Fix SHA-1 algorithm availability

Resolves: RHEL-46754 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2024-07-10 03:48:39 -04:00 · 2024-07-10 03:48:39 -04:00 · 15b0b8d16e
commit 15b0b8d16e
parent f048978c31
3 changed files with 28 additions and 0 deletions
--- a/openssl-swtpm.cnf
+++ b/openssl-swtpm.cnf
@ -0,0 +1,4 @@
+.include /etc/ssl/openssl.cnf
+
+[evp_properties]
+rh-allow-sha1-signatures = yes
--- a/swtpm-custom-openssl.patch
+++ b/swtpm-custom-openssl.patch
@ -0,0 +1,12 @@
+Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ
+diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c
+--- swtpm-0.9.0/src/swtpm/main.c	2024-07-08 09:34:00.488080859 +0100
+++ swtpm-0.9.0.new/src/swtpm/main.c	2024-07-08 09:33:40.057884795 +0100
+@@ -70,6 +70,7 @@ int main(int argc, char **argv)
+         fprintf(stderr, "Missing TPM interface type.\n");
+         return 1;
+     }
+    setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1);
+     if (!strcmp(argv[1], "socket")) {
+         return swtpm_main(argc-1, &argv[1], argv[0], "socket");
+ #ifdef WITH_CHARDEV
--- a/swtpm.spec
+++ b/swtpm.spec
@ -12,6 +12,11 @@ Release:        1%{?dist}
 License:        BSD-3-Clause
 Url:            https://github.com/stefanberger/swtpm
 Source0:        https://github.com/stefanberger/swtpm/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:        openssl-swtpm.cnf
+# Prevent crypto policies disabling SHA-1.
+# swtpm algorithm list is unconditional. Since it advertizes
+# SHA-1, we MUST always provide a working SHA-1 impl
+Patch0002:      swtpm-custom-openssl.patch

 BuildRequires: make
 BuildRequires:  git-core
@ -114,6 +119,9 @@ make %{?_smp_mflags} check VERBOSE=1
 %make_install
 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so}

+%__install -d %{buildroot}%{_sysconfdir}/ssl
+cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/
+
 %post selinux
 for pp in /usr/share/selinux/packages/swtpm.pp \
          /usr/share/selinux/packages/swtpm_svirt.pp \
@ -145,6 +153,7 @@ fi
 %{_datadir}/selinux/packages/swtpm.pp
 %{_datadir}/selinux/packages/swtpm_libvirt.pp
 %{_datadir}/selinux/packages/swtpm_svirt.pp
+%{_sysconfdir}/ssl/openssl-swtpm.cnf

 %files libs
 %license LICENSE
@ -193,6 +202,9 @@ fi
 %changelog
 * Tue Jul 09 2024 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.9.0-1
 - Update to v0.9.0 release
+  Resolves: RHEL-42590
+- Fix SHA-1 algorithm availability
+  Resolves: RHEL-46754

 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.8.1-6
 - Bump release for June 2024 mass rebuild