libseckey: Adapt keymgmt_match() implementation to OpenSSL

OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
OpenSSL provider's keymgmt_match() function to be not so strict with
the selector bits in regards to matching different key parts.

Adapt the secure key provider's match function accordingly.
This means, that if the public key is selected to be matched, and
the public key matches (together with any also selected parameters),
then the private key is no longer checked, although it may also be
selected to be matched. This is according to how the OpenSSL function
EVP_PKEY_eq() is supposed to behave.

OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
function to check if the private key specified matches the public key
of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
private key into the selector bits here, although the certificate
only contains the public key part.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>

libseckey/sk_provider.c

@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1,
 
 	if (key1->type != key2->type)
 		return 0;
+
+	if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
+		/* match everything except private key */
+		return default_match_fn(key1->default_key, key2->default_key,
+					selection &
+					    (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
+	}
+
 	if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
 		if (key1->secure_key_size != key2->secure_key_size)
 			return 0;
-		if (key1->secure_key_size > 0 &&
-		    memcmp(key1->secure_key, key2->secure_key,
-			    key1->secure_key_size) != 0)
-			return 0;
+		if (key1->secure_key_size > 0) {
+			if (memcmp(key1->secure_key, key2->secure_key,
+				   key1->secure_key_size) != 0)
+				return 0;
+			selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
+		}
 	}
 
 	return default_match_fn(key1->default_key, key2->default_key,