meta-security: subtree update:a85fbe980e..c20b35b527
Anton Antonov (1):
Parsec service. Update PACKAGECONFIG definitions and README.md
Armin Kuster (20):
python3-fail2ban: fix build failure and cleanup
meta-parsec/README: remove rust layer req.
opendnssec: blacklist do to ldns being blacklisted
apparmor: Add a python 3.10 compatability patch
tpm2-tools: update to 5.2
openssl-tpm-engine: fix build issue with openssl 3
tpm2-openssl: add new pkg
tpm2-pkcs11: update to 1.7.0
recipes: Update SRC_URI branch and protocols
sssd: Create /var/log/sssd in runtime
bastille: Create /var/log/Bastille in runtime
python3-fail2ban: remove /run
tpm2-pkcs11: update to 1.7.0
libest: does not build with openssl 3.x
clamav: fix useradd warning
python3-fail2ban: update to tip
tpm2-pkcs11: backport openssl 3.x build fixes
packagegroup-security-tpm2: drop ibmswtpm2
meta-integrity: drop strongswan bbappends
meta-tpm: drop strongswan bbappends
Kai Kang (2):
sssd: re-package to fix QA issues
apparmor: fix warning of remove operator combined with +=
Kristian Klausen (2):
swtpm: update to 0.6.1
dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS
Liwei Song (1):
recipes-security/chipsec: platform security assessment framework
Stefan Mueller-Klieser (1):
tpm2-tss: fix fapi package config
Yi Zhao (2):
openssl-tpm-engine: fix warning for append operator combined with +=
meta-parsec/README.md: fix for append operator combined with +=
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
deleted file mode 100644
index 8250282..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Apr 2020 10:44:19 +0200
-Subject: [PATCH] xfrmi: Only build if libcharon is built
-
-The kernel-netlink plugin is only built if libcharon is.
-
-Closes strongswan/strongswan#167.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/Makefile.am | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-Index: strongswan-5.8.4/src/Makefile.am
-===================================================================
---- strongswan-5.8.4.orig/src/Makefile.am
-+++ strongswan-5.8.4/src/Makefile.am
-@@ -42,6 +42,9 @@ endif
-
- if USE_LIBCHARON
- SUBDIRS += libcharon
-+if USE_KERNEL_NETLINK
-+ SUBDIRS += xfrmi
-+endif
- endif
-
- if USE_FILE_CONFIG
-@@ -143,7 +146,3 @@ endif
- if USE_TPM
- SUBDIRS += tpm_extendpcr
- endif
--
--if USE_KERNEL_NETLINK
-- SUBDIRS += xfrmi
--endif
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
deleted file mode 100644
index 497474f..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
+++ /dev/null
@@ -1,12 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += "aikgen tpm"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 34757bb..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)}
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 764b2e5..b8324e5 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -18,5 +18,4 @@
libtss2-tcti-mssim \
tpm2-abrmd \
tpm2-pkcs11 \
- ibmswtpm2 \
"
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
index 95ba5c5..8fe62cf 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
@@ -3,7 +3,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
SRCREV = "f6dd8f55eab4910131ec6a6a570dcd7951bd10e4"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8;protocol=https"
PE = "1"
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 9ad8967..2b969ed 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -8,7 +8,7 @@
DEPENDS += "openssl trousers"
SRC_URI = "\
- git://github.com/mgerstner/openssl_tpm_engine.git \
+ git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
file://0001-create-tpm-key-support-well-known-key-option.patch \
file://0002-libtpm-support-env-TPM_SRK_PW.patch \
file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
@@ -35,10 +35,10 @@
srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
-CFLAGS:append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
# Uncomment below line if using the plain srk password for development
-#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
do_configure:prepend() {
cd ${B}
@@ -46,17 +46,17 @@
touch NEWS AUTHORS ChangeLog README
}
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
FILES:${PN}-dbg += "\
- ${libdir}/ssl/engines-1.1/.debug \
- ${libdir}/engines-1.1/.debug \
- ${prefix}/local/ssl/lib/engines-1.1/.debug \
+ ${libdir}/ssl/engines-3/.debug \
+ ${libdir}/engines-3/.debug \
+ ${prefix}/local/ssl/lib/engines-3/.debug \
"
FILES:${PN} += "\
- ${libdir}/ssl/engines-1.1/tpm.so* \
- ${libdir}/engines-1.1/tpm.so* \
+ ${libdir}/ssl/engines-3/tpm.so* \
+ ${libdir}/engines-3/tpm.so* \
${libdir}/libtpm.so* \
- ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+ ${prefix}/local/ssl/lib/engines-3/tpm.so* \
"
RDEPENDS:${PN} += "libcrypto libtspi"
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
index f8347b7..77f65ae 100644
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -9,7 +9,7 @@
PV = "0.1+git${SRCPV}"
SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
-SRC_URI = "git://github.com/flihp/pcr-extend.git \
+SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
file://fix_openssl11_build.patch "
inherit autotools
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
index 644f3ac..bb93374 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -1,6 +1,6 @@
SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
LICENSE = "MIT"
-DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+DEPENDS = "swtpm-native"
inherit native
@@ -14,23 +14,19 @@
for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
exe=`basename $i`
case $exe in
- swtpm_setup.sh)
+ swtpm_setup)
cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
#! /bin/sh
#
-# Wrapper around swtpm_setup.sh which adds parameters required to
+# Wrapper around swtpm_setup which adds parameters required to
# run the setup as non-root directly from the native sysroot.
PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
export PATH
-# tcsd only allows to be run as root or tss. Pretend to be root...
-exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+exec swtpm_setup --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
EOF
;;
- swtpm_setup)
- true
- ;;
*)
cat >${WORKDIR}/${exe}_oe.sh <<EOF
#! /bin/sh
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
similarity index 68%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
index 912e939..63734b9 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
@@ -3,14 +3,11 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
SECTION = "apps"
-DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libtpm libtpm-native"
+# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
+DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
-# configure checks for the tools already during compilation and
-# then swtpm_setup needs them at runtime
-DEPENDS:append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native"
-
-SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \
+SRCREV = "98187d24fe14851653a7c46eb16e9c5f0b9beaa1"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.6;protocol=https \
file://ioctl_h.patch \
file://oe_configure.patch \
"
@@ -19,7 +16,7 @@
S = "${WORKDIR}/git"
PARALLEL_MAKE = ""
-inherit autotools pkgconfig python3native
+inherit autotools pkgconfig perlnative
TSS_USER="tss"
TSS_GROUP="tss"
@@ -28,7 +25,10 @@
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
+# used by swtpm-create-tpmca (the last two is provided by gnutls)
+# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"
PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
@@ -41,14 +41,11 @@
--no-create-home --shell /bin/false ${BPN}"
-PACKAGES =+ "${PN}-python"
-FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
-
PACKAGE_BEFORE_PN = "${PN}-cuse"
FILES:${PN}-cuse = "${bindir}/swtpm_cuse"
INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS:${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted"
+RDEPENDS:${PN} = "libtpm"
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
index 53cf8ff..4672bba 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -15,7 +15,7 @@
DEPENDS = "libtspi tpm-tools"
-SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools"
+SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index dbe1647..3b3da4f 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -14,7 +14,7 @@
SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/tpm-tools \
+ git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
file://tpm-tools-extendpcr.patch \
file://04-fix-FTBFS-clang.patch \
file://openssl1.1_fix.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index 5e03b71..192c66c 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -10,7 +10,7 @@
PV = "0.3.15+git${SRCPV}"
SRC_URI = " \
- git://git.code.sf.net/p/trousers/trousers \
+ git://git.code.sf.net/p/trousers/trousers;branch=master \
file://trousers.init.sh \
file://trousers-udev.rules \
file://tcsd.service \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
index b80ef79..1818171 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
@@ -13,7 +13,7 @@
libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
SRC_URI = "\
- git://github.com/tpm2-software/tpm2-abrmd.git \
+ git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \
file://tpm2-abrmd-init.sh \
file://tpm2-abrmd.default \
"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
new file mode 100644
index 0000000..f6a694c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
@@ -0,0 +1,11 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master"
+
+SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
new file mode 100644
index 0000000..ac2f92c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
@@ -0,0 +1,1305 @@
+From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:24:40 -0500
+Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
+
+Compile against OpenSSL. This moves functions non-deprecated things if
+possible and ignores deprecation warnings when not. Padding manipulation
+routines seem to have been marked deprecated in OSSL 3.0, so we need to
+figure out a porting strategy here.
+
+Fixes: #686
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/lib/backend_esysdb.c | 5 +-
+ src/lib/backend_fapi.c | 5 +-
+ src/lib/encrypt.c | 2 +-
+ src/lib/mech.c | 72 +---
+ src/lib/object.c | 3 +-
+ src/lib/sign.c | 2 +-
+ src/lib/ssl_util.c | 531 ++++++++++++++++--------
+ src/lib/ssl_util.h | 31 +-
+ src/lib/tpm.c | 6 +-
+ src/lib/utils.c | 35 +-
+ src/lib/utils.h | 13 -
+ test/integration/pkcs-sign-verify.int.c | 94 ++---
+ 12 files changed, 441 insertions(+), 358 deletions(-)
+
+Index: git/src/lib/backend_esysdb.c
+===================================================================
+--- git.orig/src/lib/backend_esysdb.c
++++ git/src/lib/backend_esysdb.c
+@@ -3,6 +3,7 @@
+ #include "config.h"
+ #include "backend_esysdb.h"
+ #include "db.h"
++#include "ssl_util.h"
+ #include "tpm.h"
+
+ CK_RV backend_esysdb_init(void) {
+@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
+ }
+
+ twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
+- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+ if (!sealobjauth) {
+ rv = CKR_HOST_MEMORY;
+ goto error;
+@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
+ */
+ twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
+
+- twist oldauth = utils_hash_pass(toldpin, oldsalt);
++ twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
+ if (!oldauth) {
+ goto out;
+ }
+Index: git/src/lib/backend_fapi.c
+===================================================================
+--- git.orig/src/lib/backend_fapi.c
++++ git/src/lib/backend_fapi.c
+@@ -11,6 +11,7 @@
+ #include "backend_fapi.h"
+ #include "emitter.h"
+ #include "parser.h"
++#include "ssl_util.h"
+ #include "utils.h"
+
+ #ifdef HAVE_FAPI
+@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
+ }
+
+ twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
+- twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++ twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+ if (!sealobjauth) {
+ rv = CKR_HOST_MEMORY;
+ goto error;
+@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
+ }
+ rv = CKR_GENERAL_ERROR;
+
+- oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
++ oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
+ if (!oldauth) {
+ goto out;
+ }
+Index: git/src/lib/encrypt.c
+===================================================================
+--- git.orig/src/lib/encrypt.c
++++ git/src/lib/encrypt.c
+@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
+ CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
+
+ EVP_PKEY *pkey = NULL;
+- CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+Index: git/src/lib/mech.c
+===================================================================
+--- git.orig/src/lib/mech.c
++++ git/src/lib/mech.c
+@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
+ }
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(a, &nid);
++ CK_RV rv = ssl_util_params_to_nid(a, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
+ }
+
+ /* Apply the PKCS1.5 padding */
+- int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
+- inbuf, inlen);
+- if (!rc) {
++ CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
++ outbuf, padded_len);
++ if (rv != CKR_OK) {
