FIPS: Disable SHA1 signs and EVP_PKEY_{sign,verify}

1. Deny SHA-1 signature verification in FIPS provider For RHEL, we already disable SHA-1 signatures by default in the default provider, so it is unexpected that the FIPS provider would have a more lenient configuration in this regard. Additionally, we do not think continuing to accept SHA-1 signatures is a good idea due to the published chosen-prefix collision attacks. As a consequence, disable verification of SHA-1 signatures in the FIPS provider. This requires adjusting a few tests that would otherwise fail: - 30-test_acvp: Remove the test vectors that use SHA-1. - 30-test_evp: Mark tests in evppkey_rsa_common.txt and evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default", which will not run them when the FIPS provider is enabled. - 80-test_cms: Re-generate all certificates in test/smime-certificates using the mksmime-certs.sh script, because most of them were signed with SHA-1 and thus fail verification in the FIPS provider. Keep smec3.pem, which was used to sign static test data in test/recipes/80-test_cms_data/ciphertext_from_1_1_1.cms, which would otherwise no longer verify. Note that smec3.pem was signed with a smroot.pem, which was now re-generated. This does not affect the test. Fix some other tests by explicitly running them in the default provider, where SHA-1 is available. - 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with the FIPS provider. 2. Disable EVP_PKEY_{sign,verify} in FIPS provider The APIs to compute both digest and signature in one step, EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be used instead. This ensures that the digest is computed inside of the FIPS module, and that only approved digests are used. Update documentation for EVP_PKEY_{sign,verify} to reflect this. Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex and EVP_PKEY_verify_init_ex where these parameters can be passed on creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is set and evaluates as true. Move tests that use the EVP_PKEY API to only run in the default provider, since they would fail in the FIPS provider. This also affects a number of CMS tests where error handling is insufficient and failure to sign would only show up when verifying the CMS structure due to a parse error. Resolves: rhbz#2087147 Signed-off-by: Clemens Lang <cllang@redhat.com>
2 years ago · 389313b118
parent 87f109e9fb
commit 389313b118
3 changed files with 1578 additions and 1 deletions
--- a/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
+++ b/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
--- a/0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
+++ b/0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
@ -0,0 +1,449 @@
+From 6f7111801d960952b15cda98d9a95f79f6f0bf7e Mon Sep 17 00:00:00 2001
+From: Clemens Lang <cllang@redhat.com>
+Date: Mon, 23 May 2022 13:09:08 +0200
+Subject: [PATCH] Disable EVP_PKEY_{sign,verify} in FIPS provider
+
+The APIs to compute both digest and signature in one step,
+EVP_DigestSign*/EVP_DigestVerify* and EVP_Sign*/EVP_Verify*, should be
+used instead. This ensures that the digest is computed inside of the
+FIPS module, and that only approved digests are used.
+
+Update documentation for EVP_PKEY_{sign,verify} to reflect this.
+
+Since the KATs use EVP_PKEY_sign/EVP_PKEY_verify, modify the tests to
+set the OSSL_SIGNATURE_PARAM_KAT parameter and use EVP_PKEY_sign_init_ex
+and EVP_PKEY_verify_init_ex where these parameters can be passed on
+creation and allow EVP_PKEY_sign/EVP_PKEY_verify when this parameter is
+set and evaluates as true.
+
+Move tests that use the EVP_PKEY API to only run in the default
+provider, since they would fail in the FIPS provider. This also affects
+a number of CMS tests where error handling is insufficient and failure
+to sign would only show up when verifying the CMS structure due to
+a parse error.
+
+Resolves: rhbz#2087147
+Signed-off-by: Clemens Lang <cllang@redhat.com>
+---
+ doc/man3/EVP_PKEY_sign.pod                    |  5 ++++
+ doc/man3/EVP_PKEY_verify.pod                  |  5 ++++
+ providers/fips/self_test_kats.c               | 19 ++++++-------
+ .../implementations/signature/ecdsa_sig.c     | 28 +++++++++++++++++++
+ providers/implementations/signature/rsa_sig.c | 28 +++++++++++++++++++
+ .../30-test_evp_data/evppkey_ecdsa.txt        |  9 +-----
+ .../30-test_evp_data/evppkey_rsa_common.txt   | 14 ++++++++++
+ test/recipes/80-test_cms.t                    | 22 +++++++--------
+ 8 files changed, 101 insertions(+), 29 deletions(-)
+
+diff --git a/doc/man3/EVP_PKEY_sign.pod b/doc/man3/EVP_PKEY_sign.pod
+index 6752432bd5..f9d2b4f5d1 100644
+--- a/doc/man3/EVP_PKEY_sign.pod
+++ b/doc/man3/EVP_PKEY_sign.pod
+@@ -41,6 +41,11 @@ normally used to sign digests. For signing arbitrary messages, see the
+ L<EVP_DigestSignInit(3)> and
+ L<EVP_SignInit(3)> signing interfaces instead.
