 SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
 {
     SECKEYPublicKey *pubk;
     PLArenaPool *arena;
     CERTCertificate *cert;
     SECStatus rv;
+    CK_OBJECT_HANDLE pubKeyHandle;
+    SECItem decodedPoint;
 
     /*
      * First try to look up the cert.
      */
     cert = PK11_GetCertFromPrivateKey(privk);
     if (cert) {
         pubk = CERT_ExtractPublicKey(cert);
         CERT_DestroyCertificate(cert);
@@ -1238,50 +1276,103 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
     }
     pubk->keyType = privk->keyType;
     pubk->pkcs11Slot = NULL;
     pubk->pkcs11ID = CK_INVALID_HANDLE;
     pubk->arena = arena;
 
     switch (privk->keyType) {
         case nullKey:
-        case dhKey:
-        case dsaKey:
             /* Nothing to query, if the cert isn't there, we're done -- no way
              * to get the public key */
             break;
+        case dsaKey:
+            pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+            if (pubKeyHandle == CK_INVALID_HANDLE)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_BASE, arena, &pubk->u.dsa.params.base);
+            if (rv != SECSuccess)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_PRIME, arena, &pubk->u.dsa.params.prime);
+            if (rv != SECSuccess)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_SUBPRIME, arena, &pubk->u.dsa.params.subPrime);
+            if (rv != SECSuccess)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_VALUE, arena, &pubk->u.dsa.publicValue);
+            if (rv != SECSuccess)
+                break;
+            return pubk;
+        case dhKey:
+            pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+            if (pubKeyHandle == CK_INVALID_HANDLE)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_BASE, arena, &pubk->u.dh.base);
+            if (rv != SECSuccess)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_PRIME, arena, &pubk->u.dh.prime);
+            if (rv != SECSuccess)
+                break;
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                    CKA_VALUE, arena, &pubk->u.dh.publicValue);
+            if (rv != SECSuccess)
+                break;
+            return pubk;
         case rsaKey:
             rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
                                     CKA_MODULUS, arena, &pubk->u.rsa.modulus);
             if (rv != SECSuccess)
                 break;
             rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
                                     CKA_PUBLIC_EXPONENT, arena, &pubk->u.rsa.publicExponent);
             if (rv != SECSuccess)
                 break;
             return pubk;
-            break;
         case ecKey:
             rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
                                     CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
             if (rv != SECSuccess) {
                 break;
             }
             rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
                                     CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
             if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
-                break;
+                pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+                if (pubKeyHandle == CK_INVALID_HANDLE)
+                    break;
+                rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+                                        CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+                if (rv != SECSuccess)
+                    break;
+            }
+            /* ec.publicValue should be decoded, PKCS #11 defines CKA_EC_POINT
+             * as encoded, but it's not always. try do decoded it and if it
+             * succeeds store the decoded value */
+            rv = SEC_QuickDERDecodeItem(arena, &decodedPoint,
+                                        SEC_ASN1_GET(SEC_OctetStringTemplate), &pubk->u.ec.publicValue);
+            if (rv == SECSuccess) {
+                /* both values are in the public key arena, so it's safe to
+                 * overwrite  the old value */
+                pubk->u.ec.publicValue = decodedPoint;
             }
             pubk->u.ec.encoding = ECPoint_Undefined;
             return pubk;
         default:
             break;
     }
 
-    PORT_FreeArena(arena, PR_FALSE);
+    /* must use Destroy public key here, because some paths create temporary
+     * PKCS #11 objects which need to be freed */
+    SECKEY_DestroyPublicKey(pubk);
     return NULL;
 }
 
 static CERTSubjectPublicKeyInfo *
 seckey_CreateSubjectPublicKeyInfo_helper(SECKEYPublicKey *pubk)
 {
     CERTSubjectPublicKeyInfo *spki;
     PLArenaPool *arena;
--- a/security/nss/lib/freebl/crypto_primitives.c
+++ b/security/nss/lib/freebl/crypto_primitives.c
@@ -17,17 +17,17 @@
 __inline__ PRUint64
 swap8b(PRUint64 value)
 {
     __asm__("bswapq %0"
             : "+r"(value));
     return (value);
 }
 
-#elif !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64) && !((defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))))
+#elif defined(IS_LITTLE_ENDIAN) && !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64) && !((defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))))
 
 PRUint64
 swap8b(PRUint64 x)
 {
     PRUint64 t1 = x;
     t1 = ((t1 & SHA_MASK8) << 8) | ((t1 >> 8) & SHA_MASK8);
     t1 = ((t1 & SHA_MASK16) << 16) | ((t1 >> 16) & SHA_MASK16);
     return (t1 >> 32) | (t1 << 32);
--- a/security/nss/lib/freebl/dh.c
+++ b/security/nss/lib/freebl/dh.c
@@ -205,17 +205,18 @@ DH_Derive(SECItem *publicValue,
           SECItem *derivedSecret,
           unsigned int outBytes)
 {
     mp_int p, Xa, Yb, ZZ, psub1;
     mp_err err = MP_OKAY;
     unsigned int len = 0;
     unsigned int nb;
     unsigned char *secret = NULL;
-    if (!publicValue || !prime || !privateValue || !derivedSecret) {
+    if (!publicValue || !publicValue->len || !prime || !prime->len ||
+        !privateValue || !privateValue->len || !derivedSecret) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     memset(derivedSecret, 0, sizeof *derivedSecret);
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&Xa) = 0;
     MP_DIGITS(&Yb) = 0;
     MP_DIGITS(&ZZ) = 0;
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -197,18 +197,18 @@ ec_NewKey(ECParams *ecParams, ECPrivateK
     mp_err err = MP_OKAY;
     int len;
 
 #if EC_DEBUG
     printf("ec_NewKey called\n");
 #endif
     MP_DIGITS(&k) = 0;
 
-    if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0) ||
-        !ecParams->name) {
+    if (!ecParams || ecParams->name == ECCurve_noName ||
+        !privKey || !privKeyBytes || privKeyLen <= 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     /* Initialize an arena for the EC key. */
     if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
         return SECFailure;
 
@@ -386,17 +386,17 @@ cleanup:
  */
 SECStatus
 EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
 {
     SECStatus rv = SECFailure;
     int len;
     unsigned char *privKeyBytes = NULL;
 
-    if (!ecParams) {
+    if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     len = ecParams->order.len;
     privKeyBytes = ec_GenerateRandomPrivateKey(ecParams->order.data, len);
     if (privKeyBytes == NULL)
         goto cleanup;
@@ -425,17 +425,18 @@ SECStatus
 EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
 {
     mp_int Px, Py;
     ECGroup *group = NULL;
     SECStatus rv = SECFailure;
     mp_err err = MP_OKAY;
     int len;
 
-    if (!ecParams || !publicValue || !ecParams->name) {
+    if (!ecParams || ecParams->name == ECCurve_noName ||
+        !publicValue || !publicValue->len) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     /* Uses curve specific code for point validation. */
     if (ecParams->fieldID.type == ec_field_plain) {
         const ECMethod *method = ec_get_method_from_name(ecParams->name);
         if (method == NULL || method->validate == NULL) {
@@ -531,18 +532,19 @@ ECDH_Derive(SECItem *publicValue,
     SECItem pointQ = { siBuffer, NULL, 0 };
     mp_int k; /* to hold the private value */
     mp_int cofactor;
     mp_err err = MP_OKAY;
 #if EC_DEBUG
     int i;
 #endif
 
-    if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
-        !ecParams->name) {
+    if (!publicValue || !publicValue->len ||
+        !ecParams || ecParams->name == ECCurve_noName ||
+        !privateValue || !privateValue->len || !derivedSecret) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
     /*
      * Make sure the point is on the requested curve to avoid
      * certain small subgroup attacks.
      */
--- a/security/nss/lib/freebl/ecl/ecp_25519.c
+++ b/security/nss/lib/freebl/ecl/ecp_25519.c
@@ -109,15 +109,18 @@ ec_Curve25519_pt_mul(SECItem *X, SECItem
         px = basePoint;
     } else {
         PORT_Assert(P->len == 32);
         if (P->len != 32) {
             return SECFailure;
         }
         px = P->data;
     }
+    if (k->len != 32) {
+        return SECFailure;
+    }
 
     SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
     if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
         return SECFailure;
     }
     return rv;
 }
--- a/security/nss/lib/freebl/fipsfreebl.c
+++ b/security/nss/lib/freebl/fipsfreebl.c
@@ -10,18 +10,20 @@
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "blapi.h"
 #include "seccomon.h" /* Required for RSA and DSA. */
 #include "secerr.h"
 #include "prtypes.h"
+#include "secitem.h"
+#include "pkcs11t.h"
 
-#include "ec.h" /* Required for ECDSA */
+#include "ec.h" /* Required for EC */
 
 /*
  * different platforms have different ways of calling and initial entry point
  * when the dll/.so is loaded. Most platforms support either a posix pragma
  * or the GCC attribute. Some platforms suppor a pre-defined name, and some
  * platforms have a link line way of invoking this function.
  */
 
@@ -283,61 +285,88 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
 
     /* AES-CBC Known Initialization Vector (128-bits). */
     static const PRUint8 aes_cbc_known_initialization_vector[] =
         { "SecurityytiruceS" };
 
     /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */
     static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" };
 
+    static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" };
+
     /* AES Known Ciphertext (128-bit key). */
     static const PRUint8 aes_ecb128_known_ciphertext[] = {
         0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1,
         0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47
     };
 
     static const PRUint8 aes_cbc128_known_ciphertext[] = {
         0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63,
         0x15, 0x54, 0x14, 0x1d, 0x4e, 0xd8, 0xd5, 0xea
     };
 