+ LOGE("Applying RSA padding failed");
+- return CKR_GENERAL_ERROR;
++ return rv;
+ }
+
+ *outlen = padded_len;
+@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
+ size_t key_bytes = *keybits / 8;
+
+ unsigned char buf[4096];
+- int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
+- inbuf, inlen,
+- key_bytes);
+- if (rc < 0) {
++ CK_ULONG buflen = sizeof(buf);
++ CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
++ buf, &buflen);
++ if (rv != CKR_OK) {
+ LOGE("Could not recover CKM_RSA_PKCS Padding");
+- return CKR_GENERAL_ERROR;
++ return rv;
+ }
+
+- /* cannot be < 0 because of check above */
+- if (!outbuf || (unsigned)rc > *outlen) {
+- *outlen = rc;
++ if (!outbuf || buflen > *outlen) {
++ *outlen = buflen;
+ return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
+ }
+
+- *outlen = rc;
+- memcpy(outbuf, buf, rc);
++ *outlen = buflen;
++ memcpy(outbuf, buf, buflen);
+
+ return CKR_OK;
+ }
+@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
+ return CKR_GENERAL_ERROR;
+ }
+
+- CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+- if (!exp_attr) {
+- LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ if (modulus_attr->ulValueLen > *outlen) {
+ LOGE("Output buffer is too small, got: %lu, required at least %lu",
+ *outlen, modulus_attr->ulValueLen);
+ return CKR_GENERAL_ERROR;
+ }
+
+- BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
+- if (!e) {
+- LOGE("Could not convert exponent to bignum");
+- return CKR_GENERAL_ERROR;
+- }
+-
+- BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
+- if (!n) {
+- LOGE("Could not convert modulus to bignum");
+- BN_free(e);
+- return CKR_GENERAL_ERROR;
+- }
+-
+- RSA *rsa = RSA_new();
+- if (!rsa) {
+- LOGE("oom");
+- return CKR_HOST_MEMORY;
+- }
+-
+- int rc = RSA_set0_key(rsa, n, e, NULL);
+- if (!rc) {
+- LOGE("Could not set modulus and exponent to OSSL RSA key");
+- BN_free(n);
+- BN_free(e);
+- RSA_free(rsa);
+- return CKR_GENERAL_ERROR;
++ EVP_PKEY *pkey = NULL;
++ rv = ssl_util_attrs_to_evp(attrs, &pkey);
++ if (rv != CKR_OK) {
++ return rv;
+ }
+
+- rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
+- inbuf, md, -1);
+- RSA_free(rsa);
+- if (!rc) {
++ rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
++ EVP_PKEY_free(pkey);
++ if (rv != CKR_OK) {
+ LOGE("Applying RSA padding failed");
+ return CKR_GENERAL_ERROR;
+ }
+Index: git/src/lib/object.c
+===================================================================
+--- git.orig/src/lib/object.c
++++ git/src/lib/object.c
+@@ -15,6 +15,7 @@
+ #include "object.h"
+ #include "pkcs11.h"
+ #include "session_ctx.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+
+@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
+ }
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(a, &nid);
++ CK_RV rv = ssl_util_params_to_nid(a, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+Index: git/src/lib/sign.c
+===================================================================
+--- git.orig/src/lib/sign.c
++++ git/src/lib/sign.c
+@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
+ }
+
+ EVP_PKEY *pkey = NULL;
+- rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ return NULL;
+ }
+Index: git/src/lib/ssl_util.c
+===================================================================
+--- git.orig/src/lib/ssl_util.c
++++ git/src/lib/ssl_util.c
+@@ -10,6 +10,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/sha.h>
+
++#include "attrs.h"
+ #include "log.h"
+ #include "pkcs11.h"
+ #include "ssl_util.h"
+@@ -19,194 +20,228 @@
+ #include <openssl/evperr.h>
+ #endif
+
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#include <openssl/core_names.h>
++#endif
+
+ /*
+- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
+- * create an API compatible version of it.
++ * TODO Port these routines
++ * Deprecated function block to port
++ *
++ * There are no padding routine replacements in OSSL 3.0.
++ * - per Matt Caswell (maintainer) on mailing list.
++ * Signature verification can likely be done with EVP Verify interface.
+ */
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+- point_conversion_form_t form,
+- unsigned char **pbuf, BN_CTX *ctx) {
+-
+- /* Get the required buffer length */
+- size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
+- if (!len) {
+- return 0;
+- }
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++#endif
+
+- /* allocate it */
+- unsigned char *buf = OPENSSL_malloc(len);
+- if (!buf) {
+- return 0;
+- }
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++ const CK_BYTE_PTR inbuf, const EVP_MD *md,
++ CK_BYTE_PTR outbuf) {
+
+- /* convert it */
+- len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
+- if (!len) {
+- OPENSSL_free(buf);
+- return 0;
++ RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
++ if (!rsa) {
++ return CKR_GENERAL_ERROR;
+ }
+
+- *pbuf = buf;
+- return len;
+-}
++ int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
++ inbuf, md, -1);
+
+-size_t OBJ_length(const ASN1_OBJECT *obj) {
++ return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
++}
+
+- if (!obj) {
+- return 0;
+- }
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++ CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
+
+- return obj->length;
++ return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
++ inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
+ }
+
+-const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
+
+- if (!obj) {
+- return NULL;
++ int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
++ inbuf, inlen, rsa_len);
++ if (rc < 0) {
++ return CKR_GENERAL_ERROR;
+ }
+
+- return obj->data;
++ /* cannot be negative due to check above */
++ *outbuflen = rc;
++ return CKR_OK;
+ }
+
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
+- return ASN1_STRING_data((ASN1_STRING *)x);
+-}
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic pop
++#endif
+
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
+
+- if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+- return 0;
+- }
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
++
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
++ OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
++ OSSL_PARAM_END
++ };
+
+- if (n != NULL) {
+- BN_free(r->n);
+- r->n = n;
++ /* convert params to EVP key */
++ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
++ if (!evp_ctx) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (e != NULL) {
+- BN_free(r->e);
+- r->e = e;
++ int rc = EVP_PKEY_fromdata_init(evp_ctx);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
++ EVP_PKEY_CTX_free(evp_ctx);
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (d != NULL) {
+- BN_free(r->d);
+- r->d = d;
++ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++ EVP_PKEY_CTX_free(evp_ctx);
++ return CKR_GENERAL_ERROR;
+ }
+
+- return 1;
++ EVP_PKEY_CTX_free(evp_ctx);
++
++ return CKR_OK;
+ }
+
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
++
++ /*
++ * The simplest way I have found to deal with this is to convert the ASN1 object in
++ * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
++ * then take the int nid and convert it to a friendly name like prime256v1.
++ * EVP_PKEY_fromdata can handle group by name.
