SOURCES/0001-tests-rsa_pki-default-to-sha256.patch

@@ -1,96 +0,0 @@
-From c0a9076035513521fea11ee1f99eae6b80e49e6d Mon Sep 17 00:00:00 2001
-From: Adrian Freihofer <adrian.freihofer@gmail.com>
-Date: Fri, 9 Aug 2024 15:58:01 +0200
-Subject: [PATCH 1/2] tests: rsa_pki default to sha256
-
-Some distributions (Fedora 41) are starting to block sha1 hashes. This
-prevents this test case. Let's use sha256, which is more future-proof
-and should currently be supported by all distributions.
-
-Removing the following 2 lines from
-/etc/crypto-policies/back-ends/opensslcnf.config
-  [evp_properties]
-  rh-allow-sha1-signatures = no
-allows to run the tests successfully also with sha1.
-
-Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
----
- test/rsa_pki/etc/email.conf      | 2 +-
- test/rsa_pki/etc/root-ca.conf    | 4 ++--
- test/rsa_pki/etc/server.conf     | 2 +-
- test/rsa_pki/etc/signing-ca.conf | 4 ++--
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/test/rsa_pki/etc/email.conf b/test/rsa_pki/etc/email.conf
-index 8d59829..7606c38 100644
---- a/test/rsa_pki/etc/email.conf
-+++ b/test/rsa_pki/etc/email.conf
-@@ -6,7 +6,7 @@
- [ req ]
- default_bits            = 2048                  # RSA key size
- encrypt_key             = no
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- utf8                    = yes                   # Input is UTF-8
- string_mask             = utf8only              # Emit UTF-8 strings
- prompt                  = no                    # Don't prompt for DN
-diff --git a/test/rsa_pki/etc/root-ca.conf b/test/rsa_pki/etc/root-ca.conf
-index 69d284e..2f72eb4 100644
---- a/test/rsa_pki/etc/root-ca.conf
-+++ b/test/rsa_pki/etc/root-ca.conf
-@@ -15,7 +15,7 @@ dir                     = testdb                # Top dir
- [ req ]
- default_bits            = 2048                  # RSA key size
- encrypt_key             = no
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- utf8                    = yes                   # Input is UTF-8
- string_mask             = utf8only              # Emit UTF-8 strings
- prompt                  = no                    # Don't prompt for DN
-@@ -50,7 +50,7 @@ crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
- database                = $dir/ca/$ca/db/$ca.db # Index file
- unique_subject          = no                    # Require unique subject
- default_days            = 3652                  # How long to certify for
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- policy                  = match_pol             # Default naming policy
- email_in_dn             = no                    # Add email to cert DN
- preserve                = no                    # Keep passed DN ordering
-diff --git a/test/rsa_pki/etc/server.conf b/test/rsa_pki/etc/server.conf
-index 8f7b620..737fe55 100644
---- a/test/rsa_pki/etc/server.conf
-+++ b/test/rsa_pki/etc/server.conf
-@@ -9,7 +9,7 @@ SAN                     = DNS:yourdomain.tld    # Default value
- [ req ]
- default_bits            = 2048                  # RSA key size
- encrypt_key             = no
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- utf8                    = yes                   # Input is UTF-8
- string_mask             = utf8only              # Emit UTF-8 strings
- prompt                  = no                    # Don't prompt for DN
-diff --git a/test/rsa_pki/etc/signing-ca.conf b/test/rsa_pki/etc/signing-ca.conf
-index 912d7c3..3f9795d 100644
---- a/test/rsa_pki/etc/signing-ca.conf
-+++ b/test/rsa_pki/etc/signing-ca.conf
-@@ -15,7 +15,7 @@ dir                     = testdb                # Top dir
- [ req ]
- default_bits            = 2048                  # RSA key size
- encrypt_key             = no
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- utf8                    = yes                   # Input is UTF-8
- string_mask             = utf8only              # Emit UTF-8 strings
- prompt                  = no                    # Don't prompt for DN
-@@ -50,7 +50,7 @@ crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
- database                = $dir/ca/$ca/db/$ca.db # Index file
- unique_subject          = no                    # Require unique subject
- default_days            = 730                   # How long to certify for
--default_md              = sha1                  # MD to use
-+default_md              = sha256                # MD to use
- policy                  = match_pol             # Default naming policy
- email_in_dn             = no                    # Add email to cert DN
- preserve                = no                    # Keep passed DN ordering
--- 
-2.47.0
-

