[Ubuntu 22.04] zkey: KMIP plugin fails to connection to KMIP server

Bug #1990524 reported by bugproxy
This bug affects 1 person
Affects                       Status         Importance   Assigned to             Milestone
Ubuntu on IBM z Systems       Fix Released   High         Skipper Bug Screeners
s390-tools (Ubuntu)           Fix Released   Undecided    Skipper Bug Screeners
  Jammy                       Fix Released   Undecided    Unassigned
s390-tools-signed (Ubuntu)    Fix Released   Undecided    Unassigned
  Jammy                       Fix Released   Undecided    Unassigned

Bug Description

SRU Justification:
------------------

[ Impact ]

 * When a zkey key repository is bound to the KMIP plugin/client,
   and the connection to the KMIP server is to be configured
   using the command 'zkey kms configure --kmip-server <server>',
   it fails to connect to the specified KMIP server.

 * When trying to establish a TLS connection to the KMIP server,
   the KMIP client sets up an OpenSSL SSL context with its certificate
   and its private key (which is a secure key)
   using OpenSSL function SSL_CTX_use_PrivateKey().

 * In case of running with OpenSSL 3.0,
   this calls the secure key provider's match function to check
   if the private key specified matches the public key
   of the certificate using EVP_PKEY_eq().

 * EVP_PKEY_eq() includes the private key into the selector bits
   for the match call,
   although the certificate only contains the public key part.

 * OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
   OpenSSL provider's keymgmt_match() function to be not so strict with
   the selector bits in regards to matching different key parts.

 * This means, that if the public key is selected to be matched,
   and the public key matches (together with any also selected
   parameters), then the private key is no longer checked,
   although it may also be selected to be matched.

 * This is according to how the OpenSSL function EVP_PKEY_eq()
   is supposed to behave.

 * The solution is to adapt the secure key provider's match function
   to behave like the match functions of the providers coming
   with OpenSSL.

[ Fix ]

 * 6c5c5f7e 6c5c5f7e558c114ddaa475e96c9ec708049aa423 "libseckey: Adapt keymgmt_match() implementation to OpenSSL"

[ Test Plan ]

 * Set up an Ubuntu Server 22.04 for s390x system (due to OpenSSL 3.0).

 * Now configure a connection to a KMIP server on a system
   that comes with OpenSSL 3.0.

 * Test is done indirectly, via libkmipclient,
   a shared library that provides
   the KMIP client to communicate with a KMIP server.

 * Test will be done by IBM.

[ Where problems could occur ]

 * In case of wrong logic for the case
   'if the public key is selected to be matched,
   and the public key matches (together with any also selected
   parameters), then the private key is no longer checked'
   the private key may accidentally no longer be checked
   for further cases.

 * The memcpy and the key_sizes might be broken,
   which may lead to wrong or incomplete content.

 * The default_match_fn function may return a wrong value
   in case the pointers to the keys are incorrect.

[ Other Info ]

 * The s390-tools version v2.23 in kinetic already incl. this fix,
   hence it's not affected, nor are versions for Ubuntu releases
   (in service) older than jammy.

__________

Description: zkey: KMIP plugin fails to connection to KMIP server

Symptom:
When a zkey key repository is bound to the KMIP plugin, and the connection to the KMIP server is to be configured using command 'zkey kms configure --kmip-server <server>', it fails to connect to the specified KMIP server.

Problem:
When trying to establish a TLS connection to the KMIP server, the KMIP client sets up an OpenSSL SSL context with its certificate and its private key (which is a secure key) using OpenSSL function SSL_CTX_use_PrivateKey(). When running with OpenSSL 3.0, this calls the secure key provider's match function to check if the private key specified matches the public key of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the private key into the selector bits for the match call, although the certificate only contains the public key part.
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the OpenSSL provider's keymgmt_match() function to be not so strict with the selector bits in regards to matching different key parts.
This means, that if the public key is selected to be matched, and the public key matches (together with any also selected parameters), then the private key is no longer checked, although it may also be selected to be matched. This is according to how the OpenSSL function EVP_PKEY_eq() is supposed to behave.

Solution:
Adapt the secure key provider's match function to behave like the match functions of the providers coming with OpenSSL.

Reproduction: Configure a connection to a KMIP server on a system that comes
               with OpenSSL 3.0.

Problem-ID: 198268
Preventive: yes

Upstream-ID: 6c5c5f7e558c114ddaa475e96c9ec708049aa423

Date: 2022-05-17
Author: Ingo Franzki <email address hidden>
Component: s390-tools

== Comment: #1 - Ingo Franzki <email address hidden> - 2022-05-17 07:40:03 ==
Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/6c5c5f7e558c114ddaa475e96c9ec708049aa423
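
A simplified model of the selector behaviour described in the Problem and Solution paragraphs above, as an added example (not code from s390-tools or OpenSSL): `strict_match` requires every selected key part to be present and equal, so a key pair never matches a public-only certificate key, while `relaxed_match` no longer checks the private part once the public part has been compared. The `part` and `toy_key` structs, the `SEL_*` constants, the sample keys and both function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: selector bits naming the key parts a match call covers. */
enum { SEL_PRIVATE = 1, SEL_PUBLIC = 2, SEL_KEYPAIR = 3 };

/* A key part; len == 0 means absent (a certificate has no private part). */
struct part { unsigned char b[8]; size_t len; };
struct toy_key { struct part pub, priv; };

static int part_eq(const struct part *a, const struct part *b)
{
    return a->len > 0 && a->len == b->len && memcmp(a->b, b->b, a->len) == 0;
}

/* Strict: every selected part must be present in both keys and equal. */
int strict_match(const struct toy_key *k1, const struct toy_key *k2, int sel)
{
    return (!(sel & SEL_PUBLIC) || part_eq(&k1->pub, &k2->pub)) &&
           (!(sel & SEL_PRIVATE) || part_eq(&k1->priv, &k2->priv));
}

/* Relaxed: public part first; private part only if no public compare ran. */
int relaxed_match(const struct toy_key *k1, const struct toy_key *k2, int sel)
{
    int ok = 1, checked = 0;

    if ((sel & SEL_PUBLIC) && k1->pub.len && k2->pub.len) {
        ok = part_eq(&k1->pub, &k2->pub);
        checked = 1;
    }
    if (!checked && (sel & SEL_PRIVATE) && k1->priv.len && k2->priv.len) {
        ok = part_eq(&k1->priv, &k2->priv);
        checked = 1;
    }
    return (sel & SEL_KEYPAIR) ? (ok && checked) : 1;
}

/* Constructed sample keys: a key pair and two public-only certificate keys. */
static const struct toy_key secure_key = { {{1, 2, 3, 4}, 4}, {{9, 9, 9, 9}, 4} };
static const struct toy_key cert_key   = { {{1, 2, 3, 4}, 4}, {{0}, 0} };
static const struct toy_key other_cert = { {{5, 6, 7, 8}, 4}, {{0}, 0} };

int main(void)
{
    printf("strict=%d relaxed=%d\n", strict_match(&secure_key, &cert_key, SEL_KEYPAIR),
           relaxed_match(&secure_key, &cert_key, SEL_KEYPAIR));
    return 0;
}
```

The relaxed variant still rejects a certificate whose public part differs, and it reports no match when neither selected part could be compared at all.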

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → linux (Ubuntu)
Frank Heimes (fheimes)
affects: linux (Ubuntu) → s390-tools (Ubuntu)
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Frank Heimes (fheimes) wrote :

A set of test packages is now available via the PPA below that are supposed to fix LP#1990524 as well as LP#1990520:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1990520+lp1990524

Frank Heimes (fheimes) wrote :

This bug will be fixed as part of LP#1990520.
So please see https://bugs.launchpad.net/bugs/1990520 (comment #2)
for the debdiffs.

Frank Heimes (fheimes)
description: updated
Changed in ubuntu-z-systems:
status: New → In Progress
Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in s390-tools-signed (Ubuntu):
status: New → In Progress
Simon Chopin (schopin)
Changed in s390-tools (Ubuntu Jammy):
status: New → Triaged
Changed in s390-tools-signed (Ubuntu Jammy):
status: New → Triaged
Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Changed in s390-tools-signed (Ubuntu):
status: In Progress → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in s390-tools (Ubuntu Jammy):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-jammy
Changed in s390-tools-signed (Ubuntu Jammy):
status: Triaged → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello bugproxy, or anyone else affected,

Accepted s390-tools-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools-signed/2.20.0-0ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-12-05 04:31 EDT-------
I have successfully tested this with the updated packages from https://launchpad.net/ubuntu/+source/s390-tools/2.20.0-0ubuntu3.2

With this update connecting to a KMIP server works.

tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Frank Heimes (fheimes) wrote :

Many thx for the verification, Ingo!

Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
bugproxy (bugproxy)
tags: added: targetmilestone-inin2204
removed: targetmilestone-inin---
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 2.20.0-0ubuntu3.2

---------------
s390-tools (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Fix zipl segfaults when "parameters=" is missing (LP: #1974109) with:
    d/p/6ff8202f-zipl-Add-missing-check-for-a-nullpointer.patch
  * Add KVM Secure Execution Attestation Userspace Tool to enhance secure
    execution (hardware feature: FC 115) exploitation (LP: #1959987) with:
    d/p/38639269-libpv-New-library-for-PV-tools.patch
    d/p/3ab06d77-pvattest-Create-perform-and-verify-attestation-measu.patch
    d/p/26148740-pvattest-tools-Add-tool-for-attestation.patch
  * Fix re-enciphering of EP11 identity key of KMIP plugin (LP: #1990520) with:
    d/p/4e2ebe03-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  * Fix KMIP plugin fails to connection to KMIP server (LP: #1990524) with:
    d/p/6c5c5f7e-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  * d/p/5768d55-zipl-boot-add-secure-boot-trailer.patch
    Add secure boot trailer in zipl stage 3 to keep compatibility with
    upcoming IBM zSystems firmware updates. (LP: #1996069)
  * Add d/p/92b8409-dbginfo.sh-ensure-type-commands-compatible-with-dash.patch
    and d/p/9f93af6-dbginfo.sh-ensure-compatibility-with-bin-dash.patch
    to achieve dbginfo.sh compatibility with /bin/dash shell. (LP: #1996477)

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:14:00 +0200

Changed in s390-tools (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools-signed - 2.20.0-0ubuntu3.2

---------------
s390-tools-signed (2.20.0-0ubuntu3.2) jammy; urgency=medium

  * Rebuild against 2.20.0-0ubuntu3.2:
    LP: #1974109, LP: #1959987, LP: #1990520,
    LP: #1990524, LP: #1996069, LP: #1996477

 -- Frank Heimes <email address hidden> Wed, 16 Nov 2022 18:27:10 +0200

Changed in s390-tools-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2023-01-15 11:06 EDT-------
Fix has been released to jammy -updates, therefore we can close this bug.
Thanks everyone for your work!

==> Changing the status to: CLOSED
