meta-security: subtree update:a85fbe980e..c20b35b527

Anton Antonov (1):
      Parsec service. Update PACKAGECONFIG definitions and README.md

Armin Kuster (20):
      python3-fail2ban: fix build failure and cleanup
      meta-parsec/README: remove rust layer req.
      opendnssec: blacklist do to ldns being blacklisted
      apparmor: Add a python 3.10 compatability patch
      tpm2-tools: update to 5.2
      openssl-tpm-engine: fix build issue with openssl 3
      tpm2-openssl: add new pkg
      tpm2-pkcs11: update to 1.7.0
      recipes: Update SRC_URI branch and protocols
      sssd: Create /var/log/sssd in runtime
      bastille: Create /var/log/Bastille in runtime
      python3-fail2ban: remove /run
      tpm2-pkcs11: update to 1.7.0
      libest: does not build with openssl 3.x
      clamav: fix useradd warning
      python3-fail2ban: update to tip
      tpm2-pkcs11: backport openssl 3.x build fixes
      packagegroup-security-tpm2: drop ibmswtpm2
      meta-integrity: drop strongswan bbappends
      meta-tpm: drop strongswan bbappends

Kai Kang (2):
      sssd: re-package to fix QA issues
      apparmor: fix warning of remove operator combined with +=

Kristian Klausen (2):
      swtpm: update to 0.6.1
      dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS

Liwei Song (1):
      recipes-security/chipsec: platform security assessment framework

Stefan Mueller-Klieser (1):
      tpm2-tss: fix fapi package config

Yi Zhao (2):
      openssl-tpm-engine: fix warning for append operator combined with +=
      meta-parsec/README.md: fix for append operator combined with +=

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
deleted file mode 100644
index 8250282..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/files/0001-xfrmi-Only-build-if-libcharon-is-built.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From db772305c6baa01f6c6750be74733e4bfc1d6106 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Tue, 14 Apr 2020 10:44:19 +0200
-Subject: [PATCH] xfrmi: Only build if libcharon is built
-
-The kernel-netlink plugin is only built if libcharon is.
-
-Closes strongswan/strongswan#167.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/Makefile.am | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-Index: strongswan-5.8.4/src/Makefile.am
-===================================================================
---- strongswan-5.8.4.orig/src/Makefile.am
-+++ strongswan-5.8.4/src/Makefile.am
-@@ -42,6 +42,9 @@ endif
- 
- if USE_LIBCHARON
-   SUBDIRS += libcharon
-+if USE_KERNEL_NETLINK
-+  SUBDIRS += xfrmi
-+endif
- endif
- 
- if USE_FILE_CONFIG
-@@ -143,7 +146,3 @@ endif
- if USE_TPM
-   SUBDIRS += tpm_extendpcr
- endif
--
--if USE_KERNEL_NETLINK
--  SUBDIRS += xfrmi
--endif
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
deleted file mode 100644
index 497474f..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan-tpm.inc
+++ /dev/null
@@ -1,12 +0,0 @@
-FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-
-DEPENDS = "libtspi"
-
-SRC_URI:append = " file://0001-xfrmi-Only-build-if-libcharon-is-built.patch"
-
-PACKAGECONFIG += "aikgen tpm"
-
-PACKAGECONFIG[tpm] = "--enable-tpm,--disable-tpm,,"
-PACKAGECONFIG[aikgen] = "--enable-aikgen,--disable-aikgen,,"
-
-EXTRA_OECONF += "--with-linux-headers=${STAGING_KERNEL_DIR}"
diff --git a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend b/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
deleted file mode 100644
index 34757bb..0000000
--- a/meta-security/meta-tpm/dynamic-layers/meta-networking/recipes-support/strongswan/strongswan_5.%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'tpm', 'strongswan-tpm.inc', '', d)}
diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
index 764b2e5..b8324e5 100644
--- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
+++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -18,5 +18,4 @@
     libtss2-tcti-mssim \
     tpm2-abrmd \
     tpm2-pkcs11 \
-    ibmswtpm2 \
     "
diff --git a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
index 95ba5c5..8fe62cf 100644
--- a/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
+++ b/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_0.8.7.bb
@@ -3,7 +3,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e73f0786a936da3814896df06ad225a9"
 
