Don't limit using SHA1 in KDFs in non-FIPS mode.

Resolves: RHEL-5295

0049-Selectively-disallow-SHA1-signatures.patch

@@ -287,22 +287,6 @@ index 699ada7c52..e534ad0a5f 100644
      return mdnid;
  }
  
-@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
-     if (ossl_securitycheck_enabled(ctx))
-         return ossl_digest_get_approved_nid(md) != NID_undef;
- # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
-+
-+#ifndef FIPS_MODULE
-+    {
-+        int mdnid = EVP_MD_nid(md);
-+        if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
-+                && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
-+            return 0;
-+    }
-+#endif
-+
-     return 1;
- }
 diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
 index de7f0d3a0a..ce54a94fbc 100644
 --- a/providers/common/securitycheck_default.c

openssl.spec

@@ -525,6 +525,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 * Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
 - Provide relevant diagnostics when FIPS checksum is corrupted
   Resolves: RHEL-5317
+- Don't limit using SHA1 in KDFs in non-FIPS mode.
+  Resolves: RHEL-5295
 
 * Wed Jul 12 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-24
 - Make FIPS module configuration more crypto-policies friendly