+ 
+B<WARNING>: Because FIPS 140-3 requires that a signed digest is computed in the
+same module as the signature, this API is disabled on CentOS 9 Stream and Red
+Hat Enterprise Linux in FIPS mode.  Use L<EVP_DigestSignInit(3)> and
+L<EVP_SignInit(3)> instead.
+
+ After the call to EVP_PKEY_sign_init() algorithm specific control
+ operations can be performed to set any appropriate parameters for the
+ operation (see L<EVP_PKEY_CTX_ctrl(3)>).
+diff --git a/doc/man3/EVP_PKEY_verify.pod b/doc/man3/EVP_PKEY_verify.pod
+index 77023cab87..344c39fe07 100644
+--- a/doc/man3/EVP_PKEY_verify.pod
+++ b/doc/man3/EVP_PKEY_verify.pod
+@@ -33,6 +33,11 @@ signed) is specified using the I<tbs> and I<tbslen> parameters.
+ 
+ =head1 NOTES
+ 
+B<WARNING>: Because FIPS 140-3 requires that a signed digest is computed in the
+same module as the signature, this API is disabled on CentOS 9 Stream and Red
+Hat Enterprise Linux in FIPS mode.  Use L<EVP_DigestVerifyInit(3)> and
+L<EVP_VerifyInit(3)> instead.
+
+ After the call to EVP_PKEY_verify_init() algorithm specific control
+ operations can be performed to set any appropriate parameters for the
+ operation.
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index 064794d9bf..a60cb99983 100644
+--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
+@@ -488,24 +488,23 @@ static int self_test_sign(const ST_KAT_SIGN *t,
+         || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0)
+         goto err;
+ 
+-    /* Create a EVP_PKEY_CTX to use for the signing operation */
+-    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+-    if (sctx == NULL
+-        || EVP_PKEY_sign_init(sctx) <= 0)
+-        goto err;
+-
+-    /* set signature parameters */
+    /* prepare signature parameters */
+     if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST,
+                                          t->mdalgorithm,
+                                          strlen(t->mdalgorithm) + 1))
+         goto err;
+    if (!OSSL_PARAM_BLD_push_int(bld, OSSL_SIGNATURE_PARAM_KAT, 1))
+        goto err;
+     params_sig = OSSL_PARAM_BLD_to_param(bld);
+-    if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+
+    /* Create a EVP_PKEY_CTX to use for the signing operation */
+    sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL);
+    if (sctx == NULL
+        || EVP_PKEY_sign_init_ex(sctx, params_sig) <= 0)
+         goto err;
+ 
+     if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0
+-        || EVP_PKEY_verify_init(sctx) <= 0
+-        || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0)
+        || EVP_PKEY_verify_init_ex(sctx, params_sig) <= 0)
+         goto err;
+ 
+     /*
+diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
+index 44a22832ec..8f10208b59 100644
+--- a/providers/implementations/signature/ecdsa_sig.c
+++ b/providers/implementations/signature/ecdsa_sig.c
+@@ -73,6 +73,9 @@ typedef struct {
+      * by their Final function.
