Resolves: RHEL-59582

nss-3.101-fips-check-ec25519-size.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:

nss.spec

@@ -1,6 +1,6 @@
 %global nss_version 3.101.0
 %global nspr_version 4.35.0
-%global baserelease 8
+%global baserelease 9
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@@ -200,6 +200,7 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-shlibsign-fips.patch
+Patch88:          nss-3.101-fips-check-ec25519-size.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -1201,6 +1202,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithms using it as FIPS unapproved.
+
 * Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
 - fix shlibsign in FIPS mode
 - remove dbm from pkgconfig