 SRCREV = "f6dd8f55eab4910131ec6a6a570dcd7951bd10e4"
-SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8"
+SRC_URI = "git://github.com/stefanberger/libtpms.git;branch=stable-0.8;protocol=https"
 
 PE = "1"
 
diff --git a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
index 9ad8967..2b969ed 100644
--- a/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.5.0.bb
@@ -8,7 +8,7 @@
 DEPENDS += "openssl trousers"
 
 SRC_URI = "\
-    git://github.com/mgerstner/openssl_tpm_engine.git \
+    git://github.com/mgerstner/openssl_tpm_engine.git;branch=master;protocol=https \
     file://0001-create-tpm-key-support-well-known-key-option.patch \
     file://0002-libtpm-support-env-TPM_SRK_PW.patch \
     file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
@@ -35,10 +35,10 @@
 srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
 srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
 
-CFLAGS:append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+CFLAGS:append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
 
 # Uncomment below line if using the plain srk password for development
-#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+#CFLAGS:append = " -DTPM_SRK_PLAIN_PW"
 
 do_configure:prepend() {
     cd ${B}
@@ -46,17 +46,17 @@
     touch NEWS AUTHORS ChangeLog README
 }
 
-FILES:${PN}-staticdev += "${libdir}/ssl/engines-1.1/tpm.la"
+FILES:${PN}-staticdev += "${libdir}/ssl/engines-3/tpm.la"
 FILES:${PN}-dbg += "\
-    ${libdir}/ssl/engines-1.1/.debug \
-    ${libdir}/engines-1.1/.debug \
-    ${prefix}/local/ssl/lib/engines-1.1/.debug \
+    ${libdir}/ssl/engines-3/.debug \
+    ${libdir}/engines-3/.debug \
+    ${prefix}/local/ssl/lib/engines-3/.debug \
 "
 FILES:${PN} += "\
-    ${libdir}/ssl/engines-1.1/tpm.so* \
-    ${libdir}/engines-1.1/tpm.so* \
+    ${libdir}/ssl/engines-3/tpm.so* \
+    ${libdir}/engines-3/tpm.so* \
     ${libdir}/libtpm.so* \
-    ${prefix}/local/ssl/lib/engines-1.1/tpm.so* \
+    ${prefix}/local/ssl/lib/engines-3/tpm.so* \
 "
 
 RDEPENDS:${PN} += "libcrypto libtspi"
diff --git a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
index f8347b7..77f65ae 100644
--- a/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -9,7 +9,7 @@
 PV = "0.1+git${SRCPV}"
 SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
 
-SRC_URI = "git://github.com/flihp/pcr-extend.git \
+SRC_URI = "git://github.com/flihp/pcr-extend.git;branch=master;protocol=https \
            file://fix_openssl11_build.patch "
 
 inherit autotools
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
index 644f3ac..bb93374 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -1,6 +1,6 @@
 SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
 LICENSE = "MIT"
-DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+DEPENDS = "swtpm-native"
 
 inherit native
 
@@ -14,23 +14,19 @@
     for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
         exe=`basename $i`
         case $exe in
-            swtpm_setup.sh)
+            swtpm_setup)
                 cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
 #! /bin/sh
 #
-# Wrapper around swtpm_setup.sh which adds parameters required to
+# Wrapper around swtpm_setup which adds parameters required to
 # run the setup as non-root directly from the native sysroot.
 
 PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
 export PATH
 
-# tcsd only allows to be run as root or tss. Pretend to be root...
-exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+exec swtpm_setup --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
 EOF
                 ;;
-            swtpm_setup)
-                true
-                ;;
             *)
                 cat >${WORKDIR}/${exe}_oe.sh <<EOF
 #! /bin/sh
diff --git a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
similarity index 68%
rename from meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
rename to meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
index 912e939..63734b9 100644
--- a/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.5.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_0.6.1.bb
@@ -3,14 +3,11 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
 SECTION = "apps"
 