SOURCES/0001-tests-workaround-for-tpm2-tools-bug.patch

@@ -0,0 +1,30 @@
+From d46a3ae2d3f06852388eb8439a9c06d97a8d3ca2 Mon Sep 17 00:00:00 2001
+From: Adrian Freihofer <adrian.freihofer@gmail.com>
+Date: Wed, 27 Mar 2024 08:27:37 +0100
+Subject: [PATCH] tests: workaround for tpm2-tools bug
+
+The test fails because of a bug in the tpm2-tools:
+https://github.com/tpm2-software/tpm2-tools/pull/3374
+---
+ test/ec_createak_x509_index.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/ec_createak_x509_index.sh b/test/ec_createak_x509_index.sh
+index 4323475..7476c23 100755
+--- a/test/ec_createak_x509_index.sh
++++ b/test/ec_createak_x509_index.sh
+@@ -2,6 +2,11 @@
+ # SPDX-License-Identifier: BSD-3-Clause
+ set -eufx
+ 
++# Temporary workaround for https://github.com/tpm2-software/tpm2-tools/pull/3374
++if uname -m | grep s390; then
++    exit 77
++fi
++
+ # create EK
+ tpm2_createek -G ecc -c ek_rsa.ctx
+ 
+-- 
+2.44.0
+

SOURCES/0002-tests-do-not-test-sha1-by-default.patch

@@ -1,56 +0,0 @@
-From 1839c987c86752602b51981963132234ac7554a2 Mon Sep 17 00:00:00 2001
-From: Petr Gotthard <petr.gotthard@advantech.cz>
-Date: Sun, 6 Oct 2024 22:11:15 +0200
-Subject: [PATCH 2/2] tests: do not test sha1 by default
-
-Note: Chagnes on files which are not in the release tar are skipped on
-purpose since the patch is applied against the release tar by the spec
-file.
----
- test/ecdsa_genpkey_sign_rawin.sh  | 2 +-
- test/rsa_genpkey_sign_rawin.sh    | 2 +-
- test/rsapss_genpkey_sign_rawin.sh | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
-index 01403cf..7266049 100755
---- a/test/ecdsa_genpkey_sign_rawin.sh
-+++ b/test/ecdsa_genpkey_sign_rawin.sh
-@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
- openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
- 
- # check various digests
--for HASH in sha1 sha256 sha384 sha512; do
-+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
-     # skip unsupported algorithms
-     tpm2_getcap algorithms | grep $HASH || continue
- 
-diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
-index 267cea9..f2b9a94 100755
---- a/test/rsa_genpkey_sign_rawin.sh
-+++ b/test/rsa_genpkey_sign_rawin.sh
-@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
- openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
- 
- # check default scheme with various digests
--for HASH in sha1 sha256 sha384 sha512; do
-+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
-     # skip unsupported algorithms
-     tpm2_getcap algorithms | grep $HASH || continue
- 
-diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
-index 28447b2..99f8d63 100755
---- a/test/rsapss_genpkey_sign_rawin.sh
-+++ b/test/rsapss_genpkey_sign_rawin.sh
-@@ -5,7 +5,7 @@ set -eufx
- echo -n "abcde12345abcde12345" > testdata
- 
- # check default scheme with various digests
--for HASH in sha1 sha256 sha384 sha512; do
-+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
-     # skip unsupported algorithms
-     tpm2_getcap algorithms | grep $HASH || continue
- 
--- 
-2.47.0
-

SPECS/tpm2-openssl.spec

@@ -1,6 +1,6 @@
 Name:tpm2-openssl
 Version: 1.2.0
-Release: 5%{?candidate:.%{candidate}}%{?dist}
+Release: 3%{?candidate:.%{candidate}}%{?dist}
 Summary: Provider for integration of TPM 2.0 to OpenSSL 3.0
 
 License: BSD-3-Clause
@@ -10,10 +10,7 @@ Source1: https://github.com/tpm2-software/%{name}/%{?candidate:archive/refs/tags
 Source2: gpgkey-B7201FE8031B07AF11F5423C6329CFCB6BE6FD76.gpg
 # Will be included in Source0 after https://github.com/tpm2-software/tpm2-openssl/pull/100
 Source3: run-with-simulator
-
+Patch0: 0001-tests-workaround-for-tpm2-tools-bug.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2301337
-Patch1: 0001-tests-rsa_pki-default-to-sha256.patch
-Patch2: 0002-tests-do-not-test-sha1-by-default.patch
 
 BuildRequires: gnupg2
 BuildRequires: gcc
@@ -64,14 +61,6 @@ cp %{_sourcedir}/run-with-simulator %{_builddir}/%{name}-%{version}%{?candidate:
 %{_libdir}/ossl-modules/tpm2.so
 
 %changelog
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.2.0-5
-- Bump release for October 2024 mass rebuild:
-  Resolves: RHEL-64018
-
-* Fri Oct 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1.2.0-4
-- Skip SHA1-based tests, use SHA256 when possible
-  Resolves: RHEL-64906
-
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.2.0-3
 - Bump release for June 2024 mass rebuild