diff --git a/fips_algorithms.h b/fips_algorithms.h
index 6526ec7..80d7dcd 100644
--- a/fips_algorithms.h
+++ b/fips_algorithms.h
@@ -14,9 +14,13 @@ typedef enum {
 SFTKFIPSDH, /* allow only specific primes */
 SFTKFIPSECC, /* not just keys but specific curves */
 SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
- SFTKFIPSRSAPSS
+ SFTKFIPSRSAPSS, /* make sure salt isn't too big */
+ SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */
 } SFTKFIPSSpecialClass;
+/* set according to your security policy */
+#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7
+
 typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
 struct SFTKFIPSAlgorithmListStr {
 CK_MECHANISM_TYPE type;
@@ -163,6 +167,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
 { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
 { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
 /* ------------------ PBE Key Derivations ------------------- */
- { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/nss-3.90-add-ems-policy.patch b/nss-3.90-add-ems-policy.patch
index 1d475b5..18739d9 100644
--- a/nss-3.90-add-ems-policy.patch
+++ b/nss-3.90-add-ems-policy.patch
@@ -53,7 +53,7 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
 + rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
 + /* we only look at the policy if we can fetch it. */
 + if (rv == SECSuccess) {
-+ if (policy & NSS_USE_POLICY_IN_SSL) {
++ if (policy & NSS_USE_ALG_IN_SSL_KX) {
 + /* just set the error, we don't want to map any errors
 + * set by NSS_GetAlgorithmPolicy here */
 + PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
diff --git a/nss-3.90-pbkdf2-indicator.patch b/nss-3.90-pbkdf2-indicator.patch
new file mode 100644
index 0000000..dbb7765
--- /dev/null
+++ b/nss-3.90-pbkdf2-indicator.patch
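Review bot: The comment on `SFTKFIPS_PBKDF2_MIN_PW_LEN` in the first fips_algorithms.h hunk states neither the unit of the 7 nor what the constant gates, although it decides whether a PBKDF2 call is reported as FIPS-approved. I would document it as `/* minimum PBKDF2 password length in bytes for the FIPS indicator; must equal the value stated in the module's Security Policy */`. The value is compared against `*(pbkdf2->ulPasswordLen)` in the new `SFTKFIPSPBKDF2` case of the pbkdf2-indicator patch, so the unit is presumably bytes; confirm that before adopting the wording.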
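Review bot: The EMS requirement in the nss-3.90-add-ems-policy.patch hunk is evaluated only inside `if (rv == SECSuccess)`, so a failed `NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy)` skips the check without leaving any trace, and the flag correction in this hunk does not change that. If skipping on lookup failure is intended, the existing comment should say why, for example `/* a failed lookup means no require-EMS policy is configured; treat as "not required" */`; otherwise the failure branch should reject as well. The enclosing function starts and ends outside the hunk, so this reading rests only on the lines shown.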
@@ -0,0 +1,42 @@
+diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700
++++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700
+@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ return PR_FALSE;
+ case SFTKFIPSECC:
+ /* we've already handled the curve selection in the 'getlength'
+- * function */
++ * function */
+ return PR_TRUE;
+ case SFTKFIPSAEAD: {
+ if (mech->ulParameterLen == 0) {
+@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ }
+ return PR_TRUE;
+ }
++ case SFTKFIPSPBKDF2: {
++ /* PBKDF2 must have the following addition restrictions
++ * (independent of keysize).
++ * 1. iteration count must be at least 1000.
++ * 2. salt must be at least 128 bits (16 bytes).
++ * 3. password must match the length specified in the SP
++ */
++ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
++ mech->pParameter;
++ if (mech->ulParameterLen != sizeof(*pbkdf2)) {
++ return PR_FALSE;
++ }
++ if (pbkdf2->iterations < 1000) {
++ return PR_FALSE;
++ }
++ if (pbkdf2->ulSaltSourceDataLen < 16) {
++ return PR_FALSE;
++ }
++ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
++ return PR_FALSE;
++ }
++ return PR_TRUE;
++ }
+ default:
+ break;
+ }
diff --git a/nss.spec b/nss.spec
index f6884e7..dd31cc1 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
 %global nss_version 3.90.0
 %global nspr_version 4.35.0
-%global baserelease 2
+%global baserelease 3
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@@ -171,6 +171,7 @@ Patch51: nss-3.79-dbtool.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
 Patch58: nss-3.79-fips.patch
 Patch61: nss-3.79-fips-review.patches
+Patch63: nss-3.90-pbkdf2-indicator.patch
 # ems policy. needs to upstream
 Patch70: nss-3.90-add-ems-policy.patch
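Review bot: In the new `SFTKFIPSPBKDF2` case, `*(pbkdf2->ulPasswordLen)` is dereferenced without a NULL check and `mech->pParameter` is validated only through `ulParameterLen`, so a NULL parameter pointer or a NULL password-length pointer with a matching length would fault inside the indicator check instead of yielding `PR_FALSE`. Add `if (pbkdf2 == NULL || pbkdf2->ulPasswordLen == NULL) { return PR_FALSE; }` before the field checks. The block comment also says the password "must match the length specified in the SP" while the code enforces a minimum; `3. password must be at least SFTKFIPS_PBKDF2_MIN_PW_LEN bytes (per the SP)` would match what is implemented. `sftk_handleSpecial` starts and ends outside the hunk, so whether a caller has already validated these pointers cannot be seen here.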
@@ -186,8 +187,6 @@ Patch120: nspr-4.34-server-passive.patch
 Patch60: nss-3.90-DisablingASM.patch
-
-
 # NSS reverse patches
 Patch300: nss-3.79-distrusted-certs.patch
@@ -1170,7 +1169,11 @@ update-crypto-policies &> /dev/null || :
 %changelog
-* Thu Jun 29 2023 Frantisek Krenzelok - 3.90.0-2
+* Fri Aug 4 2023 Bob Relyea - 3.90.0-3
+- add indicator for pbkdf
+- fix ems policy bug
+
+* Thu Jun 29 2023 frantisek Krenzelok - 3.90.0-2
 - fix release number
 * Wed Jun 28 2023 Frantisek Krenzelok - 3.90.0-1