import nss-3.101.0-13.el10

SOURCES/fips_algorithms.h

@@ -20,6 +20,7 @@ typedef enum {
     SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
     SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
     SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
+    SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
 } SFTKFIPSSpecialClass;
 
 /* set according to your security policy */
@@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
 #define AES_FB_KEY 128, 256
 #define AES_FB_STEP 64
     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+    { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
 
     /* -------------- RSA Multipart Signing Operations -------------------- */
     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

SOURCES/nss-3.101-allow-fips-rsa-oaep.patch

@@ -0,0 +1,20 @@
+diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fipsrsaoaep	2024-10-24 09:27:17.971673855 +0200
++++ ./lib/softoken/pkcs11u.c	2024-10-24 09:23:35.006352872 +0200
+@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+                 }
+             }
+             return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
++        case SFTKFIPSRSAOAEP:;
++            CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
++                                                mech->pParameter;
++
++            HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
++            HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
++            /* message hash and mask generation function must be the same */
++            if (hash_pad != hash_msg) return PR_FALSE;
++
++            return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
+         default:
+             break;
+     }

SOURCES/nss-3.101-fips-check-ec25519-size.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:

SOURCES/nss-softokn-config.in

@@ -21,7 +21,6 @@ Options:
 Dynamic Libraries:
 	softokn3 - Requires full dynamic linking
 	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
 Dymamically linked
 EOF
 	exit $1

SOURCES/nss-softokn.pc.in

@@ -7,5 +7,5 @@ Name: NSS-SOFTOKN
 Description: Network Security Services Softoken PKCS #11 Module
 Version: %SOFTOKEN_VERSION%
 Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Libs: -L${libdir} -lfreebl3 -lsoftokn3
 Cflags: -I${includedir}

SPECS/nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 9
+%global baserelease 13
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -191,11 +191,15 @@ Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-cavs-test.patch
 Patch88:          nss-3.101-fix-shlibsign-fips.patch
+Patch89:          nss-3.101-fips-check-ec25519-size.patch
 
 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
 Patch91:          nss-3.101-replace-xyber_with-mlkem.patch
 
+# Allow rsa-oaep in fips mode
+Patch95:          nss-3.101-allow-fips-rsa-oaep.patch
+
 # NSS reverse patches
 Patch300:         nss-3.79-distrusted-certs.patch
 
@@ -407,7 +411,7 @@ pushd nspr_build
 %ifarch i686 x86_64
 sed -i '/^PR_MD_ASFILES/d' config/autoconf.mk
 %endif
-make
+%{make_build}
 
 date +"%e %B %Y" | tr -d '\n' > date.xml
 echo -n %{nspr_version} > version.xml
@@ -503,8 +507,8 @@ export POLICY_FILE="nss.config"
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
 
-%{__make} -C ./nss all
+%{make_build} -C ./nss all
-%{__make} -C ./nss latest
+%{make_build} -C ./nss latest
 
 # build the man pages clean
 pushd ./nss
@@ -1170,6 +1174,20 @@ fi
 
 
 %changelog
+* Mon Nov 18 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-13
+- fix the "Allow RSA-OAEP in FIPS mode" patch for the declaration after switch statement
+- fix changelog message for 3.101.0-11
+
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-12
+- Allow RSA-OAEP in FIPS mode
+
+* Mon Nov 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 3.101.0-11
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithm using it as FIPS unapproved.
+
+* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-10
+- remove dbm references in pkconfig
+
 * Fri Nov 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-9
 - Add ml-kem support and remove xyber support
 - Fix shlibsign when the system is in FIPS mode