-DEPENDS = "libtasn1 coreutils-native expect socat glib-2.0 net-tools-native libtpm libtpm-native"
+# expect-native, socat-native, coreutils-native and net-tools-native are reportedly only required for the tests
+DEPENDS = "libtasn1 coreutils-native expect-native socat-native glib-2.0 net-tools-native libtpm json-glib"
 
-# configure checks for the tools already during compilation and
-# then swtpm_setup needs them at runtime
-DEPENDS:append = " tpm-tools-native expect-native socat-native python3-pip-native python3-cryptography-native"
-
-SRCREV = "e59c0c1a7b4c8d652dbb280fd6126895a7057464"
-SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.5 \
+SRCREV = "98187d24fe14851653a7c46eb16e9c5f0b9beaa1"
+SRC_URI = "git://github.com/stefanberger/swtpm.git;branch=stable-0.6;protocol=https \
            file://ioctl_h.patch \
            file://oe_configure.patch \
            "
@@ -19,7 +16,7 @@
 S = "${WORKDIR}/git"
 
 PARALLEL_MAKE = ""
-inherit autotools pkgconfig python3native
+inherit autotools pkgconfig perlnative
 
 TSS_USER="tss"
 TSS_GROUP="tss"
@@ -28,7 +25,10 @@
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG += "${@bb.utils.contains('BBFILE_COLLECTIONS', 'filesystems-layer', 'cuse', '', d)}"
 PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
-PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+# expect, bash, tpm2-pkcs11-tools (tpm2_ptool), tpmtool and certtool is
+# used by swtpm-create-tpmca (the last two is provided by gnutls)
+# gnutls is required by: swtpm-create-tpmca, swtpm-localca and swtpm_cert
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls, gnutls, expect bash tpm2-pkcs11-tools"
 PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
 PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
 PACKAGECONFIG[seccomp] = "--with-seccomp, --without-seccomp, libseccomp"
@@ -41,14 +41,11 @@
     --no-create-home  --shell /bin/false ${BPN}"
 
 
-PACKAGES =+ "${PN}-python"
-FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
-
 PACKAGE_BEFORE_PN = "${PN}-cuse"
 FILES:${PN}-cuse = "${bindir}/swtpm_cuse"
 
 INSANE_SKIP:${PN}   += "dev-so"
 
-RDEPENDS:${PN} = "libtpm expect socat bash tpm-tools python3 python3-cryptography python3-twisted"
+RDEPENDS:${PN} = "libtpm"
 
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
index 53cf8ff..4672bba 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -15,7 +15,7 @@
 
 DEPENDS = "libtspi tpm-tools"
 
-SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools"
+SRC_URI = "git://git.code.sf.net/p/tpmquotetools/tpm-quote-tools;branch=master"
 SRCREV = "4511874d5c9b4504bb96e94f8a14bd6c39a36295"
 
 S = "${WORKDIR}/git"
diff --git a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
index dbe1647..3b3da4f 100644
--- a/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -14,7 +14,7 @@
 
 SRCREV = "bf43837575c5f7d31865562dce7778eae970052e"
 SRC_URI = " \
-    git://git.code.sf.net/p/trousers/tpm-tools \
+    git://git.code.sf.net/p/trousers/tpm-tools;branch=master \
     file://tpm-tools-extendpcr.patch \
     file://04-fix-FTBFS-clang.patch \
     file://openssl1.1_fix.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
index 5e03b71..192c66c 100644
--- a/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
+++ b/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -10,7 +10,7 @@
 PV = "0.3.15+git${SRCPV}"
 
 SRC_URI = " \
-	git://git.code.sf.net/p/trousers/trousers \
+	git://git.code.sf.net/p/trousers/trousers;branch=master \
     	file://trousers.init.sh \
     	file://trousers-udev.rules \
     	file://tcsd.service \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
index b80ef79..1818171 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/tpm2-abrmd_2.4.0.bb
@@ -13,7 +13,7 @@
             libtss2 libtss2-mu libtss2-tcti-device libtss2-tcti-mssim"
 
