Resolves: RHEL-60565

nss-3.101-fips-check-ec25519-size.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 10
+%global baserelease 11
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -191,6 +191,7 @@ Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-cavs-test.patch
 Patch88:          nss-3.101-fix-shlibsign-fips.patch
+Patch89:          nss-3.101-fips-check-ec25519-size.patch
 
 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
@@ -1170,6 +1171,9 @@ fi
 
 
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 3.101.0-11
+- fips check ed25519 key size.
+
 * Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-10
 - remove dbm references in pkconfig