diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h
index 30f8688..8fc6ad7 100644
--- a/SOURCES/fips_algorithms.h
+++ b/SOURCES/fips_algorithms.h
@@ -20,6 +20,7 @@ typedef enum {
     SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
     SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
     SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
+    SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
 } SFTKFIPSSpecialClass;
 
 /* set according to your security policy */
@@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
 #define AES_FB_KEY 128, 256
 #define AES_FB_STEP 64
     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+    { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
 
     /* -------------- RSA Multipart Signing Operations -------------------- */
     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
diff --git a/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch
new file mode 100644
index 0000000..151643e
--- /dev/null
+++ b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch
@@ -0,0 +1,20 @@
+diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fipsrsaoaep	2024-10-24 09:27:17.971673855 +0200
++++ ./lib/softoken/pkcs11u.c	2024-10-24 09:23:35.006352872 +0200
+@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+                 }
+             }
+             return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
++        case SFTKFIPSRSAOAEP:;
++            CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
++                                                mech->pParameter;
++
++            HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
++            HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
++            /* message hash and mask generation function must be the same */
++            if (hash_pad != hash_msg) return PR_FALSE;
++
++            return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
+         default:
+             break;
+     }
diff --git a/SOURCES/nss-3.101-fips-check-ec25519-size.patch b/SOURCES/nss-3.101-fips-check-ec25519-size.patch
new file mode 100644
index 0000000..e9957f8
--- /dev/null
+++ b/SOURCES/nss-3.101-fips-check-ec25519-size.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:
diff --git a/SOURCES/nss-3.101-fix-shlibsign-fips.patch b/SOURCES/nss-3.101-fix-shlibsign-fips.patch
new file mode 100644
index 0000000..70e83f5
--- /dev/null
+++ b/SOURCES/nss-3.101-fix-shlibsign-fips.patch
@@ -0,0 +1,12 @@
+diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
+--- ./cmd/shlibsign/shlibsign.c.shlibsign	2024-06-07 09:26:03.000000000 -0700
++++ ./cmd/shlibsign/shlibsign.c	2024-10-31 10:49:28.637449054 -0700
+@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
+     } else {
+         /* NON FIPS mode  == C_GetFunctionList */
+         pC_GetFunctionList = (CK_C_GetFunctionList)
+-            PR_FindFunctionSymbol(lib, "C_GetFunctionList");
++            PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
+     }
+     assert(pC_GetFunctionList != NULL);
+     if (!pC_GetFunctionList) {
diff --git a/SOURCES/nss-3.90-ppc_no_init.patch b/SOURCES/nss-3.90-ppc_no_init.patch
index 134955a..75ee08e 100644
--- a/SOURCES/nss-3.90-ppc_no_init.patch
+++ b/SOURCES/nss-3.90-ppc_no_init.patch
@@ -34,3 +34,32 @@ diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
  
  
  #######################################################################
+diff -up ./lib/softoken/legacydb/Makefile.ppc_no_init ./lib/softoken/legacydb/Makefile
+--- ./lib/softoken/legacydb/Makefile.ppc_no_init	2024-11-12 11:51:16.535343581 +0100
++++ ./lib/softoken/legacydb/Makefile	2024-11-12 12:09:58.968187800 +0100
+@@ -23,16 +23,17 @@ include $(CORE_DEPTH)/coreconf/config.mk
+ ifdef NSS_NO_INIT_SUPPORT
+     DEFINES += -DNSS_NO_INIT_SUPPORT
+ endif
+-ifeq ($(OS_TARGET),Linux)
+-ifeq ($(CPU_ARCH),ppc)
+-ifdef USE_64
+-    DEFINES += -DNSS_NO_INIT_SUPPORT
+-endif # USE_64
+-endif # ppc
+-else # !Linux
++#ifeq ($(OS_TARGET),Linux)
++#ifeq ($(CPU_ARCH),ppc)
++#ifdef USE_64
++#    DEFINES += -DNSS_NO_INIT_SUPPORT
++#endif # USE_64
++#endif # ppc
++#else # !Linux
++ifneq ($(OS_TARGET),Linux)
+     # turn off no init support everywhere for now
+     DEFINES += -DNSS_NO_INIT_SUPPORT
+-endif # Linux
++endif # !Linux
+ 
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 5c7faba..c64cb49 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          11%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -201,6 +201,9 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=676100
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
+Patch87:          nss-3.101-fix-shlibsign-fips.patch
+Patch88:          nss-3.101-fips-check-ec25519-size.patch
+Patch89:          nss-3.101-allow-fips-rsa-oaep.patch
 
 #revert patches
 Patch300:         nss-3.101-default-libpkix.patch
@@ -999,6 +1002,19 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Tue Nov 12 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-11
+- don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems
+
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-10
+- Allow RSA-OAEP in FIPS mode
+
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithm using it as FIPS unapproved.
+
+* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
+- fix shlibsign to work when the system is in FIPS mode.
+
 * Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
 - fix cms abi breakage
 - fix long password issue on pbmac encodings