+      */
+     unsigned int flag_allow_md : 1;
+    /* Flag indicating that this context is used in a combined digest/sign or
+     * digest/verify operation. */
+    unsigned int flag_is_digest_sigver : 1;
+ 
+     /* The Algorithm Identifier of the combined signature algorithm */
+     unsigned char aid_buf[OSSL_MAX_ALGORITHM_ID_SIZE];
+@@ -134,6 +137,26 @@ static int ecdsa_signverify_init(void *vctx, void *ec,
+             || ctx == NULL)
+         return 0;
+ 
+#ifdef FIPS_MODULE
+    {
+        const OSSL_PARAM *katparam = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
+        if (katparam != NULL) {
+            int kattests = 0;
+            if (OSSL_PARAM_get_int(katparam, &kattests) && kattests) {
+                ctx->flag_is_digest_sigver = 1;
+            }
+        }
+    }
+
+    if (!ctx->flag_is_digest_sigver) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
+            "ECDSA signatures are not supported using the "
+            "EVP_PKEY_sign/EVP_PKEY_verify API in FIPS mode, use "
+            "EVP_DigestSign and EVP_DigestVerify.");
+        return 0;
+    }
+#endif
+
+     if (ec == NULL && ctx->ec == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+         return 0;
+@@ -287,6 +310,11 @@ static int ecdsa_digest_signverify_init(void *vctx, const char *mdname,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
+    if (ctx == NULL)
+        return 0;
+
+    ctx->flag_is_digest_sigver = 1;
+
+     if (!ecdsa_signverify_init(vctx, ec, params, operation)
+         || !ecdsa_setup_md(ctx, mdname, NULL))
+         return 0;
+diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
+index 9a25b6a3de..a0d7b4707d 100644
+--- a/providers/implementations/signature/rsa_sig.c
+++ b/providers/implementations/signature/rsa_sig.c
+@@ -88,6 +88,9 @@ typedef struct {
+      */
+     unsigned int flag_allow_md : 1;
+     unsigned int mgf1_md_set : 1;
+    /* Flag indicating that this context is used in a combined digest/sign or
+     * digest/verify operation. */
+    unsigned int flag_is_digest_sigver : 1;
+ 
+     /* main digest */
+     EVP_MD *md;
+@@ -394,6 +397,26 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
+     if (!ossl_prov_is_running() || prsactx == NULL)
+         return 0;
+ 
+#ifdef FIPS_MODULE
+    {
+        const OSSL_PARAM *katparam = OSSL_PARAM_locate_const(params, OSSL_SIGNATURE_PARAM_KAT);
+        if (katparam != NULL) {
+            int kattests = 0;
+            if (OSSL_PARAM_get_int(katparam, &kattests) && kattests) {
+                prsactx->flag_is_digest_sigver = 1;
+            }
+        }
+    }
+
+    if (!prsactx->flag_is_digest_sigver) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_NOT_SUPPORTED,
+            "RSA signatures are not supported using the "
+            "EVP_PKEY_sign/EVP_PKEY_verify API in FIPS mode, use "
+            "EVP_DigestSign and EVP_DigestVerify.");
+        return 0;
+    }
+#endif
+
+     if (vrsa == NULL && prsactx->rsa == NULL) {
+         ERR_raise(ERR_LIB_PROV, PROV_R_NO_KEY_SET);
+         return 0;
+@@ -851,6 +874,11 @@ static int rsa_digest_signverify_init(void *vprsactx, const char *mdname,
+     if (!ossl_prov_is_running())
+         return 0;
+ 
+    if (prsactx == NULL)
+        return 0;
+
+    prsactx->flag_is_digest_sigver = 1;
+
+     if (!rsa_signverify_init(vprsactx, vrsa, params, operation))
+         return 0;
+ 
+diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+index a96940f026..ac934a2096 100644
+--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt
+@@ -111,6 +111,7 @@ Input = "Hello World"
+ Output = 3046022100e7515177ec3817b77a4a94066ab3070817b7aa9d44a8a09f040da250116e8972022100ba59b0f631258e59a9026be5d84f60685f4cf22b9165a0c2736d5c21c8ec1862
+ 
+ # Test that mdsize != tbssize fails
+Availablein = default
+ Sign = P-256
+ Ctrl = digest:SHA256
+ Input = "0123456789ABCDEF1234"
+@@ -197,14 +198,6 @@ Key = B-163
+ Input = "Hello World"
+ Result = DIGESTSIGNINIT_ERROR
+ 
+-# Test that SHA1 is not allowed in fips mode for signing
+-Availablein = fips
+-Sign = P-256
+-Securitycheck = 1
+-Ctrl = digest:SHA1
+-Input = "0123456789ABCDEF1234"
+-Result = PKEY_CTRL_ERROR
+-
+ # Invalid non-approved digest
+ Availablein = fips
+ DigestVerify = MD5
+diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+index 37e542e1c2..e8209996ef 100644
+--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+@@ -103,11 +103,13 @@ Input = "0123456789ABCDEF1234"
+ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+ 
+ # Truncated digest
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+ Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17
+ 
+Availablein = default
+ Verify = RSA-2048
+ Ctrl = digest:SHA512-224
+ Input = "0123456789ABCDEF123456789ABC"
+@@ -218,6 +220,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ # no padding
+ 
+ # Too small input
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = "0123456789ABCDEF123456789ABC"
+@@ -225,6 +228,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2
+ Result = KEYOP_ERROR
+ 
+ # Digest set before padding
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = digest:sha256
+ Ctrl = rsa_padding_mode:none
+@@ -233,6 +237,7 @@ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e37
+ Result = PKEY_CTRL_ERROR
+ 
+ # Digest set after padding
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Ctrl = digest:sha256
+@@ -240,23 +245,27 @@ Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567
+ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+ Result = PKEY_CTRL_ERROR
+ 
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = rsa_padding_mode:none
+ Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+ 
+Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:none
+ Input = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+ 