+    static const PRUint8 aes_gcm128_known_ciphertext[] = {
+        0x63, 0xf4, 0x95, 0x28, 0xe6, 0x78, 0xee, 0x6e,
+        0x4f, 0xe0, 0xfc, 0x8d, 0xd7, 0xa2, 0xb1, 0xff,
+        0x0c, 0x97, 0x1b, 0x0a, 0xdd, 0x97, 0x75, 0xed,
+        0x8b, 0xde, 0xbf, 0x16, 0x5e, 0x57, 0x6b, 0x4f
+    };
+
     /* AES Known Ciphertext (192-bit key). */
     static const PRUint8 aes_ecb192_known_ciphertext[] = {
         0xa0, 0x18, 0x62, 0xed, 0x88, 0x19, 0xcb, 0x62,
         0x88, 0x1d, 0x4d, 0xfe, 0x84, 0x02, 0x89, 0x0e
     };
 
     static const PRUint8 aes_cbc192_known_ciphertext[] = {
         0x83, 0xf7, 0xa4, 0x76, 0xd1, 0x6f, 0x07, 0xbe,
         0x07, 0xbc, 0x43, 0x2f, 0x6d, 0xad, 0x29, 0xe1
     };
 
+    static const PRUint8 aes_gcm192_known_ciphertext[] = {
+        0xc1, 0x0b, 0x92, 0x1d, 0x68, 0x21, 0xf4, 0x25,
+        0x41, 0x61, 0x20, 0x2d, 0x59, 0x7f, 0x53, 0xde,
+        0x93, 0x39, 0xab, 0x09, 0x76, 0x41, 0x57, 0x2b,
+        0x90, 0x2e, 0x44, 0xbb, 0x52, 0x03, 0xe9, 0x07
+    };
+
     /* AES Known Ciphertext (256-bit key). */
     static const PRUint8 aes_ecb256_known_ciphertext[] = {
         0xdb, 0xa6, 0x52, 0x01, 0x8a, 0x70, 0xae, 0x66,
         0x3a, 0x99, 0xd8, 0x95, 0x7f, 0xfb, 0x01, 0x67
     };
 
     static const PRUint8 aes_cbc256_known_ciphertext[] = {
         0x37, 0xea, 0x07, 0x06, 0x31, 0x1c, 0x59, 0x27,
         0xc5, 0xc5, 0x68, 0x71, 0x6e, 0x34, 0x40, 0x16
     };
 
+    static const PRUint8 aes_gcm256_known_ciphertext[] = {
+        0x5d, 0x9e, 0xd2, 0xa2, 0x74, 0x9c, 0xd9, 0x1c,
+        0xd1, 0xc9, 0xee, 0x5d, 0xb6, 0xf2, 0xc9, 0xb6,
+        0x79, 0x27, 0x53, 0x02, 0xa3, 0xdc, 0x22, 0xce,
+        0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1
+    };
+
     const PRUint8 *aes_ecb_known_ciphertext =
         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext;
 
     const PRUint8 *aes_cbc_known_ciphertext =
         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext : aes_cbc256_known_ciphertext;
 
+    const PRUint8 *aes_gcm_known_ciphertext =
+        (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext : aes_gcm256_known_ciphertext;
+
     /* AES variables. */
-    PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH];
-    PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH];
+    PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2];
+    PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2];
     AESContext *aes_context;
     unsigned int aes_bytes_encrypted;
     unsigned int aes_bytes_decrypted;
+    CK_GCM_PARAMS gcmParams;
     SECStatus aes_status;
 
     /*check if aes_key_size is 128, 192, or 256 bits */
     if ((aes_key_size != FIPS_AES_128_KEY_SIZE) &&
         (aes_key_size != FIPS_AES_192_KEY_SIZE) &&
         (aes_key_size != FIPS_AES_256_KEY_SIZE)) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return (SECFailure);
@@ -450,16 +479,79 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
     if ((aes_status != SECSuccess) ||
         (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) ||
         (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext,
                      FIPS_AES_DECRYPT_LENGTH) != 0)) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return (SECFailure);
     }
 
+    /******************************************************/
+    /* AES-GCM Single-Round Known Answer Encryption Test. */
+    /******************************************************/
+
+    gcmParams.pIv = (PRUint8 *)aes_cbc_known_initialization_vector;
+    gcmParams.ulIvLen = FIPS_AES_BLOCK_SIZE;
+    gcmParams.pAAD = (PRUint8 *)aes_gcm_known_aad;
+    gcmParams.ulAADLen = sizeof(aes_gcm_known_aad);
+    gcmParams.ulTagBits = FIPS_AES_BLOCK_SIZE * 8;
+    aes_context = AES_CreateContext(aes_known_key,
+                                    (PRUint8 *)&gcmParams,
+                                    NSS_AES_GCM, PR_TRUE, aes_key_size,
+                                    FIPS_AES_BLOCK_SIZE);
+
+    if (aes_context == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return (SECFailure);
+    }
+
+    aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext,
+                             &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH * 2,
+                             aes_known_plaintext,
+                             FIPS_AES_DECRYPT_LENGTH);
+
+    AES_DestroyContext(aes_context, PR_TRUE);
+
+    if ((aes_status != SECSuccess) ||
+        (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH * 2) ||
+        (PORT_Memcmp(aes_computed_ciphertext, aes_gcm_known_ciphertext,
+                     FIPS_AES_ENCRYPT_LENGTH * 2) != 0)) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return (SECFailure);
+    }
+
+    /******************************************************/
+    /* AES-GCM Single-Round Known Answer Decryption Test. */
+    /******************************************************/
+
+    aes_context = AES_CreateContext(aes_known_key,
+                                    (PRUint8 *)&gcmParams,
+                                    NSS_AES_GCM, PR_FALSE, aes_key_size,
+                                    FIPS_AES_BLOCK_SIZE);
+
+    if (aes_context == NULL) {
+        PORT_SetError(SEC_ERROR_NO_MEMORY);
+        return (SECFailure);
+    }
+
+    aes_status = AES_Decrypt(aes_context, aes_computed_plaintext,
+                             &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH * 2,
+                             aes_gcm_known_ciphertext,
+                             FIPS_AES_ENCRYPT_LENGTH * 2);
+
+    AES_DestroyContext(aes_context, PR_TRUE);
+
+    if ((aes_status != SECSuccess) ||
+        (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) ||
+        (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext,
+                     FIPS_AES_DECRYPT_LENGTH) != 0)) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return (SECFailure);
+    }
+
     return (SECSuccess);
 }
 
 /* Known Hash Message (512-bits).  Used for all hashes (incl. SHA-N [N>1]). */
 static const PRUint8 known_hash_message[] = {
     "The test message for the MD2, MD5, and SHA-1 hashing algorithms."
 };
 
@@ -1089,17 +1181,17 @@ freebl_fips_ECDSA_Test(ECParams *ecparam
         0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc,
         0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f
     };
 
     static const PRUint8 msg[] = {
         "Firefox and ThunderBird are awesome!"
     };
 
-    unsigned char sha1[SHA1_LENGTH]; /* SHA-1 hash (160 bits) */
+    unsigned char sha256[SHA256_LENGTH]; /* SHA-256 hash (256 bits) */
     unsigned char sig[2 * MAX_ECKEY_LEN];
     SECItem signature, digest;
     ECPrivateKey *ecdsa_private_key = NULL;
     ECPublicKey ecdsa_public_key;
     SECStatus ecdsaStatus = SECSuccess;
 
     /* Generates a new EC key pair. The private key is a supplied
      * random value (in seed) and the public key is the result of
@@ -1131,23 +1223,23 @@ freebl_fips_ECDSA_Test(ECParams *ecparam
     if (ecdsaStatus != SECSuccess) {
         goto loser;
     }
 
     /***************************************************/
     /* ECDSA Single-Round Known Answer Signature Test. */
     /***************************************************/
 
-    ecdsaStatus = SHA1_HashBuf(sha1, msg, sizeof msg);
+    ecdsaStatus = SHA256_HashBuf(sha256, msg, sizeof msg);
     if (ecdsaStatus != SECSuccess) {
         goto loser;
     }
     digest.type = siBuffer;
-    digest.data = sha1;
-    digest.len = SHA1_LENGTH;
+    digest.data = sha256;
+    digest.len = SHA256_LENGTH;
 
     memset(sig, 0, sizeof sig);
     signature.type = siBuffer;
     signature.data = sig;
     signature.len = sizeof sig;
 
     ecdsaStatus = ECDSA_SignDigestWithSeed(ecdsa_private_key, &signature,
                                            &digest, ecdsa_Known_Seed, sizeof ecdsa_Known_Seed);
@@ -1176,20 +1268,93 @@ loser:
     if (ecdsaStatus != SECSuccess) {
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return (SECFailure);
     }
     return (SECSuccess);
 }
 
 static SECStatus
-freebl_fips_ECDSA_PowerUpSelfTest()
+freebl_fips_ECDH_Test(ECParams *ecparams)
 {
 
