diff --git a/nss-3.101-fips-check-ec25519-size.patch b/nss-3.101-fips-check-ec25519-size.patch
new file mode 100644
index 0000000..e9957f8
--- /dev/null
+++ b/nss-3.101-fips-check-ec25519-size.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+ * key length is CKA_VALUE, which is the default */
+ keyType = CKK_INVALID_KEY_TYPE;
+ }
+- if (keyType == CKK_EC) {
++ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+ SECOidTag curve = sftk_quickGetECCCurveOid(source);
+ switch (curve) {
+ case SEC_OID_CURVE25519:
diff --git a/nss.spec b/nss.spec
index 07add18..988ed0b 100644
--- a/nss.spec
+++ b/nss.spec
@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 10
+%global baserelease 11
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -191,6 +191,7 @@ Patch85: nss-3.101-fix-cms-abi-break.patch
 Patch86: nss-3.101-long-pwd-fix.patch
 Patch87: nss-3.101-fix-cavs-test.patch
 Patch88: nss-3.101-fix-shlibsign-fips.patch
+Patch89: nss-3.101-fips-check-ec25519-size.patch
 # RHEL-10 specific
 Patch90: nss-3.101-disable_dsa.patch
@@ -1170,6 +1171,9 @@ fi
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-11
+- fips check ed25519 key size.
+
 * Mon Nov 4 2024 Bob Relyea - 3.101.0-10
 - remove dbm references in pkconfig
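Review bot: In the new nss-3.101-fips-check-ec25519-size.patch, the widened condition in sftk_getKeyLength carries no comment explaining why CKK_EC_EDWARDS and CKK_EC_MONTGOMERY keys are now sized by curve rather than by the CKA_VALUE default, and the embedded patch has no description or bug reference. I would add `/* Edwards and Montgomery keys are sized by curve like CKK_EC, not by CKA_VALUE length */` above the `if`. Only `case SEC_OID_CURVE25519:` of the switch is visible, so this hunk does not show whether the OID that sftk_quickGetECCCurveOid returns for an Edwards key matches a case or falls through to the default; that should be confirmed, since the result presumably feeds the FIPS key-size check the patch name refers to. The changelog entry mentions only ed25519 although Montgomery keys are covered too, and the backup suffix is spelled `curver25519`. The function body starts and ends outside the hunk.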