+ # Plaintext modified
+Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:none
+ Input = 0223456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ Output = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+ Result = VERIFY_ERROR
+ 
+Availablein = default
+ VerifyRecover = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:none
+ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e3775a85ae8ef75e000ca5498d772e3e797012ac8e462d72e567eb4afae0d1df72ffc84b3117045c58eb13aabb427fd6591577089dfa36d8d07ebd0670e4473683659b53b050c32397752cdee7c08de667f8de0ec01db01d440e433986e57ead2f877356b7d4985daf6c7ba09e46c061fe2372baa90cbd77557ef1143f46e27abf65c276f165a753e1f09e3719d1bfd8b32efe4aed2e97b502aa96ce472d3d91a09fae47b1a5103c448039ada73a57d7a001542bfb0b58c8b4bcb705a108a643434bb7ff997b58ba8b76425d7510aeff3e60f17af82191500517653fa5f3
+@@ -370,6 +379,7 @@ rQPeR+HETwIDAQAB
+ PrivPubKeyPair = RSA-PSS:RSA-PSS-BAD2
+ 
+ # Zero salt length makes output deterministic
+Availablein = default
+ Sign = RSA-2048
+ Ctrl = digest:sha256
+ Ctrl = rsa_padding_mode:pss
+@@ -378,6 +388,7 @@ Input="0123456789ABCDEF0123456789ABCDEF"
+ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A
+ 
+ # Verify of above signature
+Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -395,6 +406,7 @@ Input="0123456789ABCDEF0123"
+ Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B
+ 
+ # Digest too short
+Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -404,6 +416,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+ 
+ # Digest too long
+Availablein = default
+ Verify = RSA-2048-PUBLIC
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:0
+@@ -413,6 +426,7 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD
+ Result = VERIFY_ERROR
+ 
+ # Wrong salt length
+Availablein = default
+ Verify = RSA-2048
+ Ctrl = rsa_padding_mode:pss
+ Ctrl = rsa_pss_saltlen:2
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 9e7c721eab..d32833f42c 100644
+--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
+@@ -72,7 +72,7 @@ my @smime_pkcs7_tests = (
+     [ "signed content DER format, RSA key",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}",  @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+      [ "{cmd2}",  @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -80,7 +80,7 @@ my @smime_pkcs7_tests = (
+     [ "signed detached content DER format, RSA key",
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt",
+         "-content", $smcont ],
+       \&final_compare
+@@ -90,7 +90,7 @@ my @smime_pkcs7_tests = (
+       [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
+         "-stream",
+         "-signer", $smrsa1, "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -117,7 +117,7 @@ my @smime_pkcs7_tests = (
+         "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ],
+       [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER",
+         "-signer", $smrsa1, "-out", "{output}2.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}2.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt",
+         "-content", $smcont ],
+       \&final_compare
+@@ -140,20 +140,20 @@ my @smime_pkcs7_tests = (
+         "-signer", catfile($smdir, "smdsa1.pem"),
+         "-signer", catfile($smdir, "smdsa2.pem"),
+         "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+ 
+     [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS",
+-      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER",
+      [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "DER",
+         "-noattr", "-nodetach", "-stream",
+         "-signer", $smrsa1,
+         "-signer", catfile($smdir, "smrsa2.pem"),
+         "-signer", catfile($smdir, "smdsa1.pem"),
+         "-signer", catfile($smdir, "smdsa2.pem"),
+         "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "DER",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -182,7 +182,7 @@ my @smime_pkcs7_tests = (
+         "-signer", catfile($smdir, "smdsa1.pem"),
+         "-signer", catfile($smdir, "smdsa2.pem"),
+         "-stream", "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -194,7 +194,7 @@ my @smime_pkcs7_tests = (
+         "-signer", catfile($smdir, "smdsa1.pem"),
+         "-signer", catfile($smdir, "smdsa2.pem"),
+         "-stream", "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+@@ -504,11 +504,11 @@ my @smime_cms_param_tests = (
+     ],
+ 
+     [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes",
+-      [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+      [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+         "-noattr", "-signer", $smrsa1,
+         "-keyopt", "rsa_padding_mode:pss",
+         "-out", "{output}.cms" ],
+-      [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+      [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+         "-CAfile", $smroot, "-out", "{output}.txt" ],
+       \&final_compare
+     ],
+-- 
+2.35.3
+
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 30%{?dist}
+Release: 31%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -116,6 +116,9 @@ Patch57: 0057-strcasecmp-fix.patch
 Patch58: 0058-FIPS-limit-rsa-encrypt.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2069235
 Patch60: 0060-FIPS-KAT-signature-tests.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
+Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
+Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -446,6 +449,11 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
+- Disable SHA-1 signature verification in FIPS mode
+- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
+  Resolves: rhbz#2087147
+
 * Mon May 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-30
 - Use KAT for ECDSA signature tests
 - Resolves: rhbz#2069235