diff --git a/s390utils-2.29.0-rhel.patch b/s390utils-2.29.0-rhel.patch index 39e3751..bfc789e 100644 --- a/s390utils-2.29.0-rhel.patch +++ b/s390utils-2.29.0-rhel.patch @@ -1,7 +1,7 @@ From a32824922cb273703bacd44e6a29cbc33ae48cf5 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Fri, 21 Jul 2023 14:06:18 +0200 -Subject: [PATCH 01/19] zkey: Support EP11 AES keys with prepended header to +Subject: [PATCH 01/20] zkey: Support EP11 AES keys with prepended header to retain EP11 session (RHEL-11440) The pkey kernel module supports two key blob formats for EP11 AES keys. @@ -730,13 +730,13 @@ index 3000290..843e554 100644 "secure AES key"); } -- -2.50.1 +2.51.0 From df0819ca69dbef1f99321f51cd9c4d33c6374992 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Mon, 7 Aug 2023 16:56:54 +0200 -Subject: [PATCH 02/19] rust/Makefile: Fix use of Cargoflags for 'make clean' +Subject: [PATCH 02/20] rust/Makefile: Fix use of Cargoflags for 'make clean' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -763,13 +763,13 @@ index cf2fda7..420bafd 100644 rust-test: .check-cargo .no-cross-compile -- -2.50.1 +2.51.0 From b6ce8c7fc10c225c0b1d59af32edd323f5817ab7 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Mon, 7 Aug 2023 16:56:55 +0200 -Subject: [PATCH 03/19] rust/README.md: Fix some typos +Subject: [PATCH 03/20] rust/README.md: Fix some typos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -833,13 +833,13 @@ index 2622bba..61b0af8 100644 } ``` -- -2.50.1 +2.51.0 From 883d28afea6ea18b1001ebf9e3d921d86be9c593 Mon Sep 17 00:00:00 2001 From: Marc Hartmayer Date: Mon, 4 Sep 2023 14:18:50 +0200 -Subject: [PATCH 04/19] rust/**/*.rs: fix `cargo clippy` findings +Subject: [PATCH 04/20] rust/**/*.rs: fix `cargo clippy` findings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
@@ -1205,13 +1205,13 @@ index 2b3e861..bf491c6 100644 let exp = get_test_asset!("exp/asrcb/null_none_default_cuid_seven"); -- -2.50.1 +2.51.0 From 4c8072cebe9add441c42e62663d4089d14d32389 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 25 Oct 2023 15:26:14 +0200 -Subject: [PATCH 05/19] rust/pv: fix Invalid write of size 1 +Subject: [PATCH 05/20] rust/pv: fix Invalid write of size 1 Fix a valgrind finding. Fix an invalid read/write of one byte after the actual struct to clear. Not fixing this may result in a illegal write or @@ -1240,13 +1240,13 @@ index cdef9ef..88287c8 100644 } std::sync::atomic::compiler_fence(std::sync::atomic::Ordering::SeqCst); -- -2.50.1 +2.51.0 From 49eabe2d13ea3909f4c522fefaf8db998c7ab888 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 4 Oct 2023 10:59:34 +0200 -Subject: [PATCH 06/19] rust: Create workspace +Subject: [PATCH 06/20] rust: Create workspace A workspaces simplifies the build and packaging process significantly. All build artifacts and binaries are now built in a single location @@ -1492,13 +1492,13 @@ index 30bbbc8..215381b 100644 +edition.workspace = true +license.workspace = true -- -2.50.1 +2.51.0 From be47ce72f4ee7dc7ed2dafb9b89079b0c2b154fa Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 4 Oct 2023 11:08:20 +0200 -Subject: [PATCH 07/19] rust: Update dependency files +Subject: [PATCH 07/20] rust: Update dependency files With the last patch introducing the rust workspace the location of Cargo.lock has changed. Therefore, remove all crate level lock-files and @@ -1912,13 +1912,13 @@ index 1db32c2..f7d1cf0 100644 name = "winapi" version = "0.3.9" -- -2.50.1 +2.51.0 From c25115c0d605c9c79efd8e17d4917a35603c0766 Mon Sep 17 00:00:00 2001 
From: Steffen Eiden Date: Tue, 21 Nov 2023 13:27:21 +0100 -Subject: [PATCH 08/19] rust: Sanitize minimal dependencies +Subject: [PATCH 08/20] rust: Sanitize minimal dependencies The crate dependencies were a bit to slack. Due to the rust dependency resolver's strategy of always selecting the latest version this never @@ -2009,13 +2009,13 @@ index d1e75b1..e236c00 100644 pv = { path = "../pv", features = ["uvsecret", "request"] } -- -2.50.1 +2.51.0 From b6009c80b112ad85ca2aa649126b913af5af253c Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 29 Nov 2023 17:06:50 +0100 -Subject: [PATCH 09/19] rust: Use default panic behaviour +Subject: [PATCH 09/20] rust: Use default panic behaviour Reviewed-by: Marc Hartmayer Signed-off-by: Steffen Eiden @@ -2034,13 +2034,13 @@ index 65a70a9..7ba1faa 100644 lto = true -panic = "abort" -- -2.50.1 +2.51.0 From c4e48d060b7d92d7c6cd150728ecb55b301afa62 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Thu, 30 Nov 2023 16:02:16 +0100 -Subject: [PATCH 10/19] rust/pv: Update mockito to version 1 +Subject: [PATCH 10/20] rust/pv: Update mockito to version 1 Signed-off-by: Steffen Eiden (cherry picked from commit 21662d38e68b58bad033cdb1fca99987dd07cf78) @@ -2732,13 +2732,13 @@ index 1c0d2b5..5ca2e71 100644 .with_body_from_file(res_path) .create() -- -2.50.1 +2.51.0 From 66783f1901dcaca6f567ad13b05acc7dbe412ff0 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 20 Dec 2023 13:31:18 +0100 -Subject: [PATCH 11/19] rust/Makefile: Fix CC/AR variables for TEST_TARGETS +Subject: [PATCH 11/20] rust/Makefile: Fix CC/AR variables for TEST_TARGETS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -2766,13 +2766,13 @@ index e4e9885..fa3cf04 100644 $(PV_TARGETS): .check-dep-pvtools $(PV_TARGETS) $(CARGO_TARGETS): .check-cargo .no-cross-compile -- -2.50.1 +2.51.0 From d54a8aa4d7b77338fd5511d895eadbb074b6024a Mon Sep 17 00:00:00 2001 
From: Steffen Eiden Date: Fri, 15 Dec 2023 11:30:14 +0100 -Subject: [PATCH 12/19] rust/pv: Provide access for SecretList members +Subject: [PATCH 12/20] rust/pv: Provide access for SecretList members MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3044,13 +3044,13 @@ index 6943bd3..72a05b2 100644 fn dump_secret_entry() { const EXP: &[u8] = &[ -- -2.50.1 +2.51.0 From e75bbd754e5912d34c0aedfe35ccedd54ca850be Mon Sep 17 00:00:00 2001 From: Harald Freudenberger Date: Fri, 1 Dec 2023 12:10:20 +0100 -Subject: [PATCH 13/19] rust/pvapconfig: Introduce new tool pvapconfig +Subject: [PATCH 13/20] rust/pvapconfig: Introduce new tool pvapconfig MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -5715,13 +5715,13 @@ index 0000000..2f98bd5 + } +} -- -2.50.1 +2.51.0 From 6b69de3c519971a88c5953075586b322e1efdc3e Mon Sep 17 00:00:00 2001 From: Joern Siglen Date: Wed, 25 Oct 2023 15:01:11 +0200 -Subject: [PATCH 14/19] dbginfo.sh: enhance ethtool collection for ROCE +Subject: [PATCH 14/20] dbginfo.sh: enhance ethtool collection for ROCE (RHEL-24110) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -5752,13 +5752,13 @@ index 9226a8b..f70cf6e 100755 else pr_skip "ethtool: no devices" -- -2.50.1 +2.51.0 From 90943f11e0feef6bc6cde3bf0b80ad0a21c55d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Wed, 10 Apr 2024 11:27:58 +0200 -Subject: [PATCH 15/19] rust/pv: Support `Armonk` in IBM signing key subject +Subject: [PATCH 15/20] rust/pv: Support `Armonk` in IBM signing key subject (RHEL-30398) New IBM signing keys will have Armonk as locality in the subject. @@ -6064,13 +6064,13 @@ index 5ca2e71..e4c60c5 100644 verifier.verify(&hkd_exp), Err(Error::HkdVerify(AfterValidity)) -- -2.50.1 +2.51.0 From e1423607a66ee37f8ae581fbf5fa013f5ab80ae8 Mon Sep 17 00:00:00 2001 
From: Marc Hartmayer Date: Thu, 14 Mar 2024 16:05:09 +0000 -Subject: [PATCH 16/19] genprotimg: support `Armonk` in IBM signing key subject +Subject: [PATCH 16/20] genprotimg: support `Armonk` in IBM signing key subject (RHEL-30398) New IBM signing certificates will have 'Armonk' as locality in the @@ -6396,13 +6396,13 @@ index fdf66de..e45e57d 100644 WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all) WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free) -- -2.50.1 +2.51.0 From 1605e9c0033e245f8a6690e2ce95a27e383722df Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Tue, 12 Mar 2024 10:14:43 +0100 -Subject: [PATCH 17/19] libpv: Support `Armonk` in IBM signing key subject +Subject: [PATCH 17/20] libpv: Support `Armonk` in IBM signing key subject (RHEL-30398) New IBM signing keys will have Armonk as locality in the subject. @@ -6645,13 +6645,13 @@ index c8bb8cc..f4774fc 100644 for (int i = 0; i < sk_X509_CRL_num(ret); i++) { X509_CRL *crl = sk_X509_CRL_value(ret, i); -- -2.50.1 +2.51.0 From 3bd5cce64692d4b630b313cf465a55595971bed4 Mon Sep 17 00:00:00 2001 From: Steffen Eiden Date: Wed, 20 Mar 2024 15:36:52 +0100 -Subject: [PATCH 18/19] pvattest: Fix root-ca parsing (RHEL-30398) +Subject: [PATCH 18/20] pvattest: Fix root-ca parsing (RHEL-30398) The parser setup falsely set the argument type as filename array, but code expected a single filename. Fixed by setting up the parser @@ -6691,13 +6691,13 @@ index fe5662f..5924ddc 100644 /* NOTE REQUIRED */ -- -2.50.1 +2.51.0 From a1b83b44def87915acaf0d9668bdf96824d0e781 Mon Sep 17 00:00:00 2001 From: Ingo Franzki Date: Thu, 3 Apr 2025 11:26:47 +0200 -Subject: [PATCH 19/19] zkey: Adjust CCA host library version detection for +Subject: [PATCH 19/20] zkey: Adjust CCA host library version detection for newer CCA versions (RHEL-105487) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 
@@ -6748,5 +6748,73 @@ index 71c08ad..9d79c4b 100644 warnx("CCA formware version is invalid: %s", version_data); return -EINVAL; -- -2.50.1 +2.51.0 + + +From 8b98ad7e7e273b2327ad50bdf31935d4a439a618 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 11 Sep 2025 08:37:38 +0200 +Subject: [PATCH 20/20] libekmfweb: Fix generation of certificate or CSR with + RSA-PSS instead of RSA (RHEL-114130) + +Currently a certificate or certificate signing request generated by the +zkey EKMFWeb library erroneously always uses RSA-PSS as signing algorithm, +although EKMFWeb does not support RSA-PSS certificates in all versions. + +This bug was introduced with the rework to use libseckey for secure +key crypto operations. + +Fixes: 26c34a49b1e4 ("libekmfweb: Make use of the new libseckey") +Signed-off-by: Ingo Franzki +Reviewed-by: Finn Callies +Signed-off-by: Steffen Eiden +(cherry picked from commit e4dcf084c5a54f8030da39707c5fa0fbb7ae9681) +--- + libekmfweb/ekmfweb.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/libekmfweb/ekmfweb.c b/libekmfweb/ekmfweb.c +index ee25fc0..3a822e7 100644 +--- a/libekmfweb/ekmfweb.c ++++ b/libekmfweb/ekmfweb.c +@@ -5099,14 +5099,15 @@ int ekmf_generate_csr(const struct ekmf_config *config, + } + } + +- +- _ekmf_copy_pss_params(rsa_pss_params, &pss_params); ++ if (rsa_pss_params != NULL) ++ _ekmf_copy_pss_params(rsa_pss_params, &pss_params); + + rc = SK_OPENSSL_generate_csr(key_blob, key_blob_size, + subject_rdns, num_subject_rdns, + subject_utf8, cert, + extensions, num_extensions, +- digest_nid, &pss_params, &req, ++ digest_nid, rsa_pss_params != NULL ? 
++ &pss_params : NULL, &req, + &ext_lib_info.ext_lib, verbose); + if (rc != 0) { + pr_verbose(verbose, "SK_OPENSSL_generate_csr failed " +@@ -5245,14 +5246,16 @@ int ekmf_generate_ss_cert(const struct ekmf_config *config, + } + } + +- _ekmf_copy_pss_params(rsa_pss_params, &pss_params); ++ if (rsa_pss_params != NULL) ++ _ekmf_copy_pss_params(rsa_pss_params, &pss_params); + + rc = SK_OPENSSL_generate_ss_cert(key_blob, key_blob_size, + subject_rdns, num_subject_rdns, + subject_utf8, rcert, + extensions, num_extensions, + validity_days, digest_nid, +- &pss_params, &cert, ++ rsa_pss_params != NULL ? ++ &pss_params : NULL, &cert, + &ext_lib_info.ext_lib, verbose); + if (rc != 0) { + pr_verbose(verbose, "SK_OPENSSL_generate_ss_cert failed " +-- +2.51.0 diff --git a/s390utils.spec b/s390utils.spec index 1096817..85d2ca5 100644 --- a/s390utils.spec +++ b/s390utils.spec @@ -18,7 +18,7 @@ Name: s390utils Summary: Utilities and daemons for IBM z Systems Version: 2.29.0 -Release: 3%{?dist}.2 +Release: 3%{?dist}.3 Epoch: 2 License: MIT #URL: http://www.ibm.com/developerworks/linux/linux390/s390-tools.html @@ -1174,6 +1174,10 @@ User-space development files for the s390/s390x architecture. %changelog +* Mon Sep 15 2025 Dan Horák - 2:2.29.0-3.3 +- libekmfweb: Fix generation of certificate or CSR with RSA-PSS instead of RSA (RHEL-114130) +- Resolves: RHEL-114130 + * Thu Aug 07 2025 Dan Horák - 2:2.29.0-3.2 - zkey: Fix CCA host version detection for newer CCA versions (RHEL-105487) - Resolves: RHEL-105487
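Review bot: In the added patch 20/20, ekmf_generate_csr and ekmf_generate_ss_cert each test `rsa_pss_params != NULL` twice, once to guard `_ekmf_copy_pss_params` and once in the ternary passed to the SK_OPENSSL_generate_* call, and nothing at either call site records why NULL matters. Going by the commit message, passing PSS parameters unconditionally is what made every certificate and CSR come out RSA-PSS signed, so the signature algorithm of the issued object depends on these two checks staying in agreement. I would add a comment above each guard, for example `/* Pass PSS parameters only when the caller requested RSA-PSS; NULL is expected to keep plain RSA signing */`. A regression check that inspects the signature algorithm of a CSR generated without PSS parameters would also be worth adding. Both function bodies begin and end outside the inner hunks shown here, so how `pss_params` is declared and initialised could not be reviewed.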