import s390utils-2.19.0-2.el9_0.3

2022-09-26 09:44:56 -04:00 · 2022-09-26 09:44:56 -04:00 · 314681f912
commit 314681f912
parent 74071ca7c2
2 changed files with 561 additions and 1 deletions
--- a/SOURCES/s390utils-2.19.0-rhel.patch
+++ b/SOURCES/s390utils-2.19.0-rhel.patch
@ -0,0 +1,547 @@
+From 55e2f3991a8f55d49d7e381dbd8d3fe347c3fc9e Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer <mhartmay@linux.ibm.com>
+Date: Thu, 31 Mar 2022 14:00:31 +0000
+Subject: [PATCH 1/5] genprotimg: remove DigiCert root CA pinning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
+change in the future therefore let's remove this check. If someone wants to
+enforce the usage of a specific root CA it can be selected by the genprotimg
+command line option `--root-ca $CA`. Make it transparent to the user which root
+CA is actually being used by printing the subject name of the root CA to stdout
+in verbose mode.
+
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d)
+---
+ genprotimg/man/genprotimg.8            |  2 +-
+ genprotimg/src/include/pv_crypto_def.h |  3 --
+ genprotimg/src/pv/pv_args.c            |  2 +-
+ genprotimg/src/pv/pv_image.c           | 27 ++++++---------
+ genprotimg/src/utils/crypto.c          | 48 +++++++++++---------------
+ genprotimg/src/utils/crypto.h          |  4 +--
+ 6 files changed, 35 insertions(+), 51 deletions(-)
+
+diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
+index 8a481c4..6f14052 100644
+--- a/genprotimg/man/genprotimg.8
+++ b/genprotimg/man/genprotimg.8
+@@ -87,7 +87,7 @@ CRLs. Optional.
+ .TP
+ \fB\-\-root\-ca\fR=\fI\,FILE\/\fR
+ Specifies the root CA certificate for the verification. If omitted,
+-the DigiCert root CA certificate installed on the system is used. Use
+the system wide root CAs installed on the system is used. Use
+ this only if you trust the specified certificate. Optional.
+ .TP
+ \fB\-\-no-verify\fR
+diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
+index 53984a3..3635433 100644
+--- a/genprotimg/src/include/pv_crypto_def.h
+++ b/genprotimg/src/include/pv_crypto_def.h
+@@ -29,9 +29,6 @@
+  */
+ #define PV_CERTS_SECURITY_LEVEL 2
+ 
+-/* SKID for DigiCert Assured ID Root CA */
+-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
+-
+ union ecdh_pub_key {
+ 	struct {
+ 		uint8_t x[80];
+diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
+index e644ae7..bcc3784 100644
+--- a/genprotimg/src/pv/pv_args.c
+++ b/genprotimg/src/pv/pv_args.c
+@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
+ 	     g_strv_length(args->untrusted_cert_paths) == 0)) {
+ 		g_set_error(
+ 			err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
+-			_("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
+			_("Either specify the IBM Z signing key and intermediate CA certificate\n"
+ 			  "by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
+ 			  "host-key document verification completely (at your own risk)."));
+ 		return -1;
+diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
+index 7359240..a5f07b8 100644
+--- a/genprotimg/src/pv/pv_image.c
+++ b/genprotimg/src/pv/pv_image.c
+@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ 	}
+ 
+ 	/* Load all untrusted certificates (e.g. IBM Z signing key and
+-	 * DigiCert intermediate CA) that are required to establish a chain of
+-	 * trust starting from the host-key document up to the root CA (if not
+-	 * otherwise specified that's the DigiCert Assured ID Root CA).
+	 * intermediate CA) that are required to establish a chain of trust
+	 * starting from the host-key document up to the root CA (if not
+	 * otherwise specified that can be one of the system wide installed
+	 * root CAs, e.g. DigiCert).
+ 	 */
+ 	untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
+ 	if (!untrusted_certs_with_path)
+@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ 	 * For this we must check:
+ 	 *
+ 	 * 1. Can a chain of trust be established ending in a root CA
+-	 * 2. Is the correct root CA ued? It has either to be the
+-	 *    'DigiCert Assured ID Root CA' or the root CA specified via
+-	 *    command line.
+	 * 2. Is the correct root CA used? It has either to be a system CA
+	 *    or the root CA specified via command line.
+ 	 */
+ 	for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
+ 		X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
+@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
+ 		if (verify_cert(ibm_signing_cert, ctx, err) < 0)
+ 			goto error;
+ 
+-		/* Verify the build chain of trust chain. If the user passes a
+-		 * trusted root CA on the command line then the check for the
+-		 * Subject Key Identifier (SKID) is skipped, otherwise let's
+-		 * check if the SKID meets our expectation.
