From 15b0b8d16ef8a18036aee73b4b60623f7272bece Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Wed, 10 Jul 2024 03:48:39 -0400
Subject: [PATCH] Fix SHA-1 algorithm availability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: RHEL-46754
Signed-off-by: Marc-André Lureau
---
 openssl-swtpm.cnf | 4 ++++
 swtpm-custom-openssl.patch | 12 ++++++++++++
 swtpm.spec | 12 ++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 openssl-swtpm.cnf
 create mode 100644 swtpm-custom-openssl.patch
diff --git a/openssl-swtpm.cnf b/openssl-swtpm.cnf
new file mode 100644
index 0000000..6195ecb
--- /dev/null
+++ b/openssl-swtpm.cnf
@@ -0,0 +1,4 @@
+.include /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
diff --git a/swtpm-custom-openssl.patch b/swtpm-custom-openssl.patch
new file mode 100644
index 0000000..6bd1b40
--- /dev/null
+++ b/swtpm-custom-openssl.patch
@@ -0,0 +1,12 @@
+Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ
+diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c
+--- swtpm-0.9.0/src/swtpm/main.c 2024-07-08 09:34:00.488080859 +0100
++++ swtpm-0.9.0.new/src/swtpm/main.c 2024-07-08 09:33:40.057884795 +0100
+@@ -70,6 +70,7 @@ int main(int argc, char **argv)
+ fprintf(stderr, "Missing TPM interface type.\n");
+ return 1;
+ }
++ setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);
+ if (!strcmp(argv[1], "socket")) {
+ return swtpm_main(argc-1, &argv[1], argv[0], "socket");
+ #ifdef WITH_CHARDEV
diff --git a/swtpm.spec b/swtpm.spec
index 2e4533d..56e3793 100644
--- a/swtpm.spec
+++ b/swtpm.spec
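Review bot: openssl-swtpm.cnf is installed system-wide under /etc/ssl yet carries no comment saying what it is for, so an administrator auditing that directory cannot tell why `rh-allow-sha1-signatures = yes` appears there or which process consumes it. A header such as `# Loaded by the swtpm binary via OPENSSL_CONF; re-enables the SHA-1 signatures the system crypto policy disables, because swtpm unconditionally advertises SHA-1` would state both the intent and the consumer. The override presumably only takes effect because the included system openssl.cnf routes `alg_section` to `[evp_properties]`; that dependency deserves a second comment line so a change to the system file is recognised as a regression risk for this one.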
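Review bot: The added `setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1)` overwrites any OPENSSL_CONF the operator exported, so swtpm cannot be run under a stricter or site-specific OpenSSL configuration and the override is silent. Passing `0` as the overwrite flag keeps the packaged default while still honouring an explicit environment, and a one-line comment such as `/* default OpenSSL config: re-enables SHA-1, which swtpm always advertises */` records why a TPM emulator sets a library environment variable at all. The path is hard-coded while the spec installs the file under `%{_sysconfdir}/ssl`; if OpenSSL treats a missing config file as "no config" rather than an error, a mismatch would degrade silently, so that is worth verifying. The first line of the new patch file, `Binary files ... .git/index differ`, is a stray artifact of diffing a git checkout and should be dropped. `main()` starts and ends outside the hunk.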
@@ -12,6 +12,11 @@ Release: 1%{?dist}
 License: BSD-3-Clause
 Url: https://github.com/stefanberger/swtpm
 Source0: https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1: openssl-swtpm.cnf
+# Prevent crypto policies disabling SHA-1.
+# swtpm algorithm list is unconditional. Since it advertizes
+# SHA-1, we MUST always provide a working SHA-1 impl
+Patch0002: swtpm-custom-openssl.patch
 BuildRequires: make
 BuildRequires: git-core
@@ -114,6 +119,9 @@ make %{?_smp_mflags} check VERBOSE=1
 %make_install
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}
+%__install -d %{buildroot}%{_sysconfdir}/ssl
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/
+
 %post selinux
 for pp in /usr/share/selinux/packages/swtpm.pp \
 /usr/share/selinux/packages/swtpm_svirt.pp \
@@ -145,6 +153,7 @@ fi
 %{_datadir}/selinux/packages/swtpm.pp
 %{_datadir}/selinux/packages/swtpm_libvirt.pp
 %{_datadir}/selinux/packages/swtpm_svirt.pp
+%{_sysconfdir}/ssl/openssl-swtpm.cnf
 %files libs
 %license LICENSE
@@ -193,6 +202,9 @@ fi
 %changelog
 * Tue Jul 09 2024 Marc-André Lureau - 0.9.0-1
 - Update to v0.9.0 release
+ Resolves: RHEL-42590
+- Fix SHA-1 algorithm availability
+ Resolves: RHEL-46754
 * Mon Jun 24 2024 Troy Dawson - 0.8.1-6
 - Bump release for June 2024 mass rebuild
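Review bot: The comment above `Patch0002:` gives the motivation but not the mechanism, and `advertizes` is misspelled; suggest `# swtpm's algorithm list is unconditional and advertises SHA-1, so a working SHA-1 must always be available: Patch0002 points the swtpm binary at Source1 via OPENSSL_CONF, which re-enables SHA-1 signatures regardless of the system crypto policy.` Only the `swtpm` binary is patched, so if any other binary in the package also depends on SHA-1 it is not covered by this mechanism; the comment should say so either way. The patch is declared here but its application is not visible in the hunk, presumably `%autosetup` handles it.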
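Review bot: `cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/` inherits the mode of the file in the source tree, so the installed permissions depend on how the sources were checked out rather than being fixed by the spec. `%__install -p -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ssl/openssl-swtpm.cnf` pins the mode, drops the doubled slash, and matches the `%__install -d` on the line above.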
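Review bot: `%{_sysconfdir}/ssl/openssl-swtpm.cnf` is listed as a plain file although it lives under /etc, so rpmlint normally flags it and a locally edited copy is overwritten without notice on upgrade. Since the patched swtpm binary expects exactly this content, `%config %{_sysconfdir}/ssl/openssl-swtpm.cnf` (rather than `%config(noreplace)`) keeps the packaged file current on upgrade while preserving an administrator's edit as `.rpmsave`; whichever is chosen, the choice should be explicit.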