 SRC_URI = "\
-    git://github.com/tpm2-software/tpm2-abrmd.git \
+    git://github.com/tpm2-software/tpm2-abrmd.git;branch=master;protocol=https \
     file://tpm2-abrmd-init.sh \
     file://tpm2-abrmd.default \
 "
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
new file mode 100644
index 0000000..f6a694c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-openssl/tpm2-openssl_1.0.bb
@@ -0,0 +1,11 @@
+SUMMARY = "Provider for integration of TPM 2.0 to OpenSSL 3.0"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b75785ac083d3c3ca04d99d9e4e1fbab"
+
+SRC_URI = "git://github.com/tpm2-software/tpm2-openssl.git;protocol=https;branch=master"
+
+SRCREV = "66e34f9e45c3697590cced1e4d3f35993a822f8b"
+
+S = "${WORKDIR}/git"
+
+inherit pkgconfig
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
new file mode 100644
index 0000000..ac2f92c
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
@@ -0,0 +1,1305 @@
+From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:24:40 -0500
+Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
+
+Compile against OpenSSL. This moves functions non-deprecated things if
+possible and ignores deprecation warnings when not. Padding manipulation
+routines seem to have been marked deprecated in OSSL 3.0, so we need to
+figure out a porting strategy here.
+
+Fixes: #686
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ src/lib/backend_esysdb.c                |   5 +-
+ src/lib/backend_fapi.c                  |   5 +-
+ src/lib/encrypt.c                       |   2 +-
+ src/lib/mech.c                          |  72 +---
+ src/lib/object.c                        |   3 +-
+ src/lib/sign.c                          |   2 +-
+ src/lib/ssl_util.c                      | 531 ++++++++++++++++--------
+ src/lib/ssl_util.h                      |  31 +-
+ src/lib/tpm.c                           |   6 +-
+ src/lib/utils.c                         |  35 +-
+ src/lib/utils.h                         |  13 -
+ test/integration/pkcs-sign-verify.int.c |  94 ++---
+ 12 files changed, 441 insertions(+), 358 deletions(-)
+
+Index: git/src/lib/backend_esysdb.c
+===================================================================
+--- git.orig/src/lib/backend_esysdb.c
++++ git/src/lib/backend_esysdb.c
+@@ -3,6 +3,7 @@
+ #include "config.h"
+ #include "backend_esysdb.h"
+ #include "db.h"
++#include "ssl_util.h"
+ #include "tpm.h"
+ 
+ CK_RV backend_esysdb_init(void) {
+@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
+     }
+ 
+     twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
+-    twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++    twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+     if (!sealobjauth) {
+         rv = CKR_HOST_MEMORY;
+         goto error;
+@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
+      */
+     twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
+ 
+-    twist oldauth = utils_hash_pass(toldpin, oldsalt);
++    twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
+     if (!oldauth) {
+         goto out;
+     }
+Index: git/src/lib/backend_fapi.c
+===================================================================
+--- git.orig/src/lib/backend_fapi.c
++++ git/src/lib/backend_fapi.c
+@@ -11,6 +11,7 @@
+ #include "backend_fapi.h"
+ #include "emitter.h"
+ #include "parser.h"
++#include "ssl_util.h"
+ #include "utils.h"
+ 
+ #ifdef HAVE_FAPI
+@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
+     }
+ 
+     twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
+-    twist sealobjauth = utils_hash_pass(tpin, sealsalt);
++    twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
+     if (!sealobjauth) {
+         rv = CKR_HOST_MEMORY;
+         goto error;
+@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
+     }
+     rv = CKR_GENERAL_ERROR;
+ 
+-    oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
++    oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
+     if (!oldauth) {
+         goto out;
+     }
+Index: git/src/lib/encrypt.c
+===================================================================
+--- git.orig/src/lib/encrypt.c
++++ git/src/lib/encrypt.c
+@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
+ CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
+ 
+     EVP_PKEY *pkey = NULL;
+-    CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
++    CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+     if (rv != CKR_OK) {
+         return rv;
+     }
+Index: git/src/lib/mech.c
+===================================================================
+--- git.orig/src/lib/mech.c
++++ git/src/lib/mech.c
+@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
+     }
+ 
+     int nid = 0;
+-    CK_RV rv = ec_params_to_nid(a, &nid);
++    CK_RV rv = ssl_util_params_to_nid(a, &nid);
