From ed5ad1f04eef5f9bd5b4784ba75b1691b8a03609 Mon Sep 17 00:00:00 2001
From: Krenzelok Frantisek <krenzelok.frantisek@gmail.com>
Date: Mon, 11 Nov 2024 12:25:56 +0100
Subject: [PATCH] Resolves: RHEL-59579

---
 nss-3.101-fips-check-ec25519-size.patch | 12 ++++++++++++
 nss.spec                                |  7 ++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 nss-3.101-fips-check-ec25519-size.patch

diff --git a/nss-3.101-fips-check-ec25519-size.patch b/nss-3.101-fips-check-ec25519-size.patch
new file mode 100644
index 0000000..e9957f8
--- /dev/null
+++ b/nss-3.101-fips-check-ec25519-size.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:
diff --git a/nss.spec b/nss.spec
index 50acf67..540fc48 100644
--- a/nss.spec
+++ b/nss.spec
@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          8%{?dist}
+Release:          9%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -202,6 +202,7 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-shlibsign-fips.patch
+Patch88:          nss-3.101-fips-check-ec25519-size.patch
 
 #revert patches
 Patch300:         nss-3.101-default-libpkix.patch
@@ -1000,6 +1001,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithm using it as FIPS unapproved.
+
 * Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
 - fix shlibsign to work when the system is in FIPS mode.