Prevent use of SHA1 with ECDSA

providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.

Resolves: rhbz#2031742

0049-Selectively-disallow-SHA1-signatures.patch

@@ -260,7 +260,7 @@ index fd7f7e3331..05464b0655 100644
 +                                                  int loadconfig);
  #endif
 diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
-index 699ada7c52..f3af62325d 100644
+index 699ada7c52..e534ad0a5f 100644
 --- a/providers/common/securitycheck.c
 +++ b/providers/common/securitycheck.c
 @@ -19,6 +19,7 @@
@@ -281,7 +281,7 @@ index 699ada7c52..f3af62325d 100644
 +        /* SHA1 is globally disabled, check whether we want to locally allow
 +         * it. */
 +        if (mdnid == NID_sha1 && !sha1_allowed)
-+            mdnid = NID_undef;
++            mdnid = -1;
 +#endif
 +
      return mdnid;

openssl.spec

@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 13%{?dist}
+Release: 14%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -412,6 +412,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14
+- Prevent use of SHA1 with ECDSA
+- Resolves: rhbz#2031742
+
 * Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
 - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
 - Resolves: rhbz#1977867