-    /* ECDSA Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */
+    /* ECDH Known result (reused old CAVS vector)  */
+    static const PRUint8 ecdh_known_pub_key_1[] = {
+        EC_POINT_FORM_UNCOMPRESSED,
+        /* pubX */
+        0x16, 0x81, 0x32, 0x86, 0xc8, 0xe4, 0x3a, 0x1f,
+        0x5d, 0xe3, 0x06, 0x22, 0x8b, 0x99, 0x14, 0x25,
+        0xf7, 0x9c, 0x5b, 0x1e, 0x96, 0x84, 0x85, 0x3b,
+        0x17, 0xfe, 0xf3, 0x1c, 0x0e, 0xed, 0xc4, 0xce,
+        /* pubY */
+        0x7a, 0x44, 0xfe, 0xbd, 0x91, 0x71, 0x7d, 0x73,
+        0xd9, 0x45, 0xea, 0xae, 0x66, 0x78, 0xfa, 0x6e,
+        0x46, 0xcd, 0xfa, 0x95, 0x15, 0x47, 0x62, 0x5d,
+        0xbb, 0x1b, 0x9f, 0xe6, 0x39, 0xfc, 0xfd, 0x47
+    };
+    static const PRUint8 ecdh_known_priv_key_2[] = {
+        0xb4, 0x2a, 0xe3, 0x69, 0x19, 0xec, 0xf0, 0x42,
+        0x6d, 0x45, 0x8c, 0x94, 0x4a, 0x26, 0xa7, 0x5c,
+        0xea, 0x9d, 0xd9, 0x0f, 0x59, 0xe0, 0x1a, 0x9d,
+        0x7c, 0xb7, 0x1c, 0x04, 0x53, 0xb8, 0x98, 0x5a
+    };
+    static const PRUint8 ecdh_known_hash_result[] = {
+        0x16, 0xf3, 0x85, 0xa2, 0x41, 0xf3, 0x7f, 0xc4,
+        0x0b, 0x56, 0x47, 0xee, 0xa7, 0x74, 0xb9, 0xdb,
+        0xe1, 0xfa, 0x22, 0xe9, 0x04, 0xf1, 0xb6, 0x12,
+        0x4b, 0x44, 0x8a, 0xbb, 0xbc, 0x08, 0x2b, 0xa7,
+    };
+
+    SECItem ecdh_priv_2, ecdh_pub_1;
+    SECItem ZZ = { 0, 0, 0 };
+    SECStatus ecdhStatus = SECSuccess;
+    PRUint8 computed_hash_result[HASH_LENGTH_MAX];
+
+    ecdh_priv_2.data = (PRUint8 *)ecdh_known_priv_key_2;
+    ecdh_priv_2.len = sizeof(ecdh_known_priv_key_2);
+    ecdh_pub_1.data = (PRUint8 *)ecdh_known_pub_key_1;
+    ecdh_pub_1.len = sizeof(ecdh_known_pub_key_1);
+
+    /* Generates a new EC key pair. The private key is a supplied
+     * random value (in seed) and the public key is the result of
+     * performing a scalar point multiplication of that value with
+     * the curve's base point.
+     */
+    ecdhStatus = ECDH_Derive(&ecdh_pub_1, ecparams, &ecdh_priv_2, PR_FALSE, &ZZ);
+    if (ecdhStatus != SECSuccess) {
+        goto loser;
+    }
+    ecdhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len);
+    if (ecdhStatus != SECSuccess) {
+        goto loser;
+    }
+
+    if (PORT_Memcmp(computed_hash_result, ecdh_known_hash_result,
+                    sizeof(ecdh_known_hash_result)) != 0) {
+        ecdhStatus = SECFailure;
+        goto loser;
+    }
+
+loser:
+    if (ZZ.data) {
+        SECITEM_FreeItem(&ZZ, PR_FALSE);
+    }
+
+    if (ecdhStatus != SECSuccess) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return (SECFailure);
+    }
+    return (SECSuccess);
+}
+
+static SECStatus
+freebl_fips_EC_PowerUpSelfTest()
+{
+
+    /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */
     static const unsigned char p256_prime[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
     };
     static const unsigned char p256_a[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
@@ -1212,17 +1377,17 @@ freebl_fips_ECDSA_PowerUpSelfTest()
     static const unsigned char p256_order[] = {
         0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
         0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9,
         0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
     };
     static const unsigned char p256_encoding[] = {
         0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
     };
-    static const ECParams ecdsa_known_P256_Params = {
+    static const ECParams ec_known_P256_Params = {
         NULL, ec_params_named,                                               /* arena, type */
                                                                              /* fieldID */
         { 256, ec_field_GFp,                                                 /* size and type */
           { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */
           0,
           0,
           0 },
         /* curve */
@@ -1245,34 +1410,39 @@ freebl_fips_ECDSA_PowerUpSelfTest()
         { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 },
     };
 
     static const PRUint8 ecdsa_known_P256_signature[] = {
         0x07, 0xb1, 0xcb, 0x57, 0x20, 0xa7, 0x10, 0xd6,
         0x9d, 0x37, 0x4b, 0x1c, 0xdc, 0x35, 0x90, 0xff,
         0x1a, 0x2d, 0x98, 0x95, 0x1b, 0x2f, 0xeb, 0x7f,
         0xbb, 0x81, 0xca, 0xc0, 0x69, 0x75, 0xea, 0xc5,
-        0x59, 0x6a, 0x62, 0x49, 0x3d, 0x50, 0xc9, 0xe1,
-        0x27, 0x3b, 0xff, 0x9b, 0x13, 0x66, 0x67, 0xdd,
-        0x7d, 0xd1, 0x0d, 0x2d, 0x7c, 0x44, 0x04, 0x1b,
-        0x16, 0x21, 0x12, 0xc5, 0xcb, 0xbd, 0x9e, 0x75
+        0xa7, 0xd2, 0x20, 0xdd, 0x45, 0xf9, 0x2b, 0xdd,
+        0xda, 0x98, 0x99, 0x5b, 0x1c, 0x02, 0x3a, 0x27,
+        0x8b, 0x7d, 0xb6, 0xed, 0x0e, 0xe0, 0xa7, 0xac,
+        0xaa, 0x36, 0x2c, 0xfa, 0x1a, 0xdf, 0x0d, 0xe1,
     };
 
     ECParams ecparams;
 
     SECStatus rv;
 
     /* ECDSA GF(p) prime field curve test */
-    ecparams = ecdsa_known_P256_Params;
+    ecparams = ec_known_P256_Params;
     rv = freebl_fips_ECDSA_Test(&ecparams,
                                 ecdsa_known_P256_signature,
                                 sizeof ecdsa_known_P256_signature);
     if (rv != SECSuccess) {
         return (SECFailure);
     }
+    /* ECDH GF(p) prime field curve test */
+    rv = freebl_fips_ECDH_Test(&ecparams);
+    if (rv != SECSuccess) {
+        return (SECFailure);
+    }
 
     return (SECSuccess);
 }
 
 static SECStatus
 freebl_fips_DSA_PowerUpSelfTest(void)
 {
     /* DSA Known P (1024-bits), Q (160-bits), and G (1024-bits) Values. */
@@ -1413,16 +1583,148 @@ freebl_fips_DSA_PowerUpSelfTest(void)
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     return (SECSuccess);
 }
 
