File s390-tools-sles15sp4-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch of Package s390-tools.28248
Subject: [PATCH] [BZ 198268] libseckey: Adapt keymgmt_match() implementation to OpenSSL
From: Ingo Franzki <ifranzki@linux.ibm.com>
Description:   zkey: KMIP plugin fails to connection to KMIP server
Symptom:       When a zkey key repository is bound to the KMIP plugin, and the
               connection to the KMIP server is to be configired using command 
               'zkey kms configure --kmip-server <server>', it fails to connect
               to the specified KMIP server. 
Problem:       When trying to establish a TSL connection to the KMIP server, 
               the KMIP client sets up an OpenSSL SSL context with its 
               certificate and its private key (which is a secure key) using 
               OpenSSL function SSL_CTX_use_PrivateKey(). When running with 
               OpenSSL 3.0, This calls the secure key provider's match
               function to check if the private key specified matches the
               public key of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq()
               includes the private key into the selector bits for the match
               call, although the certificate only contains the public key 
               part.
               OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed
               the OpenSSL provider's keymgmt_match() function to be not so
               strict with the selector bits in regards to matching different
               key parts.
               This means, that if the public key is selected to be matched,
               and the public key matches (together with any also selected
               parameters), then the private key is no longer checked, although
               it may also be selected to be matched. This is according to how 
               the OpenSSL function EVP_PKEY_eq() is supposed to behave.
Solution:      Adapt the secure key provider's match function to behave like
               the match functions of the providers coming with OpenSSL.
Reproduction:  Configure a connection to a KMIP server on a system that comes
               with OpenSSL 3.0.
Upstream-ID:   6c5c5f7e558c114ddaa475e96c9ec708049aa423
Problem-ID:    198268
Upstream-Description:
              libseckey: Adapt keymgmt_match() implementation to OpenSSL
              OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
              OpenSSL provider's keymgmt_match() function to be not so strict with
              the selector bits in regards to matching different key parts.
              Adapt the secure key provider's match function accordingly.
              This means, that if the public key is selected to be matched, and
              the public key matches (together with any also selected parameters),
              then the private key is no longer checked, although it may also be
              selected to be matched. This is according to how the OpenSSL function
              EVP_PKEY_eq() is supposed to behave.
              OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
              function to check if the private key specified matches the public key
              of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
              private key into the selector bits here, although the certificate
              only contains the public key part.
              Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
 libseckey/sk_provider.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
--- a/libseckey/sk_provider.c
+++ b/libseckey/sk_provider.c
@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const s
 
 	if (key1->type != key2->type)
 		return 0;
+
+	if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
+		/* match everything except private key */
+		return default_match_fn(key1->default_key, key2->default_key,
+					selection &
+					    (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
+	}
+
 	if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
 		if (key1->secure_key_size != key2->secure_key_size)
 			return 0;
-		if (key1->secure_key_size > 0 &&
-		    memcmp(key1->secure_key, key2->secure_key,
-			    key1->secure_key_size) != 0)
-			return 0;
+		if (key1->secure_key_size > 0) {
+			if (memcmp(key1->secure_key, key2->secure_key,
+				   key1->secure_key_size) != 0)
+				return 0;
+			selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
+		}
 	}
 
 	return default_match_fn(key1->default_key, key2->default_key,