diff --git a/mozilla/security/nss/lib/freebl/blapit.h b/mozilla/security/nss/lib/freebl/blapit.h
index 2151f3f2a39..7979fa3c5a6 100644
--- a/mozilla/security/nss/lib/freebl/blapit.h
+++ b/mozilla/security/nss/lib/freebl/blapit.h
@@ -4,7 +4,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: blapit.h,v 1.28 2012-06-12 16:39:00 rrelyea%redhat.com Exp $ */
+/* $Id: blapit.h,v 1.29 2012-06-14 18:55:10 wtc%google.com Exp $ */
 
 #ifndef _BLAPIT_H_
 #define _BLAPIT_H_
@@ -129,10 +129,10 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
  * module. They may be arbitrarily adjusted to any value freebl supports.
  */
 #define RSA_MIN_MODULUS_BITS   128
-#define RSA_MAX_MODULUS_BITS  8192
+#define RSA_MAX_MODULUS_BITS 16384
 #define RSA_MAX_EXPONENT_BITS   64
 #define DH_MIN_P_BITS	       128
-#define DH_MAX_P_BITS         3072
+#define DH_MAX_P_BITS        16384
 
 /*
  * The FIPS 186-1 algorithm for generating primes P and Q allows only 9
diff --git a/mozilla/security/nss/lib/freebl/dh.c b/mozilla/security/nss/lib/freebl/dh.c
index 1135f689f4a..e4ebe8495f3 100644
--- a/mozilla/security/nss/lib/freebl/dh.c
+++ b/mozilla/security/nss/lib/freebl/dh.c
@@ -6,7 +6,7 @@
  * Diffie-Hellman parameter generation, key generation, and secret derivation.
  * KEA secret generation and verification.
  *
- * $Id: dh.c,v 1.11 2012-04-25 14:49:43 gerv%gerv.net Exp $
+ * $Id: dh.c,v 1.12 2012-06-14 18:55:10 wtc%google.com Exp $
  */
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
@@ -21,9 +21,28 @@
 #include "mpprime.h"
 #include "secmpi.h"
 
-#define DH_SECRET_KEY_LEN      20
 #define KEA_DERIVED_SECRET_LEN 128
 
+/* Lengths are in bytes. */
+static unsigned int
+dh_GetSecretKeyLen(unsigned int primeLen)
+{
+    /* Based on Table 2 in NIST SP 800-57. */
+    if (primeLen >= 1920) { /* 15360 bits */
+        return 64;  /* 512 bits */
+    }
+    if (primeLen >= 960) { /* 7680 bits */
+        return 48;  /* 384 bits */
+    }
+    if (primeLen >= 384) { /* 3072 bits */
+        return 32;  /* 256 bits */
+    }
+    if (primeLen >= 256) { /* 2048 bits */
+        return 28;  /* 224 bits */
+    }
+    return 20;  /* 160 bits */
+}
+
 SECStatus 
 DH_GenParam(int primeLen, DHParams **params)
 {
@@ -154,7 +173,8 @@ DH_NewKey(DHParams *params, DHPrivateKey **privKey)
     CHECK_SEC_OK( SECITEM_CopyItem(arena, &key->base, &params->base) );
     SECITEM_TO_MPINT(key->base, &g);
     /* Generate private key xa */
-    SECITEM_AllocItem(arena, &key->privateValue, DH_SECRET_KEY_LEN);
+    SECITEM_AllocItem(arena, &key->privateValue,
+                      dh_GetSecretKeyLen(params->prime.len));
     RNG_GenerateGlobalRandomBytes(key->privateValue.data, 
                                   key->privateValue.len);
     SECITEM_TO_MPINT( key->privateValue, &xa );