diff --git a/SOURCES/libica-3.6.1-key-length.patch b/SOURCES/libica-3.6.1-key-length.patch
new file mode 100644
index 0000000..295036d
--- /dev/null
+++ b/SOURCES/libica-3.6.1-key-length.patch
@@ -0,0 +1,40 @@
+From db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2 Mon Sep 17 00:00:00 2001
+From: Joerg Schmidbauer <jschmidb@de.ibm.com>
+Date: Wed, 18 Mar 2020 16:48:43 +0100
+Subject: [PATCH] Fix DES and TDES key length.
+
+Although a DES key has only 56 effective bits, all 64 bits must be
+considered, because the parity bits are spread over all 8 bytes of
+the key.
+
+Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
+---
+ src/ica_api.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/ica_api.c b/src/ica_api.c
+index b80c6e3..eb6b154 100644
+--- a/src/ica_api.c
++++ b/src/ica_api.c
+@@ -48,6 +48,8 @@
+ #define DEFAULT2_CRYPT_DEVICE "/dev/z90crypt"
+ #define DEFAULT3_CRYPT_DEVICE "/dev/zcrypt"
+ 
++#define DES_KEY_LEN64		(64/8)
++
+ #define MAX_VERSION_LENGTH 16
+ 
+ int ica_fallbacks_enabled = 1;
+@@ -125,9 +127,9 @@ static unsigned int check_des_parms(unsigned int mode,
+ 
+ #ifdef ICA_FIPS
+ static unsigned int fips_check_3des_key(const ica_des_key_triple_t *key) {
+-	if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LENGTH)
+-	    | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LENGTH)
+-	    | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LENGTH))
++	if (!CRYPTO_memcmp(key->key1, key->key2, DES_KEY_LEN64)
++	    | !CRYPTO_memcmp(key->key1, key->key3, DES_KEY_LEN64)
++	    | !CRYPTO_memcmp(key->key2, key->key3, DES_KEY_LEN64))
+ 		return EINVAL;
+ 
+ 	return 0;
diff --git a/SPECS/libica.spec b/SPECS/libica.spec
index 3834c1b..d8e8f24 100644
--- a/SPECS/libica.spec
+++ b/SPECS/libica.spec
@@ -1,7 +1,7 @@
 Summary: Library for accessing ICA hardware crypto on IBM z Systems
 Name: libica
 Version: 3.6.1
-Release: 2%{?dist}
+Release: 2%{?dist}.1
 License: CPL
 Group: System Environment/Libraries
 URL: https://github.com/opencryptoki/
@@ -12,6 +12,9 @@ Patch1: %{name}-3.3.3-annotate.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1789052
 # https://github.com/opencryptoki/libica/commit/58c1073a585443146332c5a3b5536eb5e6c6493d
 Patch2: %{name}-3.6.1-counter.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1847535
+# https://github.com/opencryptoki/libica/commit/db1ad6f64d96c6dba2be5af5a4ecd7ceb8f92cf2
+Patch3: %{name}-3.6.1-key-length.patch
 BuildRequires: gcc
 BuildRequires: openssl-devel
 BuildRequires: autoconf
@@ -80,6 +83,10 @@ fi
 
 
 %changelog
+* Thu Jun 25 2020 Dan Horák <dhorak@redhat.com> - 3.6.1-2.1
+- fix DES and TDES key length (#1847535)
+- Resolves: #1847535
+
 * Thu Jan 09 2020 Dan Horák <dhorak@redhat.com> - 3.6.1-2
 - fix overflow in icastats counters (#1789052)
 - Resolves: #1789052