[Ubuntu 22.04] zkey: KMIP plugin fails to connect to KMIP server
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu on IBM z Systems | Fix Released | High | Skipper Bug Screeners | |
| s390-tools (Ubuntu) | Fix Released | Undecided | Skipper Bug Screeners | |
| Jammy | Fix Released | Undecided | Unassigned | |
| s390-tools-signed (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
SRU Justification:
------------------
[ Impact ]
* When a zkey key repository is bound to the KMIP plugin/client,
and the connection to the KMIP server is to be configured
using the command 'zkey kms configure --kmip-server <server>',
it fails to connect to the specified KMIP server.
* When trying to establish a TLS connection to the KMIP server,
the KMIP client sets up an OpenSSL SSL context with its certificate
and its private key (which is a secure key)
using OpenSSL function SSL_CTX_
* In case of running with OpenSSL 3.0,
this calls the secure key provider's match function to check
if the private key specified matches the public key
of the certificate using EVP_PKEY_eq().
* EVP_PKEY_eq() includes the private key into the selector bits
for the match call,
although the certificate only contains the public key part.
* OpenSSL commit ee22a3741e3fc27
OpenSSL provider's keymgmt_match() function to be not so strict with
the selector bits in regards to matching different key parts.
* This means that if the public key is selected to be matched,
and the public key matches (together with any also selected
parameters), then the private key is no longer checked,
although it may also be selected to be matched.
* This is in line with how the OpenSSL function EVP_PKEY_eq()
is supposed to behave.
* The solution is to adapt the secure key provider's match function
to behave like the match functions of the providers coming
with OpenSSL.
[ Fix ]
* 6c5c5f7e558c114
[ Test Plan ]
* Set up an Ubuntu Server 22.04 for s390x system (due to OpenSSL 3.0).
* Now configure a connection to a KMIP server on a system
that comes with OpenSSL 3.0.
* Test is done indirectly, via libkmipclient,
a shared library that provides
the KMIP client to communicate with an KMIP server.
* Test will be done by IBM.
[ Where problems could occur ]
* In case of wrong logic for the case
'if the public key is selected to be matched,
and the public key matches (together with any also selected
parameters), then the private key is no longer checked'
the private key may accidentally no longer be checked
for further cases.
* The memcpy and the key_sizes might be broken,
which may lead to wrong or incomplete content.
* The default_match_fn function may return a wrong value
in case the pointers to the keys are incorrect.
[ Other Info ]
* The s390-tools version v2.23 in kinetic already includes this fix,
hence kinetic is not affected; nor are the versions for (in-service)
Ubuntu releases older than jammy affected.
__________
Description: zkey: KMIP plugin fails to connect to KMIP server
Symptom:
When a zkey key repository is bound to the KMIP plugin, and the connection to the KMIP server is to be configured using command 'zkey kms configure --kmip-server <server>', it fails to connect to the specified KMIP server.
Problem:
When trying to establish a TLS connection to the KMIP server, the KMIP client sets up an OpenSSL SSL context with its certificate and its private key (which is a secure key) using OpenSSL function SSL_CTX_
OpenSSL commit ee22a3741e3fc27
This means that if the public key is selected to be matched, and the public key matches (together with any also selected parameters), then the private key is no longer checked, although it may also be selected to be matched. This is in line with how the OpenSSL function EVP_PKEY_eq() is supposed to behave.
Solution:
Adapt the secure key provider's match function to behave like the match functions of the providers coming with OpenSSL.
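As an added illustration (not code from s390-tools, the secure key provider or OpenSSL), the following stand-alone C model shows the selector-bit semantics described in the Impact and Solution sections above: match_strict() is the pre-fix behaviour, which fails for a certificate's key object against the client's key pair under the selection EVP_PKEY_eq() uses, and match_relaxed() is the behaviour of the providers shipped with OpenSSL that the fix adopts. The OSSL_KEYMGMT_SELECT_* values mirror OpenSSL's core_dispatch.h; struct model_key, make_key() and the byte patterns are constructed stand-ins, not the real secure-key format or the provider's key object.

```c
/* Added example, not s390-tools or OpenSSL code: a stand-alone C model of the
 * OpenSSL 3.0 provider keymgmt match() selector semantics this bug describes.
 * OSSL_KEYMGMT_SELECT_* values mirror OpenSSL's core_dispatch.h; model_key and
 * make_key() are constructed stand-ins for a provider key object. */
#include <stdio.h>
#include <string.h>

#define OSSL_KEYMGMT_SELECT_PRIVATE_KEY       0x01
#define OSSL_KEYMGMT_SELECT_PUBLIC_KEY        0x02
#define OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS 0x04
#define OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS  0x80
#define OSSL_KEYMGMT_SELECT_ALL_PARAMETERS (OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS | OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS)
#define OSSL_KEYMGMT_SELECT_KEYPAIR (OSSL_KEYMGMT_SELECT_PRIVATE_KEY | OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
/* What EVP_PKEY_eq() asks the provider to compare: parameters and both key parts. */
#define EVP_PKEY_EQ_SELECTION (OSSL_KEYMGMT_SELECT_ALL_PARAMETERS | OSSL_KEYMGMT_SELECT_KEYPAIR)

/* Constructed key object: a part with length 0 is absent, as the private part
 * is in the key object taken from a certificate. */
struct model_key {
    int params;                              /* domain parameter id, e.g. a curve */
    unsigned char pub[32];  size_t pub_len;
    unsigned char priv[64]; size_t priv_len; /* stands in for the secure-key blob */
};

/* Constant-time equality of two buffers; returns 1 if equal. */
static int ct_equal(const unsigned char *a, size_t alen, const unsigned char *b, size_t blen)
{
    unsigned char diff = 0;
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Before the fix: every selected part must be present on both sides and equal,
 * so a certificate's key (public only) never matches the client's key pair
 * under EVP_PKEY_eq()'s selection, which includes the private key. */
int match_strict(const struct model_key *a, const struct model_key *b, int selection)
{
    int ok = 1;
    if (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
        ok = ok && a->params == b->params;
    if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
        ok = ok && a->pub_len && b->pub_len && ct_equal(a->pub, a->pub_len, b->pub, b->pub_len);
    if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
        ok = ok && a->priv_len && b->priv_len && ct_equal(a->priv, a->priv_len, b->priv, b->priv_len);
    return ok;
}

/* After the fix, as the providers shipped with OpenSSL behave: if the public key
 * is selected and present on both sides, its comparison decides and the private
 * key is not looked at even if also selected; the private key is compared only
 * when no public comparison was possible, and at least one part must be compared. */
int match_relaxed(const struct model_key *a, const struct model_key *b, int selection)
{
    int ok = 1;
    if (selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS)
        ok = ok && a->params == b->params;
    if (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) {
        int key_checked = 0;
        if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) && a->pub_len && b->pub_len) {
            ok = ok && ct_equal(a->pub, a->pub_len, b->pub, b->pub_len);
            key_checked = 1;
        }
        if (!key_checked && (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) && a->priv_len && b->priv_len) {
            ok = ok && ct_equal(a->priv, a->priv_len, b->priv, b->priv_len);
            key_checked = 1;
        }
        ok = ok && key_checked;
    }
    return ok;
}

/* Constructed sample key (not real key material); a seed of 0 leaves that part absent. */
struct model_key make_key(int params, unsigned char pub_seed, unsigned char priv_seed)
{
    struct model_key k;
    memset(&k, 0, sizeof(k));
    k.params = params;
    if (pub_seed)
        for (k.pub_len = 0; k.pub_len < sizeof(k.pub); k.pub_len++)
            k.pub[k.pub_len] = (unsigned char)(pub_seed + k.pub_len);
    if (priv_seed)
        for (k.priv_len = 0; k.priv_len < sizeof(k.priv); k.priv_len++)
            k.priv[k.priv_len] = (unsigned char)(priv_seed + k.priv_len);
    return k;
}

int main(void)
{
    struct model_key pair = make_key(1, 0x20, 0x40); /* client key pair */
    struct model_key cert = make_key(1, 0x20, 0);    /* key object from the client certificate */
    printf("strict  cert vs key pair: %d (the bug)\n", match_strict(&cert, &pair, EVP_PKEY_EQ_SELECTION));
    printf("relaxed cert vs key pair: %d (the fix)\n", match_relaxed(&cert, &pair, EVP_PKEY_EQ_SELECTION));
    return 0;
}
```

The model also makes the caveat from the "Where problems could occur" item visible: under the relaxed rule, two key objects with the same public part but differing private parts still match when the public key is selected and present on both sides, which is the intended EVP_PKEY_eq() semantics; only a selection of OSSL_KEYMGMT_SELECT_PRIVATE_KEY without the public key makes the private part decide. A provider porting this logic therefore needs a test for each selection combination, not just the certificate-versus-key-pair case that triggered the bug.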
Reproduction: Configure a connection to a KMIP server on a system that comes with OpenSSL 3.0.
Problem-ID: 198268
Preventive: yes
Upstream-ID: 6c5c5f7e558c114
Date: 2022-05-17
Author: Ingo Franzki <email address hidden>
Component: s390-tools
== Comment: #1 - Ingo Franzki <email address hidden> - 2022-05-17 07:40:03 ==
Upstream commit: https:/
tags: added: architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
description: updated
Changed in ubuntu-z-systems:
status: New → In Progress
Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in s390-tools-signed (Ubuntu):
status: New → In Progress
Changed in s390-tools (Ubuntu Jammy):
status: New → Triaged
Changed in s390-tools-signed (Ubuntu Jammy):
status: New → Triaged
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Released
tags: added: targetmilestone-inin2204 removed: targetmilestone-inin---
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
A set of test packages is now available via the PPA below that are supposed to fix LP#1990524 as well as LP#1990520: https://launchpad.net/~fheimes/+archive/ubuntu/lp1990520+lp1990524