 static SECStatus
+freebl_fips_DH_PowerUpSelfTest(void)
+{
+    /* DH Known P (2048-bits) */
+    static const PRUint8 dh_known_P[] = {
+        0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
+        0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
+        0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
+        0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
+        0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
+        0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
+        0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
+        0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
+        0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
+        0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
+        0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
+        0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
+        0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
+        0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
+        0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
+        0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
+        0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
+        0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
+        0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
+        0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
+        0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
+        0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
+        0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
+        0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
+        0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
+        0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
+        0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
+        0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
+        0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
+        0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
+        0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
+        0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
+    };
+
+    static const PRUint8 dh_known_Y_1[] = {
+        0xb4, 0xc7, 0x85, 0xba, 0xa6, 0x98, 0xb3, 0x77,
+        0x41, 0x2b, 0xd9, 0x9a, 0x72, 0x90, 0xa4, 0xac,
+        0xc4, 0xf7, 0xc2, 0x23, 0x9a, 0x68, 0xe2, 0x7d,
+        0x3a, 0x54, 0x45, 0x91, 0xc1, 0xd7, 0x8a, 0x17,
+        0x54, 0xd3, 0x37, 0xaa, 0x0c, 0xcd, 0x0b, 0xe2,
+        0xf2, 0x34, 0x0f, 0x17, 0xa8, 0x07, 0x88, 0xaf,
+        0xed, 0xc1, 0x02, 0xd4, 0xdb, 0xdc, 0x0f, 0x22,
+        0x51, 0x23, 0x40, 0xb9, 0x65, 0x6d, 0x39, 0xf4,
+        0xe1, 0x8b, 0x57, 0x7d, 0xb6, 0xd3, 0xf2, 0x6b,
+        0x02, 0xa9, 0x36, 0xf0, 0x0d, 0xe3, 0xdb, 0x9a,
+        0xbf, 0x20, 0x00, 0x4d, 0xec, 0x6f, 0x68, 0x95,
+        0xee, 0x59, 0x4e, 0x3c, 0xb6, 0xda, 0x7b, 0x19,
+        0x08, 0x9a, 0xef, 0x61, 0x43, 0xf5, 0xfb, 0x25,
+        0x70, 0x19, 0xc1, 0x5f, 0x0e, 0x0f, 0x6a, 0x63,
+        0x44, 0xe9, 0xcf, 0x33, 0xce, 0x13, 0x4f, 0x34,
+        0x3c, 0x94, 0x40, 0x8d, 0xf2, 0x65, 0x42, 0xef,
+        0x70, 0x54, 0xdd, 0x5f, 0xc1, 0xd7, 0x0b, 0xa6,
+        0x06, 0xd5, 0xa6, 0x47, 0xae, 0x2c, 0x1f, 0x5a,
+        0xa6, 0xb3, 0xc1, 0x38, 0x3a, 0x3b, 0x60, 0x94,
+        0xa2, 0x95, 0xab, 0xb2, 0x86, 0x82, 0xc5, 0x3b,
+        0xb8, 0x6f, 0x3e, 0x55, 0x86, 0x84, 0xe0, 0x00,
+        0xe5, 0xef, 0xca, 0x5c, 0xec, 0x7e, 0x38, 0x0f,
+        0x82, 0xa2, 0xb1, 0xee, 0x48, 0x1b, 0x32, 0xbb,
+        0x5a, 0x33, 0xa5, 0x01, 0xba, 0xca, 0xa6, 0x64,
+        0x61, 0xb6, 0xe5, 0x5c, 0x0e, 0x5f, 0x2c, 0x66,
+        0x0d, 0x01, 0x6a, 0x20, 0x04, 0x70, 0x68, 0x82,
+        0x93, 0x29, 0x15, 0x3b, 0x7a, 0x06, 0xb2, 0x92,
+        0x61, 0xcd, 0x7e, 0xa4, 0xc1, 0x15, 0x64, 0x3b,
+        0x3c, 0x51, 0x10, 0x4c, 0x87, 0xa6, 0xaf, 0x07,
+        0xce, 0x46, 0x82, 0x75, 0xf3, 0x90, 0xf3, 0x21,
+        0x55, 0x74, 0xc2, 0xe4, 0x96, 0x7d, 0xc3, 0xe6,
+        0x33, 0xa5, 0xc6, 0x51, 0xef, 0xec, 0x90, 0x08
+    };
+
+    static const PRUint8 dh_known_x_2[] = {
+        0x9e, 0x9b, 0xc3, 0x25, 0x53, 0xf9, 0xfc, 0x92,
+        0xb6, 0xae, 0x54, 0x8e, 0x23, 0x4c, 0x94, 0xba,
+        0x41, 0xe6, 0x29, 0x33, 0xb9, 0xdb, 0xff, 0x6d,
+        0xa8, 0xb8, 0x48, 0x49, 0x66, 0x11, 0xa6, 0x13
+    };
+
+    static const PRUint8 dh_known_hash_result[] = {
+        0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
+        0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
+        0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
+        0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
+    };
+
+    /* DH variables. */
+    SECStatus dhStatus;
+    SECItem dh_prime;
+    SECItem dh_pub_key_1;
+    SECItem dh_priv_key_2;
+    SECItem ZZ = { 0, 0, 0 };
+    PRUint8 computed_hash_result[HASH_LENGTH_MAX];
+
+    dh_prime.data = (PRUint8 *)dh_known_P;
+    dh_prime.len = sizeof(dh_known_P);
+    dh_pub_key_1.data = (PRUint8 *)dh_known_Y_1;
+    dh_pub_key_1.len = sizeof(dh_known_Y_1);
+    dh_priv_key_2.data = (PRUint8 *)dh_known_x_2;
+    dh_priv_key_2.len = sizeof(dh_known_x_2);
+
+    /* execute the derive */
+    dhStatus = DH_Derive(&dh_pub_key_1, &dh_prime, &dh_priv_key_2, &ZZ, dh_prime.len);
+    if (dhStatus != SECSuccess) {
+        goto loser;
+    }
+
+    dhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len);
+    if (dhStatus != SECSuccess) {
+        goto loser;
+    }
+
+    if (PORT_Memcmp(computed_hash_result, dh_known_hash_result,
+                    sizeof(dh_known_hash_result)) != 0) {
+        dhStatus = SECFailure;
+        goto loser;
+    }
+
+loser:
+    if (ZZ.data) {
+        SECITEM_FreeItem(&ZZ, PR_FALSE);
+    }
+
+    if (dhStatus != SECSuccess) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return (SECFailure);
+    }
+    return (SECSuccess);
+}
+
+static SECStatus
 freebl_fips_RNG_PowerUpSelfTest(void)
 {
     static const PRUint8 Q[] = {
         0x85, 0x89, 0x9c, 0x77, 0xa3, 0x79, 0xff, 0x1a,
         0x86, 0x6f, 0x2f, 0x3e, 0x2e, 0xf9, 0x8c, 0x9c,
         0x9d, 0xef, 0xeb, 0xed
     };
     static const PRUint8 GENX[] = {
@@ -1536,31 +1838,37 @@ freebl_fipsPowerUpSelfTest(unsigned int 
 
         /* HMAC SHA-X Power-Up SelfTest(s). */
         rv = freebl_fips_HMAC_PowerUpSelfTest();
 
         if (rv != SECSuccess)
             return rv;
 
         /* NOTE: RSA can only be tested in full freebl. It requires access to
-     * the locking primitives */
+         * the locking primitives */
         /* RSA Power-Up SelfTest(s). */
         rv = freebl_fips_RSA_PowerUpSelfTest();
 
         if (rv != SECSuccess)
             return rv;
 
         /* DSA Power-Up SelfTest(s). */
         rv = freebl_fips_DSA_PowerUpSelfTest();
 
         if (rv != SECSuccess)
             return rv;
 
-        /* ECDSA Power-Up SelfTest(s). */
-        rv = freebl_fips_ECDSA_PowerUpSelfTest();
+        /* DH Power-Up SelfTest(s). */
+        rv = freebl_fips_DH_PowerUpSelfTest();
+
+        if (rv != SECSuccess)
+            return rv;
+
+        /* EC Power-Up SelfTest(s). */
+        rv = freebl_fips_EC_PowerUpSelfTest();
 
         if (rv != SECSuccess)
             return rv;
     }
     /* Passed Power-Up SelfTest(s). */
     return (SECSuccess);
 }
 
--- a/security/nss/lib/freebl/intel-gcm-wrap.c
+++ b/security/nss/lib/freebl/intel-gcm-wrap.c
@@ -138,16 +138,17 @@ intel_AES_GCM_CreateContext(void *contex
 loser:
     PORT_Free(gcm);
     return NULL;
 }
 
 void
 intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
 {
+    PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
     if (freeit) {
         PORT_Free(gcm);
     }
 }
 
 SECStatus
 intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm,
                             unsigned char *outbuf,
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -2058,17 +2058,20 @@ s_mp_almost_inverse(const mp_int *a, con
                 MP_CHECKOK(mp_sub(&f, &g, &f)); /* f = f - g */
                 MP_CHECKOK(mp_sub(c, &d, c));   /* c = c - d */
             } else {
                 MP_CHECKOK(mp_add(&f, &g, &f)); /* f = f + g */
                 MP_CHECKOK(mp_add(c, &d, c));   /* c = c + d */
             }
         }
     if (res >= 0) {
-        while (MP_SIGN(c) != MP_ZPOS) {
+        if (mp_cmp_mag(c, p) >= 0) {
+            MP_CHECKOK(mp_div(c, p, NULL, c));
+        }
+        if (MP_SIGN(c) != MP_ZPOS) {
             MP_CHECKOK(mp_add(c, p, c));
         }
         res = k;
     }
 
 CLEANUP:
     mp_clear(&d);
     mp_clear(&f);
--- a/security/nss/lib/freebl/pqg.c
+++ b/security/nss/lib/freebl/pqg.c
@@ -486,21 +486,21 @@ cleanup:
 **  Perform steps from  FIPS 186-3, Appendix A.1.2.1 and Appendix C.6
 **
 **  This generates a provable prime from two smaller prime. The resulting
 **  prime p will have q0 as a multiple of p-1. q0 can be 1.
 **
 ** This implments steps 4 thorough 22 of FIPS 186-3 A.1.2.1 and
 **                steps 16 through 34 of FIPS 186-2 C.6
 */
-#define MAX_ST_SEED_BITS (HASH_LENGTH_MAX * PR_BITS_PER_BYTE)
 static SECStatus
 makePrimefromPrimesShaweTaylor(
     HASH_HashType hashtype,          /* selected Hashing algorithm */
     unsigned int length,             /* input. Length of prime in bits. */
+    unsigned int seedlen,            /* input seed length in bits */
     mp_int *c0,                      /* seed prime */
     mp_int *q,                       /* sub prime, can be 1 */
     mp_int *prime,                   /* output.  */
     SECItem *prime_seed,             /* input/output.  */
     unsigned int *prime_gen_counter) /* input/output.  */
 {
     mp_int c;
     mp_int c0_2;
@@ -552,33 +552,32 @@ makePrimefromPrimesShaweTaylor(
     */
 
