diff --git a/SOURCES/openssl-swtpm.cnf b/SOURCES/openssl-swtpm.cnf new file mode 100644 index 0000000..6195ecb --- /dev/null +++ b/SOURCES/openssl-swtpm.cnf @@ -0,0 +1,4 @@ +.include /etc/ssl/openssl.cnf + +[evp_properties] +rh-allow-sha1-signatures = yes diff --git a/SOURCES/swtpm-custom-openssl.patch b/SOURCES/swtpm-custom-openssl.patch new file mode 100644 index 0000000..6bd1b40 --- /dev/null +++ b/SOURCES/swtpm-custom-openssl.patch @@ -0,0 +1,12 @@ +Binary files swtpm-0.9.0/.git/index and swtpm-0.9.0.new/.git/index differ +diff -rup swtpm-0.9.0/src/swtpm/main.c swtpm-0.9.0.new/src/swtpm/main.c +--- swtpm-0.9.0/src/swtpm/main.c 2024-07-08 09:34:00.488080859 +0100 ++++ swtpm-0.9.0.new/src/swtpm/main.c 2024-07-08 09:33:40.057884795 +0100 +@@ -70,6 +70,7 @@ int main(int argc, char **argv) + fprintf(stderr, "Missing TPM interface type.\n"); + return 1; + } ++ setenv("OPENSSL_CONF", "/etc/ssl/openssl-swtpm.cnf", 1); + if (!strcmp(argv[1], "socket")) { + return swtpm_main(argc-1, &argv[1], argv[0], "socket"); + #ifdef WITH_CHARDEV diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec index 649f7cd..c9104c8 100644 --- a/SPECS/swtpm.spec +++ b/SPECS/swtpm.spec @@ -8,11 +8,16 @@ Summary: TPM Emulator Name: swtpm Version: 0.8.0 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD Url: https://github.com/stefanberger/swtpm Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz Patch0001: 0001-swtpm_setup-fix-Werror-maybe-uninitialized.patch +# Prevent crypto policies disabling SHA-1. +# swtpm algorithm list is unconditional. Since it advertizes +# SHA-1, we MUST always provide a working SHA-1 impl +Source1: openssl-swtpm.cnf +Patch0002: swtpm-custom-openssl.patch BuildRequires: make BuildRequires: git-core @@ -103,6 +108,9 @@ make %{?_smp_mflags} check VERBOSE=1 rm -f $RPM_BUILD_ROOT%{_libdir}/%{name}/*.{a,la,so} rm $RPM_BUILD_ROOT%{_mandir}/man8/swtpm_cuse.8* +%__install -d %{buildroot}%{_sysconfdir}/ssl +cp %{SOURCE1} %{buildroot}/%{_sysconfdir}/ssl/ + %post for pp in /usr/share/selinux/packages/swtpm.pp \ /usr/share/selinux/packages/swtpm_svirt.pp; do @@ -130,6 +138,7 @@ fi %{_mandir}/man8/swtpm.8* %{_datadir}/selinux/packages/swtpm.pp %{_datadir}/selinux/packages/swtpm_svirt.pp +%{_sysconfdir}/ssl/openssl-swtpm.cnf %files libs %license LICENSE @@ -175,6 +184,10 @@ fi %{_datadir}/swtpm/swtpm-create-tpmca %changelog +* Mon Jul 08 2024 Marc-André Lureau - 0.8.0-2 +- Fix SHA-1 algorithm availability + Resolves: RHEL-46788 + * Tue Nov 22 2022 Marc-André Lureau - 0.8.0-1 - Update to v0.8.0 release Resolves: rhbz#2092944