+     if (rv != CKR_OK) {
+         return rv;
+     }
+@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
+     }
+ 
+     /* Apply the PKCS1.5 padding */
+-    int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
+-            inbuf, inlen);
+-    if (!rc) {
++    CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
++            outbuf, padded_len);
++    if (rv != CKR_OK) {
+         LOGE("Applying RSA padding failed");
+-        return CKR_GENERAL_ERROR;
++        return rv;
+     }
+ 
+     *outlen = padded_len;
+@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
+     size_t key_bytes = *keybits / 8;
+ 
+     unsigned char buf[4096];
+-    int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
+-                                       inbuf, inlen,
+-                                       key_bytes);
+-    if (rc < 0) {
++    CK_ULONG buflen = sizeof(buf);
++    CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
++            buf, &buflen);
++    if (rv != CKR_OK) {
+         LOGE("Could not recover CKM_RSA_PKCS Padding");
+-        return CKR_GENERAL_ERROR;
++        return rv;
+     }
+ 
+-    /* cannot be < 0 because of check above */
+-    if (!outbuf || (unsigned)rc > *outlen) {
+-        *outlen = rc;
++    if (!outbuf || buflen > *outlen) {
++        *outlen = buflen;
+         return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
+     }
+ 
+-    *outlen = rc;
+-    memcpy(outbuf, buf, rc);
++    *outlen = buflen;
++    memcpy(outbuf, buf, buflen);
+ 
+     return CKR_OK;
+ }
+@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
+         return CKR_GENERAL_ERROR;
+     }
+ 
+-    CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+-    if (!exp_attr) {
+-        LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+     if (modulus_attr->ulValueLen > *outlen) {
+         LOGE("Output buffer is too small, got: %lu, required at least %lu",
+                 *outlen, modulus_attr->ulValueLen);
+         return CKR_GENERAL_ERROR;
+     }
+ 
+-    BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
+-    if (!e) {
+-        LOGE("Could not convert exponent to bignum");
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+-    BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
+-    if (!n) {
+-        LOGE("Could not convert modulus to bignum");
+-        BN_free(e);
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+-    RSA *rsa = RSA_new();
+-    if (!rsa) {
+-        LOGE("oom");
+-        return CKR_HOST_MEMORY;
+-    }
+-
+-    int rc = RSA_set0_key(rsa, n, e, NULL);
+-    if (!rc) {
+-        LOGE("Could not set modulus and exponent to OSSL RSA key");
+-        BN_free(n);
+-        BN_free(e);
+-        RSA_free(rsa);
+-        return CKR_GENERAL_ERROR;
++    EVP_PKEY *pkey = NULL;
++    rv = ssl_util_attrs_to_evp(attrs, &pkey);
++    if (rv != CKR_OK) {
++        return rv;
+     }
+ 
+-    rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
+-            inbuf, md, -1);
+-    RSA_free(rsa);
+-    if (!rc) {
++    rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
++    EVP_PKEY_free(pkey);
++    if (rv != CKR_OK) {
+         LOGE("Applying RSA padding failed");
+         return CKR_GENERAL_ERROR;
+     }
+Index: git/src/lib/object.c
+===================================================================
+--- git.orig/src/lib/object.c
++++ git/src/lib/object.c
+@@ -15,6 +15,7 @@
+ #include "object.h"
+ #include "pkcs11.h"
+ #include "session_ctx.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+ 
+@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
+         }
+ 
+         int nid = 0;
+-        CK_RV rv = ec_params_to_nid(a, &nid);
++        CK_RV rv = ssl_util_params_to_nid(a, &nid);
+         if (rv != CKR_OK) {
+             return rv;
+         }
+Index: git/src/lib/sign.c
+===================================================================
+--- git.orig/src/lib/sign.c
++++ git/src/lib/sign.c
+@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
+     }
+ 
+     EVP_PKEY *pkey = NULL;
+-    rv = ssl_util_tobject_to_evp(&pkey, tobj);
++    rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+     if (rv != CKR_OK) {
+         return NULL;
+     }
+Index: git/src/lib/ssl_util.c
+===================================================================
+--- git.orig/src/lib/ssl_util.c
++++ git/src/lib/ssl_util.c
+@@ -10,6 +10,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/sha.h>
+ 
++#include "attrs.h"
+ #include "log.h"
+ #include "pkcs11.h"
+ #include "ssl_util.h"
+@@ -19,194 +20,228 @@
+ #include <openssl/evperr.h>
+ #endif
+ 
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#include <openssl/core_names.h>
++#endif
+ 
+ /*
+- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
+- * create an API compatible version of it.