     /* Step 4/16 iterations = ceiling(length/outlen)-1 */
     iterations = (length + outlen - 1) / outlen; /* NOTE: iterations +1 */
     /* Step 5/17 old_counter = prime_gen_counter */
     old_counter = *prime_gen_counter;
     /*
     ** Comment: Generate a pseudorandom integer x in the interval
-    ** [2**(lenght-1), 2**length].
+    ** [2**(length-1), 2**length].
     **
     ** Step 6/18 x = 0
     */
     PORT_Memset(x, 0, sizeof(x));
     /*
     ** Step 7/19 for i = 0 to iterations do
     **  x = x + (HASH(prime_seed + i) * 2^(i*outlen))
     */
     for (i = 0; i < iterations; i++) {
         /* is bigger than prime_seed should get to */
         CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, i,
-                                       MAX_ST_SEED_BITS, &x[(iterations - i - 1) * hashlen]));
+                                       seedlen, &x[(iterations - i - 1) * hashlen]));
     }
     /* Step 8/20 prime_seed = prime_seed + iterations + 1 */
-    CHECK_SEC_OK(addToSeed(prime_seed, iterations, MAX_ST_SEED_BITS,
-                           prime_seed));
+    CHECK_SEC_OK(addToSeed(prime_seed, iterations, seedlen, prime_seed));
     /*
     ** Step 9/21 x = 2 ** (length-1) + x mod 2 ** (length-1)
     **
     **   This step mathematically sets the high bit and clears out
     **  all the other bits higher than length. 'x' is stored
     **  in the x array, MSB first. The above formula gives us an 'x'
     **  which is length bytes long and has the high bit set. We also know
     **  that length <= iterations*outlen since
@@ -590,17 +589,17 @@ makePrimefromPrimesShaweTaylor(
      * multiple of 8,*/
     bit = 1 << ((length - 1) & 0x7); /* select the proper bit in the byte */
     /* we need to zero out the rest of the bits in the byte above */
     mask = (bit - 1);
     /* now we set it */
     x[offset] = (mask & x[offset]) | bit;
     /*
     ** Comment: Generate a candidate prime c in the interval
-    ** [2**(lenght-1), 2**length].
+    ** [2**(length-1), 2**length].
     **
     ** Step 10 t = ceiling(x/(2q(p0)))
     ** Step 22 t = ceiling(x/(2(c0)))
     */
     CHECK_MPI_OK(mp_read_unsigned_octets(&t, &x[offset],
                                          hashlen * iterations - offset)); /* t = x */
     CHECK_MPI_OK(mp_mul(c0, q, &c0_2));                                   /* c0_2 is now c0*q */
     CHECK_MPI_OK(mp_add(&c0_2, &c0_2, &c0_2));                            /* c0_2 is now 2*q*c0 */
@@ -619,17 +618,17 @@ makePrimefromPrimesShaweTaylor(
 step_23:
     CHECK_MPI_OK(mp_mul(&t, &c0_2, &c));                /* c = t*2qc0 */
     CHECK_MPI_OK(mp_add_d(&c, (mp_digit)1, &c));        /* c= 2tqc0 + 1*/
     if (mpl_significant_bits(&c) > length) {            /* if c > 2**length */
         CHECK_MPI_OK(mp_sub_d(&c0_2, (mp_digit)1, &t)); /* t = 2qc0-1 */
         /* t = 2**(length-1) + 2qc0 -1 */
         CHECK_MPI_OK(mp_add(&two_length_minus_1, &t, &t));
         /* t = floor((2**(length-1)+2qc0 -1)/2qco)
-         *   = ceil(2**(lenght-2)/2qc0) */
+         *   = ceil(2**(length-2)/2qc0) */
         CHECK_MPI_OK(mp_div(&t, &c0_2, &t, NULL));
         CHECK_MPI_OK(mp_mul(&t, &c0_2, &c));
         CHECK_MPI_OK(mp_add_d(&c, (mp_digit)1, &c)); /* c= 2tqc0 + 1*/
     }
     /* Step 13/25 prime_gen_counter = prime_gen_counter + 1*/
     (*prime_gen_counter)++;
     /*
     ** Comment: Test the candidate prime c for primality; first pick an
@@ -640,23 +639,21 @@ step_23:
     PORT_Memset(x, 0, sizeof(x)); /* use x for a */
     /*
     ** Step 15/27 for i = 0 to iterations do
     **  a = a + (HASH(prime_seed + i) * 2^(i*outlen))
     **
     ** NOTE: we reuse the x array for 'a' initially.
     */
     for (i = 0; i < iterations; i++) {
-        /* MAX_ST_SEED_BITS is bigger than prime_seed should get to */
         CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, i,
-                                       MAX_ST_SEED_BITS, &x[(iterations - i - 1) * hashlen]));
+                                       seedlen, &x[(iterations - i - 1) * hashlen]));
     }
     /* Step 16/28 prime_seed = prime_seed + iterations + 1 */
-    CHECK_SEC_OK(addToSeed(prime_seed, iterations, MAX_ST_SEED_BITS,
-                           prime_seed));
+    CHECK_SEC_OK(addToSeed(prime_seed, iterations, seedlen, prime_seed));
     /* Step 17/29 a = 2 + (a mod (c-3)). */
     CHECK_MPI_OK(mp_read_unsigned_octets(&a, x, iterations * hashlen));
     CHECK_MPI_OK(mp_sub_d(&c, (mp_digit)3, &z)); /* z = c -3 */
     CHECK_MPI_OK(mp_mod(&a, &z, &a));            /* a = a mod c -3 */
     CHECK_MPI_OK(mp_add_d(&a, (mp_digit)2, &a)); /* a = 2 + a mod c -3 */
     /*
     ** Step 18 z = a**(2tq) mod p.
     ** Step 30 z = a**(2t) mod c.
@@ -737,16 +734,17 @@ makePrimefromSeedShaweTaylor(
 {
     mp_int c;
     mp_int c0;
     mp_int one;
     SECStatus rv = SECFailure;
     int hashlen = HASH_ResultLen(hashtype);
     int outlen = hashlen * PR_BITS_PER_BYTE;
     int offset;
+    int seedlen = input_seed->len * 8; /*seedlen is in bits */
     unsigned char bit, mask;
     unsigned char x[HASH_LENGTH_MAX * 2];
     mp_digit dummy;
     mp_err err = MP_OKAY;
     int i;
 
     MP_DIGITS(&c) = 0;
     MP_DIGITS(&c0) = 0;
@@ -770,30 +768,29 @@ makePrimefromSeedShaweTaylor(
     */
         rv = makePrimefromSeedShaweTaylor(hashtype, (length + 1) / 2 + 1,
                                           input_seed, &c0, prime_seed, prime_gen_counter);
         /* Step 15 if FAILURE is returned, return (FAILURE, 0, 0, 0). */
         if (rv != SECSuccess) {
             goto cleanup;
         }
         /* Steps 16-34 */
-        rv = makePrimefromPrimesShaweTaylor(hashtype, length, &c0, &one,
+        rv = makePrimefromPrimesShaweTaylor(hashtype, length, seedlen, &c0, &one,
                                             prime, prime_seed, prime_gen_counter);
         goto cleanup; /* we're done, one way or the other */
     }
     /* Step 3 prime_seed = input_seed */
     CHECK_SEC_OK(SECITEM_CopyItem(NULL, prime_seed, input_seed));
     /* Step 4 prime_gen_count = 0 */
     *prime_gen_counter = 0;
 
 step_5:
     /* Step 5 c = Hash(prime_seed) xor Hash(prime_seed+1). */
     CHECK_SEC_OK(HASH_HashBuf(hashtype, x, prime_seed->data, prime_seed->len));
-    CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, 1,
-                                   MAX_ST_SEED_BITS, &x[hashlen]));
+    CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, 1, seedlen, &x[hashlen]));
     for (i = 0; i < hashlen; i++) {
         x[i] = x[i] ^ x[i + hashlen];
     }
     /* Step 6 c = 2**length-1 + c mod 2**length-1 */
     /*   This step mathematically sets the high bit and clears out
     **  all the other bits higher than length. Right now c is stored
     **  in the x array, MSB first. The above formula gives us a c which
     **  is length bytes long and has the high bit set. We also know that
@@ -812,17 +809,17 @@ step_5:
     /* Step 7 c = c*floor(c/2) + 1 */
     /* set the low bit. much easier to find (the end of the array) */
     x[hashlen - 1] |= 1;
     /* now that we've set our bits, we can create our candidate "c" */
     CHECK_MPI_OK(mp_read_unsigned_octets(&c, &x[offset], hashlen - offset));
     /* Step 8 prime_gen_counter = prime_gen_counter + 1 */
     (*prime_gen_counter)++;
     /* Step 9 prime_seed = prime_seed + 2 */
-    CHECK_SEC_OK(addToSeed(prime_seed, 2, MAX_ST_SEED_BITS, prime_seed));
+    CHECK_SEC_OK(addToSeed(prime_seed, 2, seedlen, prime_seed));
     /* Step 10 Perform deterministic primality test on c. For example, since
     ** c is small, it's primality can be tested by trial division, See
     ** See Appendic C.7.
     **
     ** We in fact test with trial division. mpi has a built int trial divider
     ** that divides all divisors up to 2^16.
     */
     if (prime_tab[prime_tab_size - 1] < 0xFFF1) {
@@ -885,17 +882,18 @@ findQfromSeed(
     unsigned int L,             /* input.  Length of p in bits. */
     unsigned int N,             /* input.  Length of q in bits. */
     unsigned int g,             /* input.  Length of seed in bits. */
     const SECItem *seed,        /* input.  */
     mp_int *Q,                  /* input. */
     mp_int *Q_,                 /* output. */
     unsigned int *qseed_len,    /* output */
     HASH_HashType *hashtypePtr, /* output. Hash uses */
-    pqgGenType *typePtr)        /* output. Generation Type used */
+    pqgGenType *typePtr,        /* output. Generation Type used */
+    unsigned int *qgen_counter) /* output. q_counter */
 {
     HASH_HashType hashtype;
     SECItem firstseed = { 0, 0, 0 };
     SECItem qseed = { 0, 0, 0 };
     SECStatus rv;
 
