diff --git a/SOURCES/0001-tests-rsa_pki-default-to-sha256.patch b/SOURCES/0001-tests-rsa_pki-default-to-sha256.patch new file mode 100644 index 0000000..682793f --- /dev/null +++ b/SOURCES/0001-tests-rsa_pki-default-to-sha256.patch @@ -0,0 +1,96 @@ +From c0a9076035513521fea11ee1f99eae6b80e49e6d Mon Sep 17 00:00:00 2001 +From: Adrian Freihofer +Date: Fri, 9 Aug 2024 15:58:01 +0200 +Subject: [PATCH 1/2] tests: rsa_pki default to sha256 + +Some distributions (Fedora 41) are starting to block sha1 hashes. This +prevents this test case. Let's use sha256, which is more future-proof +and should currently be supported by all distributions. + +Removing the following 2 lines from +/etc/crypto-policies/back-ends/opensslcnf.config + [evp_properties] + rh-allow-sha1-signatures = no +allows to run the tests successfully also with sha1. + +Signed-off-by: Adrian Freihofer +--- + test/rsa_pki/etc/email.conf | 2 +- + test/rsa_pki/etc/root-ca.conf | 4 ++-- + test/rsa_pki/etc/server.conf | 2 +- + test/rsa_pki/etc/signing-ca.conf | 4 ++-- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/test/rsa_pki/etc/email.conf b/test/rsa_pki/etc/email.conf +index 8d59829..7606c38 100644 +--- a/test/rsa_pki/etc/email.conf ++++ b/test/rsa_pki/etc/email.conf +@@ -6,7 +6,7 @@ + [ req ] + default_bits = 2048 # RSA key size + encrypt_key = no +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + utf8 = yes # Input is UTF-8 + string_mask = utf8only # Emit UTF-8 strings + prompt = no # Don't prompt for DN +diff --git a/test/rsa_pki/etc/root-ca.conf b/test/rsa_pki/etc/root-ca.conf +index 69d284e..2f72eb4 100644 +--- a/test/rsa_pki/etc/root-ca.conf ++++ b/test/rsa_pki/etc/root-ca.conf +@@ -15,7 +15,7 @@ dir = testdb # Top dir + [ req ] + default_bits = 2048 # RSA key size + encrypt_key = no +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + utf8 = yes # Input is UTF-8 + string_mask = utf8only # Emit UTF-8 strings + prompt = no # Don't prompt for DN +@@ -50,7 +50,7 @@ crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file + database = $dir/ca/$ca/db/$ca.db # Index file + unique_subject = no # Require unique subject + default_days = 3652 # How long to certify for +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + policy = match_pol # Default naming policy + email_in_dn = no # Add email to cert DN + preserve = no # Keep passed DN ordering +diff --git a/test/rsa_pki/etc/server.conf b/test/rsa_pki/etc/server.conf +index 8f7b620..737fe55 100644 +--- a/test/rsa_pki/etc/server.conf ++++ b/test/rsa_pki/etc/server.conf +@@ -9,7 +9,7 @@ SAN = DNS:yourdomain.tld # Default value + [ req ] + default_bits = 2048 # RSA key size + encrypt_key = no +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + utf8 = yes # Input is UTF-8 + string_mask = utf8only # Emit UTF-8 strings + prompt = no # Don't prompt for DN +diff --git a/test/rsa_pki/etc/signing-ca.conf b/test/rsa_pki/etc/signing-ca.conf +index 912d7c3..3f9795d 100644 +--- a/test/rsa_pki/etc/signing-ca.conf ++++ b/test/rsa_pki/etc/signing-ca.conf +@@ -15,7 +15,7 @@ dir = testdb # Top dir + [ req ] + default_bits = 2048 # RSA key size + encrypt_key = no +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + utf8 = yes # Input is UTF-8 + string_mask = utf8only # Emit UTF-8 strings + prompt = no # Don't prompt for DN +@@ -50,7 +50,7 @@ crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file + database = $dir/ca/$ca/db/$ca.db # Index file + unique_subject = no # Require unique subject + default_days = 730 # How long to certify for +-default_md = sha1 # MD to use ++default_md = sha256 # MD to use + policy = match_pol # Default naming policy + email_in_dn = no # Add email to cert DN + preserve = no # Keep passed DN ordering +-- +2.47.0 + diff --git a/SOURCES/0001-tests-workaround-for-tpm2-tools-bug.patch b/SOURCES/0001-tests-workaround-for-tpm2-tools-bug.patch deleted file mode 100644 index 6f91028..0000000 --- a/SOURCES/0001-tests-workaround-for-tpm2-tools-bug.