++ *
++ * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
++ */
++ int curve_id = 0;
++ CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
++ if (rv != CKR_OK) {
++ LOGE("Could not get nid from params");
++ return rv;
++ }
+
+- if (!r || !s) {
+- return 0;
++ /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
++ const unsigned char *x = ecpoint->pValue;
++ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
++ if (!os) {
++ SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
++ return CKR_GENERAL_ERROR;
+ }
+
+- BN_free(sig->r);
+- BN_free(sig->s);
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
++ OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
++ OSSL_PARAM_END
++ };
+
+- sig->r = r;
+- sig->s = s;
++ /* convert params to EVP key */
++ EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++ if (!evp_ctx) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
++ }
+
+- return 1;
+-}
++ int rc = EVP_PKEY_fromdata_init(evp_ctx);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
++ }
+
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
+- if (pkey->type != EVP_PKEY_EC) {
+- return NULL;
++ rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++ return CKR_GENERAL_ERROR;
+ }
+
+- return pkey->pkey.ec;
++ EVP_PKEY_CTX_free(evp_ctx);
++ OPENSSL_free(os);
++
++ return CKR_OK;
+ }
+-#endif
+
+-static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
++#else
+
+- RSA *rsa = NULL;
+- BIGNUM *e = NULL, *n = NULL;
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
+
+- CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+- if (!exp) {
+- LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
++ BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
++ if (!e) {
++ LOGE("Could not convert exponent to bignum");
+ return CKR_GENERAL_ERROR;
+ }
+
+- CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
+- if (!mod) {
+- LOGE("RSA Object must have attribute CKA_MODULUS");
++ BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
++ if (!n) {
++ LOGE("Could not convert modulus to bignum");
++ BN_free(e);
+ return CKR_GENERAL_ERROR;
+ }
+
+- rsa = RSA_new();
++ RSA *rsa = RSA_new();
+ if (!rsa) {
+- SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
+- goto error;
++ LOGE("oom");
++ return CKR_HOST_MEMORY;
+ }
+
+- e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
+- if (!e) {
+- SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
+- goto error;
++ int rc = RSA_set0_key(rsa, n, e, NULL);
++ if (!rc) {
++ LOGE("Could not set modulus and exponent to OSSL RSA key");
++ BN_free(n);
++ BN_free(e);
++ RSA_free(rsa);
++ return CKR_GENERAL_ERROR;
+ }
+
+- n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
+- if (!n) {
+- SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
+- goto error;
++ /* assigned to RSA key */
++ n = e = NULL;
++
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ SSL_UTIL_LOGE("EVP_PKEY_new");
++ RSA_free(rsa);
++ return CKR_GENERAL_ERROR;
+ }
+
+- if (!RSA_set0_key(rsa, n, e, NULL)) {
+- SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
++ rc = EVP_PKEY_assign_RSA(pkey, rsa);
++ if (rc != 1) {
+ RSA_free(rsa);
+- BN_free(e);
+- BN_free(n);
+- goto error;
++ EVP_PKEY_free(pkey);
++ return CKR_GENERAL_ERROR;
+ }
+
+- *outkey = rsa;
++ *out_pkey = pkey;
+
+ return CKR_OK;
+-
+-error:
+- RSA_free(rsa);
+- if (e) {
+- BN_free(e);
+- }
+- if (n) {
+- BN_free(n);
+- }
+-
+- return CKR_GENERAL_ERROR;
+ }
+
+-static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
+
+- EC_KEY *key = EC_KEY_new();
+- if (!key) {
++ EC_KEY *ecc = EC_KEY_new();
++ if (!ecc) {
+ LOGE("oom");
+ return CKR_HOST_MEMORY;
+ }
+
+- CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
+- if (!ecparams) {
+- LOGE("ECC Key must have attribute CKA_EC_PARAMS");
+- return CKR_GENERAL_ERROR;
+- }
+-
+- CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
+- if (!ecpoint) {
+- LOGE("ECC Key must have attribute CKA_EC_POINT");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ /* set params */
+ const unsigned char *x = ecparams->pValue;
+- EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
++ EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
+ if (!k) {
+ SSL_UTIL_LOGE("Could not update key with EC Parameters");
+- EC_KEY_free(key);
++ EC_KEY_free(ecc);
+ return CKR_GENERAL_ERROR;
+ }
+
+@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
+ ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
+ if (os) {
+ x = os->data;
+- k = o2i_ECPublicKey(&key, &x, os->length);
++ k = o2i_ECPublicKey(&ecc, &x, os->length);
+ ASN1_STRING_free(os);
+ if (!k) {
+ SSL_UTIL_LOGE("Could not update key with EC Points");
+- EC_KEY_free(key);
++ EC_KEY_free(ecc);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+- *outkey = key;
++ EVP_PKEY *pkey = EVP_PKEY_new();
++ if (!pkey) {
++ SSL_UTIL_LOGE("EVP_PKEY_new");
++ EC_KEY_free(ecc);
++ return CKR_GENERAL_ERROR;
++ }
++
++ int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
++ if (!rc) {
++ SSL_UTIL_LOGE("Could not set pkey with ec key");
++ EC_KEY_free(ecc);
++ EVP_PKEY_free(pkey);
++ return CKR_GENERAL_ERROR;
++ }
++
++ *out_pkey = pkey;
+ return CKR_OK;
+ }
++#endif
+
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
+
+- CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
++ CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
+ if (!a) {
+ LOGE("Expected object to have attribute CKA_KEY_TYPE");
+ return CKR_KEY_TYPE_INCONSISTENT;
+@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
+ return CKR_OK;
+ }
+
+- EVP_PKEY *pkey = EVP_PKEY_new();
+- if (!pkey) {
+- LOGE("oom");
+- return CKR_HOST_MEMORY;
+- }
++ EVP_PKEY *pkey = NULL;
+
+ if (key_type == CKK_EC) {
+- EC_KEY *e = NULL;
+- rv = convert_pubkey_ECC(&e, obj->attrs);
+- if (rv != CKR_OK) {
+- return rv;
++
++ CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
++ if (!ecparams) {
++ LOGE("ECC Key must have attribute CKA_EC_PARAMS");
++ return CKR_GENERAL_ERROR;
+ }
+- int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
+- if (!rc) {
+- SSL_UTIL_LOGE("Could not set pkey with ec key");