     *qseed_len = 0; /* only set if FIPS186_3_ST_TYPE */
 
@@ -959,16 +957,17 @@ findQfromSeed(
          * accident, someone has been tweeking with the seeds, just
          * fail a this point. */
                 SECITEM_FreeItem(&qseed, PR_FALSE);
                 return SECFailure;
             }
             *qseed_len = qseed.len;
             *hashtypePtr = hashtype;
             *typePtr = FIPS186_3_ST_TYPE;
+            *qgen_counter = count;
             SECITEM_FreeItem(&qseed, PR_FALSE);
             return SECSuccess;
         }
         SECITEM_FreeItem(&qseed, PR_FALSE);
     }
     /* no hash algorithms found which match seed to Q, fail */
     return SECFailure;
 }
@@ -1383,29 +1382,36 @@ step_5:
         CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, N, &firstseed, &Q,
                                                   &qseed, &qgen_counter));
         /* Step 3. Use floor(L/2+1) and qseed to generate random prime p0
      * using Appendix C.6 */
         pgen_counter = 0;
         CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, (L + 1) / 2 + 1,
                                                   &qseed, &p0, &pseed, &pgen_counter));
         /* Steps 4-22 FIPS 186-3 appendix A.1.2.1.2 */
-        CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L,
+        CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, seedBytes * 8,
                                                     &p0, &Q, &P, &pseed, &pgen_counter));
 
         /* combine all the seeds */
-        seed->len = firstseed.len + qseed.len + pseed.len;
+        if ((qseed.len > firstseed.len) || (pseed.len > firstseed.len)) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); /* shouldn't happen */
+            goto cleanup;
+        }
+        /* If the seed overflows, then pseed and qseed may have leading zeros which the mpl code clamps.
+         * we want to make sure those are added back in so the individual seed lengths are predictable from
+         * the overall seed length */
+        seed->len = firstseed.len * 3;
         seed->data = PORT_ArenaZAlloc(verify->arena, seed->len);
         if (seed->data == NULL) {
             goto cleanup;
         }
         PORT_Memcpy(seed->data, firstseed.data, firstseed.len);
-        PORT_Memcpy(seed->data + firstseed.len, pseed.data, pseed.len);
-        PORT_Memcpy(seed->data + firstseed.len + pseed.len, qseed.data, qseed.len);
-        counter = 0; /* (qgen_counter << 16) | pgen_counter; */
+        PORT_Memcpy(seed->data + 2 * firstseed.len - pseed.len, pseed.data, pseed.len);
+        PORT_Memcpy(seed->data + 3 * firstseed.len - qseed.len, qseed.data, qseed.len);
+        counter = (qgen_counter << 16) | pgen_counter;
 
         /* we've generated both P and Q now, skip to generating G */
         goto generate_G;
     }
     /* ******************************************************************
     ** Step 8. (Step 4 in 186-1)
     ** "Use a robust primality testing algorithm to test whether q is prime."
     **
@@ -1615,16 +1621,17 @@ PQG_VerifyParams(const PQGParams *params
 {
     SECStatus rv = SECSuccess;
     unsigned int g, n, L, N, offset, outlen;
     mp_int p0, P, Q, G, P_, Q_, G_, r, h;
     mp_err err = MP_OKAY;
     int j;
     unsigned int counter_max = 0; /* handle legacy L < 1024 */
     unsigned int qseed_len;
+    unsigned int qgen_counter_ = 0;
     SECItem pseed_ = { 0, 0, 0 };
     HASH_HashType hashtype;
     pqgGenType type;
 
 #define CHECKPARAM(cond)      \
     if (!(cond)) {            \
         *result = SECFailure; \
         goto cleanup;         \
@@ -1694,77 +1701,104 @@ PQG_VerifyParams(const PQGParams *params
     CHECKPARAM(mp_cmp_d(&r, 1) == 0);
     /* 5.  Q is prime */
     CHECKPARAM(mpp_pprime(&Q, prime_testcount_q(L, N)) == MP_YES);
     /* 6.  P is prime */
     CHECKPARAM(mpp_pprime(&P, prime_testcount_p(L, N)) == MP_YES);
     /* Steps 7-12 are done only if the optional PQGVerify is supplied. */
     /* continue processing P */
     /* 7.  counter < 4*L */
-    CHECKPARAM((vfy->counter == -1) || (vfy->counter < counter_max));
     /* 8.  g >= N and g < 2*L   (g is length of seed in bits) */
-    g = vfy->seed.len * 8;
-    CHECKPARAM(g >= N && g < counter_max / 2);
+    /* step 7 and 8 are delayed until we determine which type of generation
+     * was used */
     /* 9.  Q generated from SEED matches Q in PQGParams. */
     /* This function checks all possible hash and generation types to
      * find a Q_ which matches Q. */
+    g = vfy->seed.len * 8;
     CHECKPARAM(findQfromSeed(L, N, g, &vfy->seed, &Q, &Q_, &qseed_len,
-                             &hashtype, &type) == SECSuccess);
+                             &hashtype, &type, &qgen_counter_) == SECSuccess);
     CHECKPARAM(mp_cmp(&Q, &Q_) == 0);
+    /* now we can do steps 7  & 8*/
+    if ((type == FIPS186_1_TYPE) || (type == FIPS186_3_TYPE)) {
+        CHECKPARAM((vfy->counter == -1) || (vfy->counter < counter_max));
+        CHECKPARAM(g >= N && g < counter_max / 2);
+    }
     if (type == FIPS186_3_ST_TYPE) {
         SECItem qseed = { 0, 0, 0 };
         SECItem pseed = { 0, 0, 0 };
         unsigned int first_seed_len;
-        unsigned int pgen_counter = 0;
+        unsigned int pgen_counter_ = 0;
+        unsigned int qgen_counter = (vfy->counter >> 16) & 0xffff;
+        unsigned int pgen_counter = (vfy->counter) & 0xffff;
 
         /* extract pseed and qseed from domain_parameter_seed, which is
          * first_seed || pseed || qseed. qseed is first_seed + small_integer
-         * pseed is qseed + small_integer. This means most of the time
+         * mod the length of first_seed. pseed is qseed + small_integer mod
+         * the length of first_seed. This means most of the time
          * first_seed.len == qseed.len == pseed.len. Rarely qseed.len and/or
-         * pseed.len will be one greater than first_seed.len, so we can
-         * depend on the fact that
-         *   first_seed.len = floor(domain_parameter_seed.len/3).
-         * findQfromSeed returned qseed.len, so we can calculate pseed.len as
-         *   pseed.len = domain_parameter_seed.len - first_seed.len - qseed.len
-         * this is probably over kill, since 99.999% of the time they will all
-         * be equal.
-         *
-         * With the lengths, we can now find the offsets;
+         * pseed.len will be smaller because mpi clamps them. pqgGen
+         * automatically adds the zero pad back though, so we can depend
+         * domain_parameter_seed.len to be a multiple of three. We only have
+         * to deal with the fact that the returned seeds from our functions
+         * could be shorter.
+         *   first_seed.len = domain_parameter_seed.len/3
+         * We can now find the offsets;
          * first_seed.data = domain_parameter_seed.data + 0
          * pseed.data = domain_parameter_seed.data + first_seed.len
          * qseed.data = domain_parameter_seed.data
          *         + domain_paramter_seed.len - qseed.len
-         *
+         * We deal with pseed possibly having zero pad in the pseed check later.
          */
         first_seed_len = vfy->seed.len / 3;
         CHECKPARAM(qseed_len < vfy->seed.len);
         CHECKPARAM(first_seed_len * 8 > N - 1);
-        CHECKPARAM(first_seed_len + qseed_len < vfy->seed.len);
+        CHECKPARAM(first_seed_len * 8 < counter_max / 2);
+        CHECKPARAM(first_seed_len >= qseed_len);
         qseed.len = qseed_len;
         qseed.data = vfy->seed.data + vfy->seed.len - qseed.len;
-        pseed.len = vfy->seed.len - (first_seed_len + qseed_len);
+        pseed.len = first_seed_len;
         pseed.data = vfy->seed.data + first_seed_len;
 
         /*
          * now complete FIPS 186-3 A.1.2.1.2. Step 1 was completed
          * above in our initial checks, Step 2 was completed by
          * findQfromSeed */
 
         /* Step 3 (status, c0, prime_seed, prime_gen_counter) =
         ** (ST_Random_Prime((ceil(length/2)+1, input_seed)
         */
         CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, (L + 1) / 2 + 1,
-                                                  &qseed, &p0, &pseed_, &pgen_counter));
+                                                  &qseed, &p0, &pseed_, &pgen_counter_));
         /* Steps 4-22 FIPS 186-3 appendix A.1.2.1.2 */
-        CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L,
-                                                    &p0, &Q_, &P_, &pseed_, &pgen_counter));
+        CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, first_seed_len * 8,
+                                                    &p0, &Q_, &P_, &pseed_, &pgen_counter_));
         CHECKPARAM(mp_cmp(&P, &P_) == 0);
         /* make sure pseed wasn't tampered with (since it is part of
          * calculating G) */
+        if (pseed.len > pseed_.len) {
+            /* handle the case of zero pad for pseed */
+            int extra = pseed.len - pseed_.len;
+            int i;
+            for (i = 0; i < extra; i++) {
+                if (pseed.data[i] != 0) {
+                    *result = SECFailure;
+                    goto cleanup;
+                }
+            }
+            pseed.data += extra;
+            pseed.len -= extra;
+            /* the rest is handled in the normal compare below */
+        }
         CHECKPARAM(SECITEM_CompareItem(&pseed, &pseed_) == SECEqual);
+        if (vfy->counter != -1) {
+            CHECKPARAM(pgen_counter < counter_max);
+            CHECKPARAM(qgen_counter < counter_max);
+            CHECKPARAM((pgen_counter_ == pgen_counter));
+            CHECKPARAM((qgen_counter_ == qgen_counter));
+        }
     } else if (vfy->counter == -1) {
         /* If counter is set to -1, we are really only verifying G, skip
          * the remainder of the checks for P */
         CHECKPARAM(type != FIPS186_1_TYPE); /* we only do this for DSA2 */
     } else {
         /* 10. P generated from (L, counter, g, SEED, Q) matches P
          * in PQGParams. */
         outlen = HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE;
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -1027,23 +1027,29 @@ AES_CreateContext(const unsigned char *k
  * AES_DestroyContext
  *
  * Zero an AES cipher context.  If freeit is true, also free the pointer
  * to the context.
  */
 void
 AES_DestroyContext(AESContext *cx, PRBool freeit)
 {
+    void *mem = cx->mem;
     if (cx->worker_cx && cx->destroy) {
         (*cx->destroy)(cx->worker_cx, PR_TRUE);
         cx->worker_cx = NULL;
         cx->destroy = NULL;
     }
+    PORT_Memset(cx, 0, sizeof(AESContext));
     if (freeit) {
-        PORT_Free(cx->mem);
+        PORT_Free(mem);
+    } else {
+        /* if we are not freeing the context, restore mem, We may get called
+         * again to actually free the context */
+        cx->mem = mem;
     }
 }
 