+		/* If there is a chain of trust using either the provided root
+		 * CA on the command line or a system wide trusted root CA.
+ 		 */
+-		if (!root_ca_path &&
+-		    check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
+-					   get_digicert_assured_id_root_ca_skid(),
+-					   err) < 0) {
+		if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
+					   err) < 0)
+ 			goto error;
+-		}
+ 
+ 		ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
+ 		if (!ibm_signing_crls) {
+@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
+ 		g_warning(_("host-key document verification is disabled. Your workload is not secured."));
+ 
+ 	if (args->root_ca_path)
+-		g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
+		g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
+ 
+ 	ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
+ 	if (!ret->comps)
+diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
+index 087de37..9d1fdb0 100644
+--- a/genprotimg/src/utils/crypto.c
+++ b/genprotimg/src/utils/crypto.c
+@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
+ 		g_abort();
+ 
+ 	/* The maximum depth level of the chain of trust for the verification of
+-	 * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
+-	 * intermediate CA -> (DigiCert) root CA
+	 * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
+	 * -> root CA
+ 	 */
+ 	X509_VERIFY_PARAM_set_depth(param, 2);
+ 
+@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
+ 	return security_bits[level];
+ }
+ 
+-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
+-
+-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
+-{
+-	pv_crypto_init();
+-	return digicert_assured_id_root_ca;
+-}
+-
+ /* Used for the caching of the downloaded CRLs */
+ static GHashTable *cached_crls;
+ 
+ void pv_crypto_init(void)
+ {
+-	if (digicert_assured_id_root_ca)
+	if (cached_crls)
+ 		return;
+-
+ 	cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
+ 					    (GDestroyNotify)X509_CRL_free);
+-	digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
+-		NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
+ }
+ 
+ void pv_crypto_cleanup(void)
+ {
+-	if (!digicert_assured_id_root_ca)
+	if (!cached_crls)
+ 		return;
+ 	g_clear_pointer(&cached_crls, g_hash_table_destroy);
+-	g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
+ }
+ 
+ gint check_chain_parameters(const STACK_OF_X509 *chain,
+-			    const ASN1_OCTET_STRING *skid, GError **err)
+			    GError **err)
+ {
+-	const ASN1_OCTET_STRING *ca_skid = NULL;
+	const X509_NAME *ca_x509_subject = NULL;
+	g_autofree gchar *ca_subject = NULL;
+ 	gint len = sk_X509_num(chain);
+ 	X509 *ca = NULL;
+ 
+-	g_assert(skid);
+ 	/* at least one root and one leaf certificate must be defined */
+-	g_assert(len >= 2);
+	if (len < 2) {
+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+			    _("there must be at least on root and one leaf certificate in the chain of trust"));
+		return -1;
+	}
+ 
+ 	/* get the root certificate of the chain of trust */
+ 	ca = sk_X509_value(chain, len - 1);
+@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
+ 		return -1;
+ 	}
+ 
+-	ca_skid = X509_get0_subject_key_id(ca);
+-	if (!ca_skid) {
+-		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
+-			    _("malformed root certificate"));
+	ca_x509_subject = X509_get_subject_name(ca);
+	if (!ca_x509_subject) {
+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+			    _("subject of the root CA cannot be retrieved"));
+ 		return -1;
+ 	}
+ 
+-	if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
+-		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
+-			    _("expecting DigiCert root CA to be used"));
+	ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
+	if (!ca_subject) {
+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+			    _("subject name of the root CA cannot be retrieved"));
+ 		return -1;
+ 	}
+ 
+	g_info("Root CA used: '%s'", ca_subject);
+ 	return 0;
+ }
+ 
+diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
+index 3cda450..fdf66de 100644
+--- a/genprotimg/src/utils/crypto.h
+++ b/genprotimg/src/utils/crypto.h
+@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
+ 			     gint verify_flags, GError **err);
+ void pv_crypto_init(void);
+ void pv_crypto_cleanup(void);
+-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
+ gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
+ 		     gint verify_flags, int level, GError **err);
+ X509 *load_cert_from_file(const char *path, GError **err);
+@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
+ int store_set_verify_param(X509_STORE *store, GError **err);
+ X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
+ STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
+-gint check_chain_parameters(const STACK_OF_X509 *chain,
+-			    const ASN1_OCTET_STRING *skid, GError **err);
+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
+ X509_NAME *c2b_name(const X509_NAME *name);
+ 
+ STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
+-- 
+2.37.1
+
+
+From 666cd637519efad9b9c4ca68a5d99b86e92d48ff Mon Sep 17 00:00:00 2001
+From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Date: Tue, 15 Mar 2022 12:55:02 +0100
+Subject: [PATCH 2/5] genprotimg/check_hostkeydoc: relax default issuer check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While the original default issuer's organizationalUnitName (OU)
+was defined as "IBM Z Host Key Signing Service", any OU ending
+with "Key Signing Service" is considered legal.