+- EC_KEY_free(e);
+- EVP_PKEY_free(pkey);
++
++ CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
++ if (!ecpoint) {
++ LOGE("ECC Key must have attribute CKA_EC_POINT");
+ return CKR_GENERAL_ERROR;
+ }
+- } else if (key_type == CKK_RSA) {
+- RSA *r = NULL;
+- rv = convert_pubkey_RSA(&r, obj->attrs);
++
++ rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+- int rc = EVP_PKEY_assign_RSA(pkey, r);
+- if (!rc) {
+- SSL_UTIL_LOGE("Could not set pkey with rsa key");
+- RSA_free(r);
+- EVP_PKEY_free(pkey);
++
++ } else if (key_type == CKK_RSA) {
++
++ CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
++ if (!exp) {
++ LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
+ return CKR_GENERAL_ERROR;
+ }
++
++ CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
++ if (!mod) {
++ LOGE("RSA Object must have attribute CKA_MODULUS");
++ return CKR_GENERAL_ERROR;
++ }
++
++ rv = get_RSA_evp_pubkey(exp, mod, &pkey);
++ if (rv != CKR_OK) {
++ return rv;
++ }
++
+ } else {
+ LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
+- EVP_PKEY_free(pkey);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+
++ assert(pkey);
+ *outpkey = pkey;
+
+ return CKR_OK;
+@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+ }
+ }
+
+- rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
+- if (!rc) {
+- SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
+- goto error;
++ if (md) {
++ rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
++ if (!rc) {
++ SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
++ goto error;
++ }
+ }
+
+ *outpkey_ctx = pkey_ctx;
+@@ -421,21 +482,12 @@ error:
+ return CKR_GENERAL_ERROR;
+ }
+
+-static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
+- int padding, const EVP_MD *md,
+- CK_BYTE_PTR digest, CK_ULONG digest_len,
+- CK_BYTE_PTR signature, CK_ULONG signature_len) {
++static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
++ const unsigned char *sig, size_t siglen,
++ const unsigned char *tbs, size_t tbslen) {
+
+ CK_RV rv = CKR_GENERAL_ERROR;
+-
+- EVP_PKEY_CTX *pkey_ctx = NULL;
+- rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
+- EVP_PKEY_verify_init, &pkey_ctx);
+- if (rv != CKR_OK) {
+- return rv;
+- }
+-
+- int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++ int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
+ if (rc < 0) {
+ SSL_UTIL_LOGE("EVP_PKEY_verify failed");
+ } else if (rc == 1) {
+@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
+ rv = CKR_SIGNATURE_INVALID;
+ }
+
+- EVP_PKEY_CTX_free(pkey_ctx);
+ return rv;
+ }
+
+-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
++static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
++ unsigned char **outbuf, size_t *outlen) {
+
+ if (siglen & 1) {
+ LOGE("Expected ECDSA signature length to be even, got : %lu",
+@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
+ return CKR_GENERAL_ERROR;
+ }
+
+- *outsig = ossl_sig;
++ int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
++ if (sig_len <= 0) {
++ if (rc < 0) {
++ SSL_UTIL_LOGE("ECDSA_do_verify failed");
++ } else {
++ LOGE("Expected length to be greater than 0");
++ }
++ ECDSA_SIG_free(ossl_sig);
++ return CKR_GENERAL_ERROR;
++ }
++
++ unsigned char *buf = calloc(1, sig_len);
++ if (!buf) {
++ LOGE("oom");
++ ECDSA_SIG_free(ossl_sig);
++ return CKR_HOST_MEMORY;
++ }
++
++ unsigned char *p = buf;
++ int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
++ if (sig_len2 < 0) {
++ SSL_UTIL_LOGE("ECDSA_do_verify failed");
++ ECDSA_SIG_free(ossl_sig);
++ free(buf);
++ return CKR_GENERAL_ERROR;
++ }
++
++ assert(sig_len == sig_len2);
++
++ ECDSA_SIG_free(ossl_sig);
++
++ *outbuf = buf;
++ *outlen = sig_len;
+
+ return CKR_OK;
+ }
+
+ static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
++ const EVP_MD *md,
+ CK_BYTE_PTR digest, CK_ULONG digest_len,
+ CK_BYTE_PTR signature, CK_ULONG signature_len) {
+
+- EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
+- if (!eckey) {
+- LOGE("Expected EC Key");
+- return CKR_GENERAL_ERROR;
+- }
+-
+ /*
+ * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
+ * R + S signatures, so convert it to ASN1 framing.
+@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
+ * https://github.com/tpm2-software/tpm2-pkcs11/issues/277
+ * For details.
+ */
+- ECDSA_SIG *ossl_sig = NULL;
+- CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
++ unsigned char *buf = NULL;
++ size_t buflen = 0;
++ CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+
+- int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
+- if (rc < 0) {
+- ECDSA_SIG_free(ossl_sig);
+- SSL_UTIL_LOGE("ECDSA_do_verify failed");
+- return CKR_GENERAL_ERROR;
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
++ EVP_PKEY_verify_init, &pkey_ctx);
++ if (rv != CKR_OK) {
++ free(buf);
++ return rv;
+ }
+- ECDSA_SIG_free(ossl_sig);
+
+- return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
++ rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ free(buf);
++
++ return rv;
++}
++
++static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
++ int padding, const EVP_MD *md,
++ CK_BYTE_PTR digest, CK_ULONG digest_len,
++ CK_BYTE_PTR signature, CK_ULONG signature_len) {
++
++ CK_RV rv = CKR_GENERAL_ERROR;
++
++ EVP_PKEY_CTX *pkey_ctx = NULL;
++ rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
++ EVP_PKEY_verify_init, &pkey_ctx);
++ if (rv != CKR_OK) {
++ return rv;
++ }
++
++ rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++
++ EVP_PKEY_CTX_free(pkey_ctx);
++ return rv;
+ }
+
+ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
+@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
+ digest, digest_len,
+ signature, signature_len);
+ case EVP_PKEY_EC:
+- return do_sig_verify_ec(pkey, digest, digest_len,
++ return do_sig_verify_ec(pkey, md, digest, digest_len,
+ signature, signature_len);
+ default:
+ LOGE("Unknown PKEY type, got: %d", type);
+@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
+ EVP_PKEY_CTX_free(pkey_ctx);
+ return rv;
+ }
++
++twist ssl_util_hash_pass(const twist pin, const twist salt) {