 /*
  * AES_Encrypt
  *
  * Encrypt an arbitrary-length buffer.  The output buffer must already be
  * allocated to at least inputLen.
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,20 +17,20 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.44" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.44.1" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 44
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
 #define NSS_VBUILD 0
 #define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -185,17 +185,16 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
                 attrs++;
                 break;
             case ecKey:
                 keyType = CKK_EC;
                 PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
                 attrs++;
                 PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
                 attrs++;
-                signedattr = attrs;
                 PK11_SETATTRS(attrs, CKA_EC_PARAMS,
                               pubKey->u.ec.DEREncodedParams.data,
                               pubKey->u.ec.DEREncodedParams.len);
                 attrs++;
                 if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
                     PK11_SETATTRS(attrs, CKA_EC_POINT,
                                   pubKey->u.ec.publicValue.data,
                                   pubKey->u.ec.publicValue.len);
@@ -217,22 +216,24 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
                 break;
             default:
                 if (ckaId) {
                     SECITEM_FreeItem(ckaId, PR_TRUE);
                 }
                 PORT_SetError(SEC_ERROR_BAD_KEY);
                 return CK_INVALID_HANDLE;
         }
-
         templateCount = attrs - theTemplate;
-        signedcount = attrs - signedattr;
         PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
-        for (attrs = signedattr; signedcount; attrs++, signedcount--) {
-            pk11_SignedToUnsigned(attrs);
+        if (pubKey->keyType != ecKey) {
+            PORT_Assert(signedattr);
+            signedcount = attrs - signedattr;
+            for (attrs = signedattr; signedcount; attrs++, signedcount--) {
+                pk11_SignedToUnsigned(attrs);
+            }
         }
         rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
                                   templateCount, isToken, &objectID);
         if (ckaId) {
             SECITEM_FreeItem(ckaId, PR_TRUE);
         }
         if (pubValue) {
             SECITEM_FreeItem(pubValue, PR_TRUE);
@@ -1069,19 +1070,23 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *
         return NULL;
     }
 
     /* Set token, private, modifiable, sensitive, and extractable */
     count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count],
                                         &cktrue, &ckfalse);
 
     /* Not everyone can handle zero padded key values, give
-      * them the raw data as unsigned */
-    for (ap = attrs; extra_count; ap++, extra_count--) {
-        pk11_SignedToUnsigned(ap);
+     * them the raw data as unsigned. The exception is EC,
+     * where the values are encoded or zero-preserving
+     * per-RFC5915 */
+    if (privKey->keyType != ecKey) {
+        for (ap = attrs; extra_count; ap++, extra_count--) {
+            pk11_SignedToUnsigned(ap);
+        }
     }
 
     /* now Store the puppies */
     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate,
                               count, token, &objectID);
     PORT_FreeArena(arena, PR_TRUE);
     if (rv != SECSuccess) {
         return NULL;
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -179,17 +179,19 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERT
                 /* fall through and return false */
                 break;
         }
 
         if (theTemplate.ulValueLen == 0) {
             SECKEY_DestroyPublicKey(pubKey);
             return PR_FALSE;
         }
-        pk11_SignedToUnsigned(&theTemplate);
+        if (pubKey->keyType != ecKey) {
+            pk11_SignedToUnsigned(&theTemplate);
+        }
         if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
             SECKEY_DestroyPublicKey(pubKey);
             return PR_TRUE;
         }
         SECKEY_DestroyPublicKey(pubKey);
     }
     return PR_FALSE;
 }
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -235,16 +235,18 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, 
         case CKM_AES_CTS:
         case CKM_AES_GCM:
         case CKM_AES_MAC:
         case CKM_AES_MAC_GENERAL:
         case CKM_AES_CBC_PAD:
         case CKM_AES_KEY_GEN:
         case CKM_NETSCAPE_AES_KEY_WRAP:
         case CKM_NETSCAPE_AES_KEY_WRAP_PAD:
+        case CKM_AES_XCBC_MAC:
+        case CKM_AES_XCBC_MAC_96:
             return CKK_AES;
         case CKM_DES_ECB:
         case CKM_DES_CBC:
         case CKM_DES_MAC:
         case CKM_DES_MAC_GENERAL:
         case CKM_DES_CBC_PAD:
         case CKM_DES_KEY_GEN:
         case CKM_KEY_WRAP_LYNKS:
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -500,17 +500,17 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
                           sizeof(CK_BBOOL));
             attrs++;
             ck_id = PK11_MakeIDFromPubKey(&lpk->u.ec.publicValue);
             if (ck_id == NULL) {
                 goto loser;
             }
             PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len);
             attrs++;
-            signedattr = attrs;
+            /* No signed attrs for EC */
             /* curveOID always is a copy of AlgorithmID.parameters. */
             PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
                           lpk->u.ec.curveOID.len);
             attrs++;
             PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.ec.privateValue.data,
                           lpk->u.ec.privateValue.len);
             attrs++;
             PK11_SETATTRS(attrs, CKA_EC_POINT, lpk->u.ec.publicValue.data,
@@ -518,21 +518,22 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
             attrs++;
             break;
         default:
             PORT_SetError(SEC_ERROR_BAD_KEY);
             goto loser;
     }
     templateCount = attrs - theTemplate;
     PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
-    PORT_Assert(signedattr != NULL);
-    signedcount = attrs - signedattr;
-
-    for (ap = signedattr; signedcount; ap++, signedcount--) {
-        pk11_SignedToUnsigned(ap);
+    if (lpk->keyType != ecKey) {
+        PORT_Assert(signedattr);
+        signedcount = attrs - signedattr;
+        for (ap = signedattr; signedcount; ap++, signedcount--) {
+            pk11_SignedToUnsigned(ap);
+        }
     }
 
     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
                               theTemplate, templateCount, isPerm, &objectID);
 
     /* create and return a SECKEYPrivateKey */
     if (rv == SECSuccess && privk != NULL) {
         *privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx);
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@@ -106,16 +106,17 @@ CK_MECHANISM_TYPE PK11_GetKeyGenWithSize
 PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
 SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
                                        CK_OBJECT_HANDLE id);
 CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
                                         void *wincx, PK11SlotInfo **pSlot);
 PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                             CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
 unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
+CK_OBJECT_HANDLE PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey);
 
 /**********************************************************************
  *                   Certs
  **********************************************************************/
 SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot,
                                          SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg);
 SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
 CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -1593,16 +1593,17 @@ PK11_DeriveWithTemplate(PK11SymKey *base
         } else {
             pk11_ExitKeyMonitor(symKey);
         }
     }
     if (newBaseKey)
         PK11_FreeSymKey(newBaseKey);
     if (crv != CKR_OK) {
         PK11_FreeSymKey(symKey);
+        PORT_SetError(PK11_MapError(crv));
         return NULL;
     }
     return symKey;
 }
 
 /* Create a new key by concatenating base and data
  */
 static PK11SymKey *
@@ -1835,16 +1836,45 @@ loser:
     if (newSharedSecret != NULL)
         PK11_FreeSymKey(newSharedSecret);
     if (intermediateResult != NULL)
         PK11_FreeSymKey(intermediateResult);
     return NULL;
 }
 
 /*
+ * This regenerate a public key from a private key. This function is currently
+ * NSS private. If we want to make it public, we need to add and optional
+ * template or at least flags (a.la. PK11_DeriveWithFlags).
+ */
+CK_OBJECT_HANDLE
+PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
+{
+    PK11SlotInfo *slot = privKey->pkcs11Slot;
+    CK_MECHANISM mechanism;
+    CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
+    CK_RV crv;
+
+    mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
+    mechanism.pParameter = NULL;
+    mechanism.ulParameterLen = 0;
+
+    PK11_EnterSlotMonitor(slot);
+    crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
+                                         privKey->pkcs11ID, NULL, 0,
+                                         &objectID);
+    PK11_ExitSlotMonitor(slot);
+    if (crv != CKR_OK) {
+        PORT_SetError(PK11_MapError(crv));
+        return CK_INVALID_HANDLE;
+    }
+    return objectID;
+}
+
+/*
  * This Generates a wrapping key based on a privateKey, publicKey, and two
  * random numbers. For Mail usage RandomB should be NULL. In the Sender's
  * case RandomA is generate, outherwize it is passed.
  */
 PK11SymKey *
 PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
                PRBool isSender, SECItem *randomA, SECItem *randomB,
                CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
--- a/security/nss/lib/softoken/fipstest.c
+++ b/security/nss/lib/softoken/fipstest.c
@@ -7,16 +7,17 @@
 