++ * TODO Port these routines
++ * Deprecated function block to port
++ *
++ * There are no padding routine replacements in OSSL 3.0.
++ *   - per Matt Caswell (maintainer) on mailing list.
++ * Signature verification can likely be done with EVP Verify interface.
+  */
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+-                          point_conversion_form_t form,
+-                          unsigned char **pbuf, BN_CTX *ctx) {
+-
+-    /* Get the required buffer length */
+-    size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
+-    if (!len) {
+-        return 0;
+-    }
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++#endif
+ 
+-    /* allocate it */
+-    unsigned char *buf = OPENSSL_malloc(len);
+-    if (!buf) {
+-        return 0;
+-    }
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++        const CK_BYTE_PTR inbuf, const EVP_MD *md,
++        CK_BYTE_PTR outbuf) {
+ 
+-    /* convert it */
+-    len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
+-    if (!len) {
+-        OPENSSL_free(buf);
+-        return 0;
++    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
++    if (!rsa) {
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    *pbuf = buf;
+-    return len;
+-}
++    int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
++        inbuf, md, -1);
+ 
+-size_t OBJ_length(const ASN1_OBJECT *obj) {
++    return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
++}
+ 
+-    if (!obj) {
+-        return 0;
+-    }
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++        CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
+ 
+-    return obj->length;
++    return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
++            inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
+ }
+ 
+-const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++        CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
+ 
+-    if (!obj) {
+-        return NULL;
++    int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
++               inbuf, inlen, rsa_len);
++    if (rc < 0) {
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    return obj->data;
++    /* cannot be negative due to check above */
++    *outbuflen = rc;
++    return CKR_OK;
+ }
+ 
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
+-    return ASN1_STRING_data((ASN1_STRING *)x);
+-}
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
++#pragma GCC diagnostic pop
++#endif
+ 
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
+ 
+-    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+-        return 0;
+-    }
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
++
++    OSSL_PARAM params[] = {
++        OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
++        OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
++        OSSL_PARAM_END
++    };
+ 
+-    if (n != NULL) {
+-        BN_free(r->n);
+-        r->n = n;
++    /* convert params to EVP key */
++    EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
++    if (!evp_ctx) {
++        SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    if (e != NULL) {
+-        BN_free(r->e);
+-        r->e = e;
++    int rc = EVP_PKEY_fromdata_init(evp_ctx);
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
++        EVP_PKEY_CTX_free(evp_ctx);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    if (d != NULL) {
+-        BN_free(r->d);
+-        r->d = d;
++    rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++        EVP_PKEY_CTX_free(evp_ctx);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    return 1;
++    EVP_PKEY_CTX_free(evp_ctx);
++
++    return CKR_OK;
+ }
+ 
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
++
++    /*
++     * The simplest way I have found to deal with this is to convert the ASN1 object in
++     * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
++     * then take the int nid and convert it to a friendly name like prime256v1.
++     * EVP_PKEY_fromdata can handle group by name.
++     *
++     * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
++     */
++    int curve_id = 0;
++    CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
++    if (rv != CKR_OK) {
++        LOGE("Could not get nid from params");
++        return rv;
++    }
+ 
+-    if (!r || !s) {
+-        return 0;
++    /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
++    const unsigned char *x = ecpoint->pValue;
++    ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
++    if (!os) {
++        SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    BN_free(sig->r);
+-    BN_free(sig->s);
++    OSSL_PARAM params[] = {
++        OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
++        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