++
++
++ twist out = NULL;
++ unsigned char md[SHA256_DIGEST_LENGTH];
++
++ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++ if (!ctx) {
++ SSL_UTIL_LOGE("EVP_MD_CTX_new");
++ return NULL;
++ }
++
++ int rc = EVP_DigestInit(ctx, EVP_sha256());
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestInit");
++ goto error;
++ }
++
++ rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestUpdate");
++ goto error;
++ }
++
++ rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestUpdate");
++ goto error;
++ }
++
++ unsigned int len = sizeof(md);
++ rc = EVP_DigestFinal(ctx, md, &len);
++ if (rc != 1) {
++ SSL_UTIL_LOGE("EVP_DigestFinal");
++ goto error;
++ }
++
++ /* truncate the password to 32 characters */
++ out = twist_hex_new((char *)md, sizeof(md)/2);
++
++error:
++ EVP_MD_CTX_free(ctx);
++
++ return out;
++}
++
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
++
++ const unsigned char *p = ecparams->pValue;
++
++ ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
++ if (!a) {
++ LOGE("Unknown CKA_EC_PARAMS value");
++ return CKR_ATTRIBUTE_VALUE_INVALID;
++ }
++
++ *nid = OBJ_obj2nid(a);
++ ASN1_OBJECT_free(a);
++
++ return CKR_OK;
++}
+Index: git/src/lib/ssl_util.h
+===================================================================
+--- git.orig/src/lib/ssl_util.h
++++ git/src/lib/ssl_util.h
+@@ -11,8 +11,8 @@
+
+ #include "pkcs11.h"
+
++#include "attrs.h"
+ #include "log.h"
+-#include "object.h"
+ #include "twist.h"
+
+ #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+@@ -22,6 +22,10 @@
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#endif
++
+ /* OpenSSL Backwards Compat APIs */
+ #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+ #include <string.h>
+@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
+
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+
+ CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
+ int padding, twist label, const EVP_MD *md,
+@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+ fn_EVP_PKEY_init init_fn,
+ EVP_PKEY_CTX **outpkey_ctx);
+
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++ const CK_BYTE_PTR inbuf, const EVP_MD *md,
++ CK_BYTE_PTR outbuf);
++
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++ CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
++
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++ CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
++
++twist ssl_util_hash_pass(const twist pin, const twist salt);
++
++/**
++ * Given an attribute of CKA_EC_PARAMS returns the nid value.
++ * @param ecparams
++ * The DER X9.62 parameters value
++ * @param nid
++ * The nid to set
++ * @return
++ * CKR_OK on success.
++ */
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
++
+ #endif /* SRC_LIB_SSL_UTIL_H_ */
+Index: git/src/lib/tpm.c
+===================================================================
+--- git.orig/src/lib/tpm.c
++++ git/src/lib/tpm.c
+@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
+ tpm_key_data *keydat = (tpm_key_data *)udata;
+
+ int nid = 0;
+- CK_RV rv = ec_params_to_nid(attr, &nid);
++ CK_RV rv = ssl_util_params_to_nid(attr, &nid);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
+ goto out;
+ }
+
+- int rc = EC_POINT_set_affine_coordinates_GFp(group,
++ int rc = EC_POINT_set_affine_coordinates(group,
+ pub_key_point_tmp,
+ bn_x,
+ bn_y,
+@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
+ goto out;
+ }
+
+- rv = ssl_util_tobject_to_evp(&pkey, tobj);
++ rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+ if (rv != CKR_OK) {
+ goto out;
+ }
+Index: git/src/lib/utils.c
+===================================================================
+--- git.orig/src/lib/utils.c
++++ git/src/lib/utils.c
+@@ -7,6 +7,7 @@
+ #include <openssl/sha.h>
+
+ #include "log.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+
+@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
+ pin_to_use = newpin;
+ }
+
+- *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
++ *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
+ if (!*newauthhex) {
+ goto out;
+ }
+@@ -330,22 +331,6 @@ out:
+
+ }
+
+-twist utils_hash_pass(const twist pin, const twist salt) {
+-
+-
+- unsigned char md[SHA256_DIGEST_LENGTH];
+-
+- SHA256_CTX sha256;
+- SHA256_Init(&sha256);
+-
+- SHA256_Update(&sha256, pin, twist_len(pin));
+- SHA256_Update(&sha256, salt, twist_len(salt));
+- SHA256_Final(md, &sha256);
+-
+- /* truncate the password to 32 characters */
+- return twist_hex_new((char *)md, sizeof(md)/2);
+-}
+-
+ size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
+
+ switch(mttype) {
+@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
+
+ return CKR_OK;
+ }
+-
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
+-
+- const unsigned char *p = ecparams->pValue;
+-
+- ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
+- if (!a) {
+- LOGE("Unknown CKA_EC_PARAMS value");
+- return CKR_ATTRIBUTE_VALUE_INVALID;
+- }
+-
+- *nid = OBJ_obj2nid(a);
+- ASN1_OBJECT_free(a);
+-
+- return CKR_OK;
+-}
+
+ CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
+ CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
+Index: git/src/lib/utils.h
+===================================================================
+--- git.orig/src/lib/utils.h
++++ git/src/lib/utils.h
+@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
+ memcpy(dst, src, src_len);
+ }
+
+-twist utils_hash_pass(const twist pin, const twist salt);
+-
+ twist aes256_gcm_decrypt(const twist key, const twist objauth);
+
+ twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
+@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
+ CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
+
+ /**
+- * Given an attribute of CKA_EC_PARAMS returns the nid value.
+- * @param ecparams
+- * The DER X9.62 parameters value
+- * @param nid
+- * The nid to set
+- * @return
+- * CKR_OK on success.
+- */
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
+-
+-/**
+ * Removes a PKCS7 padding on a 16 byte block.
+ * @param in
+ * The PKCS5 padded input.