 #ifndef NSS_FIPS_DISABLED
 #include "seccomon.h"
 #include "blapi.h"
 #include "softoken.h"
 #include "lowkeyi.h"
 #include "secoid.h"
 #include "secerr.h"
+#include "pkcs11i.h"
 
 /*
  * different platforms have different ways of calling and initial entry point
  * when the dll/.so is loaded. Most platforms support either a posix pragma
  * or the GCC attribute. Some platforms suppor a pre-defined name, and some
  * platforms have a link line way of invoking this function.
  */
 
@@ -621,16 +622,20 @@ sftk_startup_tests(void)
         return;
     }
     if (!BLAPI_SHVerify(libraryName,
                         (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) {
         /* something is wrong with the library, fail without enabling
          * the token */
         return;
     }
+    rv = sftk_fips_IKE_PowerUpSelfTests();
+    if (rv != SECSuccess) {
+        return;
+    }
     sftk_self_tests_success = PR_TRUE;
 }
 
 /*
  * this is called from nsc_Common_Initizialize entry points that gates access
  * to * all other pkcs11 functions. This prevents softoken operation if our
  * power on selftest failed.
  */
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -945,19 +945,19 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
         case CKA_DERIVE:
         case CKA_SIGN:
             return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
         case CKA_DECRYPT:
         case CKA_SIGN_RECOVER:
         case CKA_UNWRAP:
             return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
         case CKA_VALUE:
-            return lg_CopyPrivAttrSigned(attribute, type,
-                                         key->u.ec.privateValue.data,
-                                         key->u.ec.privateValue.len, sdbpw);
+            return lg_CopyPrivAttribute(attribute, type,
+                                        key->u.ec.privateValue.data,
+                                        key->u.ec.privateValue.len, sdbpw);
         case CKA_EC_PARAMS:
             return lg_CopyAttributeSigned(attribute, type,
                                           key->u.ec.ecParams.DEREncoding.data,
                                           key->u.ec.ecParams.DEREncoding.len);
         case CKA_NETSCAPE_DB:
             return lg_CopyAttributeSigned(attribute, type,
                                           key->u.ec.publicValue.data,
                                           key->u.ec.publicValue.len);
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@@ -256,16 +256,17 @@ nsslowkey_PrivateModulusLen(NSSLOWKEYPri
     }
     return 0;
 }
 
 NSSLOWKEYPublicKey *
 nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
 {
     NSSLOWKEYPublicKey *pubk;
+    SECItem publicValue;
     PLArenaPool *arena;
 
     arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
     if (arena == NULL) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         return NULL;
     }
 
@@ -296,16 +297,29 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
         case NSSLOWKEYDSAKey:
             pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
                                                           sizeof(NSSLOWKEYPublicKey));
             if (pubk != NULL) {
                 SECStatus rv;
 
                 pubk->arena = arena;
                 pubk->keyType = privk->keyType;
+                /* if the public key value doesn't exist, calculate it */
+                if (privk->u.dsa.publicValue.len == 0) {
+                    rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
+                                   &privk->u.dsa.privateValue, &publicValue, 0);
+                    if (rv != SECSuccess) {
+                        break;
+                    }
+                    rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
+                    SECITEM_FreeItem(&publicValue, PR_FALSE);
+                    if (rv != SECSuccess) {
+                        break;
+                    }
+                }
                 rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
                                       &privk->u.dsa.publicValue);
                 if (rv != SECSuccess)
                     break;
                 rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
                                       &privk->u.dsa.params.prime);
                 if (rv != SECSuccess)
                     break;
@@ -322,16 +336,29 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
         case NSSLOWKEYDHKey:
             pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
                                                           sizeof(NSSLOWKEYPublicKey));
             if (pubk != NULL) {
                 SECStatus rv;
 
                 pubk->arena = arena;
                 pubk->keyType = privk->keyType;
+                /* if the public key value doesn't exist, calculate it */
+                if (privk->u.dh.publicValue.len == 0) {
+                    rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
+                                   &privk->u.dh.privateValue, &publicValue, 0);
+                    if (rv != SECSuccess) {
+                        break;
+                    }
+                    rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
+                    SECITEM_FreeItem(&publicValue, PR_FALSE);
+                    if (rv != SECSuccess) {
+                        break;
+                    }
+                }
                 rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
                                       &privk->u.dh.publicValue);
                 if (rv != SECSuccess)
                     break;
                 rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
                                       &privk->u.dh.prime);
                 if (rv != SECSuccess)
                     break;
--- a/security/nss/lib/softoken/manifest.mn
+++ b/security/nss/lib/softoken/manifest.mn
@@ -41,16 +41,17 @@ CSRCS = \
 	lowpbe.c   \
 	padbuf.c   \
 	pkcs11.c   \
 	pkcs11c.c  \
 	pkcs11u.c  \
 	sdb.c  \
 	sftkdb.c  \
 	sftkhmac.c  \
+	sftkike.c  \
 	sftkpars.c  \
 	sftkpwd.c  \
 	softkver.c  \
 	tlsprf.c   \
 	jpakesftk.c \
 	$(NULL)
 
 ifdef SQLITE_UNSAFE_THREADS
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -323,16 +323,18 @@ static const struct mechanismList mechan
     { CKM_AES_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_AES_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_AES_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
     { CKM_AES_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
     { CKM_AES_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
     { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
     { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
+    { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
+    { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
     /* ------------------------- Camellia Operations --------------------- */
     { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
     { CKM_CAMELLIA_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_CAMELLIA_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_CAMELLIA_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
     { CKM_CAMELLIA_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
     { CKM_CAMELLIA_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
     /* ------------------------- SEED Operations --------------------------- */
@@ -505,17 +507,21 @@ static const struct mechanismList mechan
     { CKM_NSS_JPAKE_ROUND2_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_JPAKE_ROUND2_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_JPAKE_FINAL_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_JPAKE_FINAL_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_JPAKE_FINAL_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE },
     { CKM_NSS_JPAKE_FINAL_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
     /* -------------------- Constant Time TLS MACs ----------------------- */
     { CKM_NSS_HMAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
-    { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE }
+    { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
+    /* --------------------IPSEC ----------------------- */
+    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+    { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
 };
 static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
 
 /* sigh global so fipstokn can read it */
 PRBool nsc_init = PR_FALSE;
 
 #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED)
 
@@ -2195,16 +2201,129 @@ sftk_GetPrivKey(SFTKObject *object, CK_K
     }
 
     priv = sftk_mkPrivKey(object, key_type, crvp);
     object->objectInfo = priv;
     object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey;
     return priv;
 }
 
+/* populate a public key object from a lowpublic keys structure */
+CK_RV
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
+{
+    CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_RV crv = CKR_OK;
+    sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+    sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+    sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+    switch (keyType) {
+        case CKK_RSA:
+            sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+            sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
+            /* format the keys */
+            /* fill in the RSA dependent paramenters in the public key */
+            crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+                                        sftk_item_expand(&pubKey->u.rsa.modulus));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
+                                        sftk_item_expand(&pubKey->u.rsa.publicExponent));
+            break;
+        case CKK_DSA:
+            sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+            sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
+            sftk_DeleteAttributeType(publicKey, CKA_BASE);
+            crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+                                        sftk_item_expand(&pubKey->u.dsa.params.prime));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
+                                        sftk_item_expand(&pubKey->u.dsa.params.subPrime));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+                                        sftk_item_expand(&pubKey->u.dsa.params.base));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+                                        sftk_item_expand(&pubKey->u.dsa.publicValue));
+            break;
+        case CKK_DH:
+            sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+            sftk_DeleteAttributeType(publicKey, CKA_BASE);
+            crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+                                        sftk_item_expand(&pubKey->u.dh.prime));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+                                        sftk_item_expand(&pubKey->u.dh.base));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+                                        sftk_item_expand(&pubKey->u.dh.publicValue));
+            break;
+        case CKK_EC:
+            sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
+            sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
+            crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
+                                        sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
+            if (crv != CKR_OK) {
+                break;
+            }
+            crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+                                        sftk_item_expand(&pubKey->u.ec.publicValue));
+            break;
+        default:
+            return CKR_KEY_TYPE_INCONSISTENT;
+    }
+    crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
+                                sizeof(CK_OBJECT_CLASS));
+    if (crv != CKR_OK)
+        return crv;
+    crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
+                                sizeof(CK_KEY_TYPE));
+    if (crv != CKR_OK)
+        return crv;
+    /* now handle the operator attributes */
+    if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
+        crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+        if (crv != CKR_OK) {
+            return crv;
+        }
+    }
+    if (sftk_isTrue(privateKey, CKA_SIGN)) {
+        crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+        if (crv != CKR_OK) {
+            return crv;
+        }
+    }
+    if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
+        crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
+        if (crv != CKR_OK) {
+            return crv;
+        }
+    }
+    if (sftk_isTrue(privateKey, CKA_DERIVE)) {
+        crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+        if (crv != CKR_OK) {
+            return crv;
+        }
+    }
+    return crv;
+}
+
 /*
  **************************** Symetric Key utils ************************