2022-09-22 12:09:38 |
bugproxy |
bug |
|
|
added bug |
2022-09-22 12:09:40 |
bugproxy |
tags |
|
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- |
|
2022-09-22 12:09:42 |
bugproxy |
ubuntu: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-09-22 12:09:46 |
bugproxy |
affects |
ubuntu |
linux (Ubuntu) |
|
2022-09-26 14:29:28 |
Frank Heimes |
affects |
linux (Ubuntu) |
s390-tools (Ubuntu) |
|
2022-09-26 14:29:36 |
Frank Heimes |
bug task added |
|
ubuntu-z-systems |
|
2022-09-26 14:29:49 |
Frank Heimes |
bug task added |
|
s390-tools-signed (Ubuntu) |
|
2022-09-26 14:30:07 |
Frank Heimes |
ubuntu-z-systems: importance |
Undecided |
High |
|
2022-09-26 14:30:42 |
Frank Heimes |
ubuntu-z-systems: assignee |
|
Skipper Bug Screeners (skipper-screen-team) |
|
2022-09-27 16:40:16 |
Frank Heimes |
description |
Description: zkey: KMIP plugin fails to connect to KMIP server
Symptom:
When a zkey key repository is bound to the KMIP plugin, and the connection to the KMIP server is to be configured using command 'zkey kms configure --kmip-server <server>', it fails to connect to the specified KMIP server.
Problem:
When trying to establish a TLS connection to the KMIP server, the KMIP client sets up an OpenSSL SSL context with its certificate and its private key (which is a secure key) using OpenSSL function SSL_CTX_use_PrivateKey(). When running with OpenSSL 3.0, this calls the secure key provider's match function to check if the private key specified matches the public key of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the private key into the selector bits for the match call, although the certificate only contains the public key part.
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the OpenSSL provider's keymgmt_match() function to be not so strict with the selector bits in regards to matching different key parts.
This means that if the public key is selected to be matched, and the public key matches (together with any also selected parameters), then the private key is no longer checked, although it may also be selected to be matched. This is according to how the OpenSSL function EVP_PKEY_eq() is supposed to behave.
Solution:
Adapt the secure key provider's match function to behave like the match functions of the providers coming with OpenSSL.
Reproduction: Configure a connection to a KMIP server on a system that comes
with OpenSSL 3.0.
Problem-ID: 198268
Preventive: yes
Upstream-ID: 6c5c5f7e558c114ddaa475e96c9ec708049aa423
Date: 2022-05-17
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-05-17 07:40:03 ==
Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/6c5c5f7e558c114ddaa475e96c9ec708049aa423 |
SRU Justification:
------------------
[ Impact ]
* When a zkey key repository is bound to the KMIP plugin/client,
and the connection to the KMIP server is to be configured
using the command 'zkey kms configure --kmip-server <server>',
it fails to connect to the specified KMIP server.
* When trying to establish a TLS connection to the KMIP server,
the KMIP client sets up an OpenSSL SSL context with its certificate
and its private key (which is a secure key)
using OpenSSL function SSL_CTX_use_PrivateKey().
* In case of running with OpenSSL 3.0,
this calls the secure key provider's match function to check
if the private key specified matches the public key
of the certificate using EVP_PKEY_eq().
* EVP_PKEY_eq() includes the private key into the selector bits
for the match call,
although the certificate only contains the public key part.
* OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
OpenSSL provider's keymgmt_match() function to be not so strict with
the selector bits in regards to matching different key parts.
* This means that if the public key is selected to be matched,
and the public key matches (together with any also selected
parameters), then the private key is no longer checked,
although it may also be selected to be matched.
* This is according to how the OpenSSL function EVP_PKEY_eq()
is supposed to behave.
* The solution is to adapt the secure key provider's match function
to behave like the match functions of the providers coming
with OpenSSL.
[ Fix ]
* 6c5c5f7e 6c5c5f7e558c114ddaa475e96c9ec708049aa423 "libseckey: Adapt keymgmt_match() implementation to OpenSSL"
[ Test Plan ]
* Set up an Ubuntu Server 22.04 for s390x system (due to OpenSSL 3.0).
* Now configure a connection to a KMIP server on a system
that comes with OpenSSL 3.0.
* Test is done indirectly, via libkmipclient,
a shared library that provides
the KMIP client to communicate with a KMIP server.
* Test will be done by IBM.
[ Where problems could occur ]
* In case of wrong logic for the case
'if the public key is selected to be matched,
and the public key matches (together with any also selected
parameters), then the private key is no longer checked'
the private key may accidentally no longer be checked
for further cases.
* The memcpy and the key_sizes might be broken,
which may lead to wrong or incomplete content.
* The default_match_fn function may return a wrong value
in case the pointers to the keys are incorrect.
[ Other Info ]
* The s390-tools version v2.23 in kinetic already includes this fix,
hence it's not affected, nor are versions for Ubuntu releases (in service)
older than jammy affected.
__________
Description: zkey: KMIP plugin fails to connect to KMIP server
Symptom:
When a zkey key repository is bound to the KMIP plugin, and the connection to the KMIP server is to be configured using command 'zkey kms configure --kmip-server <server>', it fails to connect to the specified KMIP server.
Problem:
When trying to establish a TLS connection to the KMIP server, the KMIP client sets up an OpenSSL SSL context with its certificate and its private key (which is a secure key) using OpenSSL function SSL_CTX_use_PrivateKey(). When running with OpenSSL 3.0, this calls the secure key provider's match function to check if the private key specified matches the public key of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the private key into the selector bits for the match call, although the certificate only contains the public key part.
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the OpenSSL provider's keymgmt_match() function to be not so strict with the selector bits in regards to matching different key parts.
This means that if the public key is selected to be matched, and the public key matches (together with any also selected parameters), then the private key is no longer checked, although it may also be selected to be matched. This is according to how the OpenSSL function EVP_PKEY_eq() is supposed to behave.
Solution:
Adapt the secure key provider's match function to behave like the match functions of the providers coming with OpenSSL.
Reproduction: Configure a connection to a KMIP server on a system that comes
with OpenSSL 3.0.
Problem-ID: 198268
Preventive: yes
Upstream-ID: 6c5c5f7e558c114ddaa475e96c9ec708049aa423
Date: 2022-05-17
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Component: s390-tools
== Comment: #1 - Ingo Franzki <ifranzki@de.ibm.com> - 2022-05-17 07:40:03 ==
Upstream commit: https://github.com/ibm-s390-linux/s390-tools/commit/6c5c5f7e558c114ddaa475e96c9ec708049aa423 |
|
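The description above explains the failure in terms of selector bits: EVP_PKEY_eq() asks the provider's match function to compare keypair and parameters, the certificate side has no private key, and a strict match therefore fails, while OpenSSL's own providers consider the keypair settled once the public key has been compared. The following C model is an added example written for this log; it is neither libseckey's nor OpenSSL's code. It assumes the selector bit values from OpenSSL 3.0's `<openssl/core_dispatch.h>` (`OSSL_KEYMGMT_SELECT_*`, redefined locally so it compiles without OpenSSL), uses a constructed `toy_key` structure with hypothetical byte values in place of real provider key data, and takes the selection EVP_PKEY_eq() passes (keypair plus parameters) from the report's own wording. `strict_match` models the behaviour that fails, `relaxed_match` the semantics the fix adopts.

```c
#include <stdio.h>
#include <string.h>

/* Selector bits with the values OpenSSL 3.0 uses for OSSL_KEYMGMT_SELECT_*
 * in <openssl/core_dispatch.h>, redefined here so the model builds alone. */
#define SEL_PRIVATE_KEY       0x01
#define SEL_PUBLIC_KEY        0x02
#define SEL_DOMAIN_PARAMETERS 0x04
#define SEL_OTHER_PARAMETERS  0x08
#define SEL_KEYPAIR           (SEL_PRIVATE_KEY | SEL_PUBLIC_KEY)
#define SEL_ALL_PARAMETERS    (SEL_DOMAIN_PARAMETERS | SEL_OTHER_PARAMETERS)

/* Constructed stand-in for a provider key object. An absent component
 * (a certificate carries no private key) has length 0. */
struct toy_key {
    unsigned char pub[8];  size_t pub_len;
    unsigned char priv[8]; size_t priv_len;
    int params;            /* hypothetical parameter id, e.g. a curve */
};

static int same_blob(const unsigned char *a, size_t alen,
                     const unsigned char *b, size_t blen)
{
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Strict behaviour: every selected component must be present on both sides
 * and equal. With the private key in the selection and a certificate
 * (public part only) on one side, this can never succeed. */
int strict_match(const struct toy_key *k1, const struct toy_key *k2,
                 int selection)
{
    int ok = 1;

    if (selection & SEL_ALL_PARAMETERS)
        ok = ok && k1->params == k2->params;
    if (selection & SEL_PUBLIC_KEY)
        ok = ok && k1->pub_len > 0
                && same_blob(k1->pub, k1->pub_len, k2->pub, k2->pub_len);
    if (selection & SEL_PRIVATE_KEY)
        ok = ok && k1->priv_len > 0
                && same_blob(k1->priv, k1->priv_len, k2->priv, k2->priv_len);
    return ok;
}

/* Relaxed behaviour modelled on OpenSSL's providers after commit ee22a374:
 * if the public key is selected and both sides have one, comparing it
 * settles the keypair part and the private key is not consulted; the
 * private key is compared only when no public comparison was possible, and
 * at least one key component must have been compared. Parameters are still
 * compared whenever they are selected. */
int relaxed_match(const struct toy_key *k1, const struct toy_key *k2,
                  int selection)
{
    int ok = 1;

    if (selection & SEL_ALL_PARAMETERS)
        ok = ok && k1->params == k2->params;
    if (selection & SEL_KEYPAIR) {
        int key_checked = 0;

        if ((selection & SEL_PUBLIC_KEY)
            && k1->pub_len > 0 && k2->pub_len > 0) {
            ok = ok && same_blob(k1->pub, k1->pub_len, k2->pub, k2->pub_len);
            key_checked = 1;
        }
        if (!key_checked && (selection & SEL_PRIVATE_KEY)
            && k1->priv_len > 0 && k2->priv_len > 0) {
            ok = ok && same_blob(k1->priv, k1->priv_len,
                                 k2->priv, k2->priv_len);
            key_checked = 1;
        }
        ok = ok && key_checked;  /* nothing compared means no match */
    }
    return ok;
}

/* The situation from the report: the certificate's key (public part only)
 * against the secure key (public and private parts), with the selection the
 * report says EVP_PKEY_eq() uses. cert_pub_matches chooses whether the
 * constructed public values agree. */
int check_cert_against_secure_key(int (*match)(const struct toy_key *,
                                               const struct toy_key *, int),
                                  int cert_pub_matches)
{
    struct toy_key cert   = { {1, 2, 3, 4}, 4, {0},          0, 7 };
    struct toy_key seckey = { {1, 2, 3, 4}, 4, {9, 9, 9, 9}, 4, 7 };

    if (!cert_pub_matches)
        cert.pub[0] = 5;
    return match(&cert, &seckey, SEL_KEYPAIR | SEL_ALL_PARAMETERS);
}

int main(void)
{
    printf("strict,  same public key:      %d\n",
           check_cert_against_secure_key(strict_match, 1));   /* 0 */
    printf("relaxed, same public key:      %d\n",
           check_cert_against_secure_key(relaxed_match, 1));  /* 1 */
    printf("relaxed, different public key: %d\n",
           check_cert_against_secure_key(relaxed_match, 0));  /* 0 */
    return 0;
}
```

The third call is the check that matters for the "[ Where problems could occur ]" bullet: relaxing the private-key comparison must not turn the match into a no-op, so a certificate whose public key differs from the secure key is still rejected, and a selection under which nothing could be compared still fails because `key_checked` stays 0.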
2022-09-27 16:40:30 |
Frank Heimes |
ubuntu-z-systems: status |
New |
In Progress |
|
2022-09-27 16:40:35 |
Frank Heimes |
s390-tools (Ubuntu): status |
New |
In Progress |
|
2022-09-27 16:40:39 |
Frank Heimes |
s390-tools-signed (Ubuntu): status |
New |
In Progress |
|
2022-10-11 13:22:31 |
Simon Chopin |
nominated for series |
|
Ubuntu Jammy |
|
2022-10-11 13:22:31 |
Simon Chopin |
bug task added |
|
s390-tools (Ubuntu Jammy) |
|
2022-10-11 13:22:31 |
Simon Chopin |
bug task added |
|
s390-tools-signed (Ubuntu Jammy) |
|
2022-10-11 13:22:39 |
Simon Chopin |
s390-tools (Ubuntu Jammy): status |
New |
Triaged |
|
2022-10-11 13:22:42 |
Simon Chopin |
s390-tools-signed (Ubuntu Jammy): status |
New |
Triaged |
|
2022-10-11 13:23:04 |
Simon Chopin |
s390-tools (Ubuntu): status |
In Progress |
Fix Released |
|
2022-10-11 13:23:07 |
Simon Chopin |
s390-tools-signed (Ubuntu): status |
In Progress |
Fix Released |
|
2022-12-02 00:46:11 |
Łukasz Zemczak |
s390-tools (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
2022-12-02 00:46:12 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2022-12-02 00:46:14 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2022-12-02 00:46:16 |
Łukasz Zemczak |
tags |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- verification-needed verification-needed-jammy |
|
2022-12-02 00:49:53 |
Łukasz Zemczak |
s390-tools-signed (Ubuntu Jammy): status |
Triaged |
Fix Committed |
|
2022-12-05 09:40:00 |
bugproxy |
tags |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- verification-needed verification-needed-jammy |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- verification-done verification-done-jammy |
|
2022-12-05 10:50:35 |
Frank Heimes |
ubuntu-z-systems: status |
In Progress |
Fix Committed |
|
2023-01-09 01:39:30 |
bugproxy |
tags |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin--- verification-done verification-done-jammy |
architecture-s39064 bugnameltc-198269 severity-high targetmilestone-inin2204 verification-done verification-done-jammy |
|
2023-01-10 19:46:41 |
Launchpad Janitor |
s390-tools (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-10 19:46:49 |
Launchpad Janitor |
s390-tools-signed (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
2023-01-10 19:47:07 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-01-10 20:21:37 |
Frank Heimes |
ubuntu-z-systems: status |
Fix Committed |
Fix Released |
|