Resolves: RHEL-59579

nss-3.101-fips-check-ec25519-size.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:

nss.spec

@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          8%{?dist}
+Release:          9%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -202,6 +202,7 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-shlibsign-fips.patch
+Patch88:          nss-3.101-fips-check-ec25519-size.patch
 
 #revert patches
 Patch300:         nss-3.101-default-libpkix.patch
@@ -1000,6 +1001,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithm using it as FIPS unapproved.
+
 * Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
 - fix shlibsign to work when the system is in FIPS mode.