+Index: git/test/integration/pkcs-sign-verify.int.c
+===================================================================
+--- git.orig/test/integration/pkcs-sign-verify.int.c
++++ git/test/integration/pkcs-sign-verify.int.c
+@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
+ assert_int_equal(rv, CKR_OK);
+ }
+
+-static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+- CK_ULONG i;
+- for (i=0; i < attr_len; i++) {
+- CK_ATTRIBUTE_PTR a = &attrs[i];
+- if (a->type == type) {
+- return a;
+- }
+- }
+-
+- return NULL;
+-}
+-
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-#endif
+-
+-RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+- RSA *ssl_rsa_key = NULL;
+- BIGNUM *e = NULL, *n = NULL;
+-
+- /* get the exponent */
+- CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
+- assert_non_null(a);
+-
+- e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
+- assert_non_null(e);
+-
+- /* get the modulus */
+- a = get_attr(CKA_MODULUS, attrs, attr_len);
+- assert_non_null(a);
+-
+- n = BN_bin2bn(a->pValue, a->ulValueLen,
+- NULL);
+- assert_non_null(n);
+-
+- ssl_rsa_key = RSA_new();
+- assert_non_null(ssl_rsa_key);
+-
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+- ssl_rsa_key->e = e;
+- ssl_rsa_key->n = n;
+-#else
+- int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
+- assert_int_equal(rc, 1);
+-#endif
+-
+- return ssl_rsa_key;
+-}
+-
+-static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+-
+- EVP_PKEY *pkey = EVP_PKEY_new();
+- assert_non_null(pkey);
+-
+- int rc = EVP_PKEY_set1_RSA(pkey, pub);
+- assert_int_equal(rc, 1);
++static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+
+ EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+ const EVP_MD* md = EVP_get_digestbyname("SHA256");
+ assert_non_null(md);
+
+- rc = EVP_DigestInit_ex(ctx, md, NULL);
++ int rc = EVP_DigestInit_ex(ctx, md, NULL);
+ assert_int_equal(rc, 1);
+
+ rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
+ rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
+ assert_int_equal(rc, 1);
+
+- EVP_PKEY_free(pkey);
+ EVP_MD_CTX_destroy(ctx);
+ }
+
+@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
+ assert_int_equal(siglen, 256);
+
+ /* build an OSSL RSA key from parts */
+- CK_BYTE _tmp_bufs[2][1024];
++ CK_BYTE _tmp_bufs[3][1024];
+ CK_ATTRIBUTE attrs[] = {
+- { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
+- { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
++ { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
++ { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
++ { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
+ };
+
+ rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
+ assert_int_equal(rv, CKR_OK);
+
+- RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
+- assert_non_null(r);
++ CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
++ rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
++ assert_int_equal(rv, CKR_OK);
++
++ EVP_PKEY *pkey = NULL;
++ attr_list *l = attr_list_new();
++
++ bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
++ assert_true(res);
+
+- verify(r, msg, sizeof(msg) - 1, sig, siglen);
+- RSA_free(r);
++ res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
++ assert_true(res);
++
++ res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
++ assert_true(res);
++
++ rv = ssl_util_attrs_to_evp(l, &pkey);
++ assert_int_equal(rv, CKR_OK);
++ attr_list_free(l);
++
++ verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
++ EVP_PKEY_free(pkey);
+ }
+
+ static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
new file mode 100644
index 0000000..ef0a6dc
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
@@ -0,0 +1,93 @@
+From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:30:50 -0500
+Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
+
+THIS DROPS SUPPORT FOR OSSL 1.0.2.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ configure.ac | 2 +-
+ src/lib/ssl_util.h | 43 +++++--------------------------------------
+ 2 files changed, 6 insertions(+), 39 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a7aeaf5..94fb5d4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
+ # require sqlite3 and libcrypto
+ PKG_CHECK_MODULES([SQLITE3], [sqlite3])
+ PKG_CHECK_MODULES([YAML], [yaml-0.1])
+-PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])
++PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.1.0])
+
+ # check for pthread
+ AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
+diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
+index 9909fd6..2591728 100644
+--- a/src/lib/ssl_util.h
++++ b/src/lib/ssl_util.h
+@@ -15,51 +15,18 @@
+ #include "log.h"
+ #include "twist.h"
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
+-#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
++#include <openssl/evperr.h>
+ #endif
+
+-/* OpenSSL Backwards Compat APIs */
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+-#include <string.h>
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+- point_conversion_form_t form,
+- unsigned char **pbuf, BN_CTX *ctx);
+-
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
+-
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+-
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+-
+-static inline void *OPENSSL_memdup(const void *dup, size_t l) {
+-
+- void *p = OPENSSL_malloc(l);
+- if (!p) {
+- return NULL;
+- }
+-
+- memcpy(p, dup, l);
+- return p;
+-}
+-
+-#endif
+-
+-#ifndef RSA_PSS_SALTLEN_DIGEST
+-#define RSA_PSS_SALTLEN_DIGEST -1
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
+ #endif
+
+-/* Utility APIs */
+-
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+
+ CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+--
+2.25.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
deleted file mode 100644
index 5c91a5e..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 13:32:05 -0500
-Subject: [PATCH 1/4] test: fix build for gcc11
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes 0 size regions by ignoring them. The test code intentionally does
-bad things.
-
-test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’:
-test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=]
- 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Pending
-Fix out for merge to offical repo
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- test/unit/test_twist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
-index ec66f69f..58d4530a 100644
---- a/test/unit/test_twist.c
-+++ b/test/unit/test_twist.c
-@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) {
- void test_twistbin_new_overflow_1(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0);
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_2(void **state) {
- (void) state;
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *));
- assert_null(actual);
-+#pragma GCC diagnostic pop
- }
-
- void test_twistbin_new_overflow_3(void **state) {
-@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) {
- twist actual = twistbin_aappend(expected, NULL, 42);
- assert_ptr_equal((void * )actual, (void * )expected);
-
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- assert_ptr_equal((void * )actual, (void * )expected);
-+#pragma GCC diagnostic pop
-
- twist_free(actual);
- }
-
-From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 11:52:23 -0500
-Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy
-
-cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
-| make: *** Waiting for unfinished jobs....
-| In file included from src/lib/mutex.h:10,
-| from src/lib/session_ctx.h:6,
-| from src/lib/digest.h:13,
-| from src/lib/tpm.c:28:
-| In function 'str_padded_copy',
-| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
-| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
-| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
-| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-| src/lib/utils.h: In function 'tpm_get_token_info':
-| src/lib/tpm.c:739:19: note: source object declared here
-| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
-| | ^~~~~~~~~~~~~~
-| cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
-| WARNING: exit code 1 from a shell command.
