Bug 2087147

Summary: openssl in FIPS mode verifies SHA-1 signatures, but should not
Product: Red Hat Enterprise Linux 9 Reporter: Clemens Lang <cllang>
Component: opensslAssignee: Clemens Lang <cllang>
Status: CLOSED CURRENTRELEASE QA Contact: Alicja Kario <hkario>
Severity: medium Docs Contact:
Priority: high    
Version: 9.1CC: dbelyavs, hkario, jpazdziora, ssorce
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-3.0.1-35.el9_0 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 2087234 (view as bug list) Environment:
Last Closed: 2023-06-05 15:54:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2087234    

Description Clemens Lang 2022-05-17 12:58:53 UTC 
Description of problem:
OpenSSL allows SHA-1 signature verification in FIPS mode.

$> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1

should fail saying the SHA-1 is unsupported, but does not.

Version-Release number of selected component (if applicable):
3.0.1-20.el9_0

How reproducible:


Steps to Reproduce:
1. On a non-FIPS machine:
1.1. openssl genrsa -out key.pem 2048
1.2. openssl dgst -sha1 -binary -out sha1 infile
1.3. openssl pkeyutil -inkey key.pem -sign -in sha1 -out sig -pkeyopt digest:sha1
1.4. Copy infile, sha1, key.pem, and sig to a FIPS machine
2. On a FIPS machine:
2.1. openssl pkeyutil -inkey key.pem -verify -sigfile sig -in sha1 -pkeyopt digest:sha1

Actual results:
Verification passes

Expected results:
Verification fails

Additional info:
NIST SP 800-131Ar2 table 8 allows SHA-1 verification for legacy use, but since we do not support this in the default configuration of RHEL-9, we also do not want to allow it in FIPS mode.
Comment 4 Dmitry Belyavskiy 2022-05-18 13:18:26 UTC 
*** Bug 2042448 has been marked as a duplicate of this bug. ***
Comment 10 Clemens Lang 2023-06-05 15:54:31 UTC 
RHEL 9.1 contains openssl-3.0.1-43.el9_0.