+
+Let's relax the default issuer check by stripping off characters
+preceding "Key Signing Service".
+
+Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
+Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d)
+---
+ genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
+index a96576f..6a83739 100755
+--- a/genprotimg/samples/check_hostkeydoc
+++ b/genprotimg/samples/check_hostkeydoc
+@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
+ ISSUER_DN_FILE=$(mktemp)
+ SUBJECT_DN_FILE=$(mktemp)
+ DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
+ CRL_SERIAL_FILE=$(mktemp)
+ 
+ # Cleanup on exit
+@@ -30,7 +31,7 @@ cleanup()
+ {
+     rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
+         $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
+-        $CRL_SERIAL_FILE
+        $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
+ }
+ trap cleanup EXIT
+ 
+@@ -121,20 +122,31 @@ default_issuer()
+     commonName                = International Business Machines Corporation
+     countryName               = US
+     localityName              = Poughkeepsie
+-    organizationalUnitName    = IBM Z Host Key Signing Service
+    organizationalUnitName    = Key Signing Service
+     organizationName          = International Business Machines Corporation
+     stateOrProvinceName       = New York
+ EOF
+ }
+ 
+-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
+ {
+     default_issuer > $DEF_ISSUER_DN_FILE
+ 
+-    if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+    sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
+	$ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+    if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+     then
+         echo Incorrect default issuer >&2 && exit 1
+     fi
+}
+
+verify_issuer_files()
+{
+    verify_default_issuer
+ 
+     if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
+     then
+-- 
+2.37.1
+
+
+From b4dc45d6f3fff7c57fd5a97cdab357a842ef021e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Mon, 4 Apr 2022 16:38:41 +0200
+Subject: [PATCH 3/5] libseckey: Fix re-enciphering of EP11 secure key
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The re-enciphering of EP11 asymmetric secure keys does not work.
+First, the result of the re-encipher operation of the private key
+part must be copied back into the user supplied key token buffer.
+Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
+(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
+the MAC is calculated with the EP11 master key.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397)
+---
+ libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c
+index b867626..e3bd3c9 100644
+--- a/libseckey/sk_ep11.c
+++ b/libseckey/sk_ep11.c
+@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib,
+ 		return -EIO;
+ 	}
+ 
+	memcpy(blob, lrb.payload, lrb.pllen);
+
+	/* re-encipher MACed SPKI */
+	rb.domain = domain;
+	lrb.domain = domain;
+
+	resp_len = sizeof(resp);
+	req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
+					 &rb, NULL, key_token + hdr->len,
+					 key_token_length - hdr->len);
+	if (req_len < 0) {
+		sk_debug(debug, "Failed to build XCP command block");
+		return -EIO;
+	}
+
+	rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
+			      0, ep11_lib->target);
+	if (rv != CKR_OK || resp_len == 0) {
+		sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
+			 "rc = 0x%lx, resp_len = %ld", rv, resp_len);
+		return -EIO;
+	}
+
+	rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
+	if (rc != 0) {
+		sk_debug(debug, "Failed to parse response. rc = %d", rc);
+		return -EIO;
+	}
+
+	if (rv != CKR_OK) {
+		sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
+			 "rc = 0x%lx", rv);
+		switch (rv) {
+		case CKR_IBM_WKID_MISMATCH:
+			sk_debug(debug, "The EP11 secure key is currently "
+				 "encrypted under a different master that does "
+				 "not match the master key in the CURRENT "
+				 "master key register of APQN %02X.%04X",
+				 card, domain);
+			break;
+		}
+		return -EIO;
+	}
+
+	if (key_token_length - hdr->len != lrb.pllen) {
+		sk_debug(debug, "Re-encrypted EP11 secure key size has "
+			 "changed: org-len: %lu, new-len: %lu",
+			 hdr->len - sizeof(*hdr), lrb.pllen);
+		return -EIO;
+	}
+
+	memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
+
+ 	return 0;
+ }
+ 
+-- 
+2.37.1
+
+
+From bf4d971adb286fc42f6f5bcb45b6fb484eb9519b Mon Sep 17 00:00:00 2001
+From: Mete Durlu <meted@linux.ibm.com>
+Date: Fri, 10 Jun 2022 10:13:33 +0200
+Subject: [PATCH 4/5] hyptop: increase initial update interval
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Increase initial update interval from 200ms to 1 seconds to avoid
+fluctuations on the initial data output.