-
-Fixes #676
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.c | 8 ++++----
- src/lib/general.h | 2 +-
- src/lib/slot.c | 4 ++--
- src/lib/token.c | 4 ++--
- src/lib/tpm.c | 7 +++----
- src/lib/utils.h | 6 ++++--
- 6 files changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/src/lib/general.c b/src/lib/general.c
-index 9b7327c1..eaddaf82 100644
---- a/src/lib/general.c
-+++ b/src/lib/general.c
-@@ -19,8 +19,8 @@
- #define VERSION "UNKNOWN"
- #endif
-
--#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
--#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
-+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
-+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
-
- #define CRYPTOKI_VERSION { \
- .major = CRYPTOKI_VERSION_MAJOR, \
-@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
-
- static CK_INFO *_info = NULL;
- if (!_info) {
-- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
-- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
-+ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
-+ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
-
- parse_lib_version(&_info_.libraryVersion.major,
- &_info_.libraryVersion.minor);
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 14a18e46..356c142d 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -10,7 +10,7 @@
- #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
- #define TPM2_TOKEN_MANUFACTURER "Intel"
- #define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
--#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000"
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
- #define TPM2_TOKEN_HW_VERSION { 0, 0 }
- #define TPM2_TOKEN_FW_VERSION { 0, 0 }
-
-diff --git a/src/lib/slot.c b/src/lib/slot.c
-index 548d22b5..6db5bb93 100644
---- a/src/lib/slot.c
-+++ b/src/lib/slot.c
-@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
- return CKR_GENERAL_ERROR;
- }
-
-- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
-- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
-+ str_padded_copy(info->manufacturerID, token_info.manufacturerID);
-+ str_padded_copy(info->slotDescription, token_info.label);
-
- info->hardwareVersion = token_info.hardwareVersion;
- info->firmwareVersion = token_info.firmwareVersion;
-diff --git a/src/lib/token.c b/src/lib/token.c
-index 6d7ebd27..c7211296 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
- }
-
- // Identification
-- str_padded_copy(info->label, t->label, sizeof(info->label));
-- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
-+ str_padded_copy(info->label, t->label);
-+ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
-
-
- // Memory: TODO not sure what memory values should go here, the platform?
-diff --git a/src/lib/tpm.c b/src/lib/tpm.c
-index 1639df48..7f9f052a 100644
---- a/src/lib/tpm.c
-+++ b/src/lib/tpm.c
-@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
- UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
- memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
-- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
-+ str_padded_copy(info->manufacturerID, manufacturerID);
-
- // Map human readable Manufacturer String, if available,
- // otherwise 4 byte ID was already padded and will be used.
- for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
- if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
- str_padded_copy(info->manufacturerID,
-- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
-- sizeof(info->manufacturerID));
-+ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
- }
- }
-
-@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
- vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
- vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
- vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
-- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
-+ str_padded_copy(info->model, (unsigned char*) &vendor);
-
- return CKR_OK;
- }
-diff --git a/src/lib/utils.h b/src/lib/utils.h
-index 81c61fae..cf357464 100644
---- a/src/lib/utils.h
-+++ b/src/lib/utils.h
-@@ -39,9 +39,11 @@
-
- int str_to_ul(const char *val, size_t *res);
-
--static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
-+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
-+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
- memset(dst, ' ', dst_len);
-- memcpy(dst, src, strnlen((char *)(src), dst_len));
-+ memcpy(dst, src, src_len);
-+ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
- }
-
- twist utils_hash_pass(const twist pin, const twist salt);
-
-From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:09:27 -0500
-Subject: [PATCH 3/4] general: drop unused macros
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 356c142d..b3089554 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,17 +7,7 @@
-
- #include "pkcs11.h"
-
--#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token"
--#define TPM2_TOKEN_MANUFACTURER "Intel"
--#define TPM2_TOKEN_MODEL "TPM2 PKCS#11"
- static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--#define TPM2_TOKEN_HW_VERSION { 0, 0 }
--#define TPM2_TOKEN_FW_VERSION { 0, 0 }
--
--#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki"
--#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER
--#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION
--#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION
-
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
-
-From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:11:04 -0500
-Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 2 --
- src/lib/token.c | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index b3089554..9afd61ec 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,8 +7,6 @@
-
- #include "pkcs11.h"
-
--static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
- CK_RV general_get_info(CK_INFO *info);
-diff --git a/src/lib/token.c b/src/lib/token.c
-index c7211296..63a9a71b 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -20,6 +20,8 @@
- #include "token.h"
- #include "utils.h"
-
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
-+
- void pobject_config_free(pobject_config *c) {
-
- if (c->is_transient) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
similarity index 89%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
index fdeda26..3a0917a 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
@@ -6,13 +6,14 @@
DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
file://bootstrap_fixup.patch \
file://0001-remove-local-binary-checkes.patch \
- file://677.patch \
+ file://0001-ssl-compile-against-OSSL-3.0.patch \
+ file://0002-ossl-require-version-1.1.0-or-greater.patch \
"
-SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273"
+SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 47113d2..2bf1eed 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -4,7 +4,7 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git;branch=master;protocol=https \
file://configure_oe_fixup.patch \
file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
file://fix_header_file.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
similarity index 80%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index dbd324a..6e95a0e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -8,6 +8,6 @@
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1"
+SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
index dfebc07..d324e33 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
@@ -10,7 +10,7 @@
PE = "1"
SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
inherit autotools-brokensep pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 3069b1f..4d1f425 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -9,7 +9,7 @@
DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https"
inherit autotools-brokensep pkgconfig systemd
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
index 6470879..1a36a5b 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
@@ -15,7 +15,7 @@
PACKAGECONFIG ??= ""
PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
-PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c "
EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
EXTRA_OECONF:remove = " --disable-static"
@@ -73,6 +73,11 @@
${libdir}/libtss2*so"
FILES:libtss2-staticdev = "${libdir}/libtss*a"
-FILES:${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev"
+FILES:${PN} = "\
+ ${libdir}/udev \
+ ${nonarch_base_libdir}/udev \
+ ${sysconfdir}/tmpfiles.d \
+ ${sysconfdir}/tpm2-tss \
+ ${sysconfdir}/sysusers.d"
RDEPENDS:libtss2 = "libgcrypt"