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d46a3ae2d3f06852388eb8439a9c06d97a8d3ca2 Mon Sep 17 00:00:00 2001 -From: Adrian Freihofer -Date: Wed, 27 Mar 2024 08:27:37 +0100 -Subject: [PATCH] tests: workaround for tpm2-tools bug - -The test fails because of a bug in the tpm2-tools: -https://github.com/tpm2-software/tpm2-tools/pull/3374 ---- - test/ec_createak_x509_index.sh | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/test/ec_createak_x509_index.sh b/test/ec_createak_x509_index.sh -index 4323475..7476c23 100755 ---- a/test/ec_createak_x509_index.sh -+++ b/test/ec_createak_x509_index.sh -@@ -2,6 +2,11 @@ - # SPDX-License-Identifier: BSD-3-Clause - set -eufx - -+# Temporary workaround for https://github.com/tpm2-software/tpm2-tools/pull/3374 -+if uname -m | grep s390; then -+ exit 77 -+fi -+ - # create EK - tpm2_createek -G ecc -c ek_rsa.ctx - --- -2.44.0 - diff --git a/SOURCES/0002-tests-do-not-test-sha1-by-default.patch b/SOURCES/0002-tests-do-not-test-sha1-by-default.patch new file mode 100644 index 0000000..2d5480f --- /dev/null +++ b/SOURCES/0002-tests-do-not-test-sha1-by-default.patch @@ -0,0 +1,56 @@ +From 1839c987c86752602b51981963132234ac7554a2 Mon Sep 17 00:00:00 2001 +From: Petr Gotthard +Date: Sun, 6 Oct 2024 22:11:15 +0200 +Subject: [PATCH 2/2] tests: do not test sha1 by default + +Note: Chagnes on files which are not in the release tar are skipped on +purpose since the patch is applied against the release tar by the spec +file. +--- + test/ecdsa_genpkey_sign_rawin.sh | 2 +- + test/rsa_genpkey_sign_rawin.sh | 2 +- + test/rsapss_genpkey_sign_rawin.sh | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh +index 01403cf..7266049 100755 +--- a/test/ecdsa_genpkey_sign_rawin.sh ++++ b/test/ecdsa_genpkey_sign_rawin.sh +@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p + openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub + + # check various digests +-for HASH in sha1 sha256 sha384 sha512; do ++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do + # skip unsupported algorithms + tpm2_getcap algorithms | grep $HASH || continue + +diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh +index 267cea9..f2b9a94 100755 +--- a/test/rsa_genpkey_sign_rawin.sh ++++ b/test/rsa_genpkey_sign_rawin.sh +@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr + openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub + + # check default scheme with various digests +-for HASH in sha1 sha256 sha384 sha512; do ++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do + # skip unsupported algorithms + tpm2_getcap algorithms | grep $HASH || continue + +diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh +index 28447b2..99f8d63 100755 +--- a/test/rsapss_genpkey_sign_rawin.sh ++++ b/test/rsapss_genpkey_sign_rawin.sh +@@ -5,7 +5,7 @@ set -eufx + echo -n "abcde12345abcde12345" > testdata + + # check default scheme with various digests +-for HASH in sha1 sha256 sha384 sha512; do ++for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do + # skip unsupported algorithms + tpm2_getcap algorithms | grep $HASH || continue + +-- +2.47.0 + diff --git a/SPECS/tpm2-openssl.spec b/SPECS/tpm2-openssl.spec index b43cec2..d635aa4 100644 --- a/SPECS/tpm2-openssl.spec +++ b/SPECS/tpm2-openssl.spec @@ -1,6 +1,6 @@ Name:tpm2-openssl Version: 1.2.0 -Release: 3%{?candidate:.%{candidate}}%{?dist} +Release: 4%{?candidate:.%{candidate}}%{?dist} Summary: Provider for integration of TPM 2.0 to OpenSSL 3.0 License: BSD-3-Clause @@ -10,7 +10,10 @@ Source1: https://github.com/tpm2-software/%{name}/%{?candidate:archive/refs/tags Source2: gpgkey-B7201FE8031B07AF11F5423C6329CFCB6BE6FD76.gpg # Will be included in Source0 after https://github.com/tpm2-software/tpm2-openssl/pull/100 Source3: run-with-simulator -Patch0: 0001-tests-workaround-for-tpm2-tools-bug.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=2301337 +Patch1: 0001-tests-rsa_pki-default-to-sha256.patch +Patch2: 0002-tests-do-not-test-sha1-by-default.patch BuildRequires: gnupg2 BuildRequires: gcc @@ -61,6 +64,10 @@ cp %{_sourcedir}/run-with-simulator %{_builddir}/%{name}-%{version}%{?candidate: %{_libdir}/ossl-modules/tpm2.so %changelog +* Fri Oct 25 2024 Dmitry Belyavskiy - 1.2.0-4 +- Skip SHA1-based tests, use SHA256 when possible + Resolves: RHEL-64906 + * Mon Jun 24 2024 Troy Dawson - 1.2.0-3 - Bump release for June 2024 mass rebuild