+
+Signed-off-by: Mete Durlu <meted@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
+---
+ hyptop/sd.h      | 2 +-
+ hyptop/sd_core.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hyptop/sd.h b/hyptop/sd.h
+index 9ba3192..1aed707 100644
+--- a/hyptop/sd.h
+++ b/hyptop/sd.h
+@@ -17,7 +17,7 @@
+ #include "helper.h"
+ #include "table.h"
+ 
+-#define SD_DG_INIT_INTERVAL_MS	200
+#define SD_DG_INIT_INTERVAL_SEC	1
+ #define SD_SYS_ID_SIZE		9
+ 
+ /*
+diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
+index f1cb631..47b5b59 100644
+--- a/hyptop/sd_core.c
+++ b/hyptop/sd_core.c
+@@ -150,7 +150,7 @@ void sd_update(void)
+  */
+ void sd_dg_register(struct sd_dg *dg, int has_core_data)
+ {
+-	struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
+	struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
+ 	struct sd_sys_item *sys_item;
+ 	struct sd_cpu_item *cpu_item;
+ 	unsigned int i;
+-- 
+2.37.1
+
+
+From 0c7fa7ed53e0187ea9d89f05299f17378daf046e Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 12 May 2022 11:06:16 +0200
+Subject: [PATCH 5/5] libseckey: Adapt keymgmt_match() implementation to
+ OpenSSL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
+OpenSSL provider's keymgmt_match() function to be not so strict with
+the selector bits in regards to matching different key parts.
+
+Adapt the secure key provider's match function accordingly.
+This means, that if the public key is selected to be matched, and
+the public key matches (together with any also selected parameters),
+then the private key is no longer checked, although it may also be
+selected to be matched. This is according to how the OpenSSL function
+EVP_PKEY_eq() is supposed to behave.
+
+OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
+function to check if the private key specified matches the public key
+of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
+private key into the selector bits here, although the certificate
+only contains the public key part.
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 6c5c5f7e558c114ddaa475e96c9ec708049aa423)
+---
+ libseckey/sk_provider.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/libseckey/sk_provider.c b/libseckey/sk_provider.c
+index 10f56c0..0abe99d 100644
+--- a/libseckey/sk_provider.c
+++ b/libseckey/sk_provider.c
+@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1,
+ 
+ 	if (key1->type != key2->type)
+ 		return 0;
+
+	if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
+		/* match everything except private key */
+		return default_match_fn(key1->default_key, key2->default_key,
+					selection &
+					    (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
+	}
+
+ 	if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
+ 		if (key1->secure_key_size != key2->secure_key_size)
+ 			return 0;
+-		if (key1->secure_key_size > 0 &&
+-		    memcmp(key1->secure_key, key2->secure_key,
+-			    key1->secure_key_size) != 0)
+-			return 0;
+		if (key1->secure_key_size > 0) {
+			if (memcmp(key1->secure_key, key2->secure_key,
+				   key1->secure_key_size) != 0)
+				return 0;
+			selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
+		}
+ 	}
+ 
+ 	return default_match_fn(key1->default_key, key2->default_key,
+-- 
+2.37.1
+
--- a/SPECS/s390utils.spec
+++ b/SPECS/s390utils.spec
@ -6,7 +6,7 @@
 Name:           s390utils
 Summary:        Utilities and daemons for IBM z Systems
 Version:        2.19.0
-Release:        2%{?dist}
+Release:        2%{?dist}.3
 Epoch:          2
 License:        MIT
 ExclusiveArch:  s390 s390x
@ -875,6 +875,19 @@ User-space development files for the s390/s390x architecture.


 %changelog
+* Wed Jul 20 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.3
+- zkey: KMIP plugin fails to connection to KMIP server (#2109102)
+- Resolves: #2109102
+
+* Tue Jul 12 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.2
+- hyptop: observable value fluctuations on initial iteration (#2101808)
+- Resolves: #2101808
+
+* Tue May 03 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.1
+- genprotimg: certificate verification is too strict (#2081271)
+- zkey: fix re-enciphering of EP11 identity key of KMIP plugin (#2081272)
+- Resolves: #2081271 #2081272
+
 * Tue Dec 14 2021 Dan Horák <dan[at]danny.cz> - 2:2.19.0-2
 - update ccw udev rules for synthetic events (#2027357)
 - Resolves: #2027357