++        OSSL_PARAM_END
++    };
+ 
+-    sig->r = r;
+-    sig->s = s;
++    /* convert params to EVP key */
++    EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
++    if (!evp_ctx) {
++        SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
++        OPENSSL_free(os);
++        return CKR_GENERAL_ERROR;
++    }
+ 
+-    return 1;
+-}
++    int rc = EVP_PKEY_fromdata_init(evp_ctx);
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
++        EVP_PKEY_CTX_free(evp_ctx);
++        OPENSSL_free(os);
++        return CKR_GENERAL_ERROR;
++    }
+ 
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
+-    if (pkey->type != EVP_PKEY_EC) {
+-        return NULL;
++    rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_PKEY_fromdata");
++        EVP_PKEY_CTX_free(evp_ctx);
++        OPENSSL_free(os);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    return pkey->pkey.ec;
++    EVP_PKEY_CTX_free(evp_ctx);
++    OPENSSL_free(os);
++
++    return CKR_OK;
+ }
+-#endif
+ 
+-static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
++#else
+ 
+-    RSA *rsa = NULL;
+-    BIGNUM *e = NULL, *n = NULL;
++static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
+ 
+-    CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
+-    if (!exp) {
+-        LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
++    BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
++    if (!e) {
++        LOGE("Could not convert exponent to bignum");
+         return CKR_GENERAL_ERROR;
+     }
+ 
+-    CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
+-    if (!mod) {
+-        LOGE("RSA Object must have attribute CKA_MODULUS");
++    BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
++    if (!n) {
++        LOGE("Could not convert modulus to bignum");
++        BN_free(e);
+         return CKR_GENERAL_ERROR;
+     }
+ 
+-    rsa = RSA_new();
++    RSA *rsa = RSA_new();
+     if (!rsa) {
+-        SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
+-        goto error;
++        LOGE("oom");
++        return CKR_HOST_MEMORY;
+     }
+ 
+-    e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
+-    if (!e) {
+-        SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
+-        goto error;
++    int rc = RSA_set0_key(rsa, n, e, NULL);
++    if (!rc) {
++        LOGE("Could not set modulus and exponent to OSSL RSA key");
++        BN_free(n);
++        BN_free(e);
++        RSA_free(rsa);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
+-    if (!n) {
+-        SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
+-        goto error;
++    /* assigned to RSA key */
++    n = e = NULL;
++
++    EVP_PKEY *pkey = EVP_PKEY_new();
++    if (!pkey) {
++        SSL_UTIL_LOGE("EVP_PKEY_new");
++        RSA_free(rsa);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    if (!RSA_set0_key(rsa, n, e, NULL)) {
+-        SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
++    rc = EVP_PKEY_assign_RSA(pkey, rsa);
++    if (rc != 1) {
+         RSA_free(rsa);
+-        BN_free(e);
+-        BN_free(n);
+-        goto error;
++        EVP_PKEY_free(pkey);
++        return CKR_GENERAL_ERROR;
+     }
+ 
+-    *outkey = rsa;
++    *out_pkey = pkey;
+ 
+     return CKR_OK;
+-
+-error:
+-    RSA_free(rsa);
+-    if (e) {
+-        BN_free(e);
+-    }
+-    if (n) {
+-        BN_free(n);
+-    }
+-
+-    return CKR_GENERAL_ERROR;
+ }
+ 
+-static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
++static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
+ 
+-    EC_KEY *key = EC_KEY_new();
+-    if (!key) {
++    EC_KEY *ecc = EC_KEY_new();
++    if (!ecc) {
+         LOGE("oom");
+         return CKR_HOST_MEMORY;
+     }
+ 
+-    CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
+-    if (!ecparams) {
+-        LOGE("ECC Key must have attribute CKA_EC_PARAMS");
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+-    CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
+-    if (!ecpoint) {
+-        LOGE("ECC Key must have attribute CKA_EC_POINT");
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+     /* set params */
+     const unsigned char *x = ecparams->pValue;
+-    EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
++    EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
+     if (!k) {
+         SSL_UTIL_LOGE("Could not update key with EC Parameters");
+-        EC_KEY_free(key);
++        EC_KEY_free(ecc);
+         return CKR_GENERAL_ERROR;
+     }
+ 
+@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
+     ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
+     if (os) {
+         x = os->data;
+-        k = o2i_ECPublicKey(&key, &x, os->length);
++        k = o2i_ECPublicKey(&ecc, &x, os->length);
+         ASN1_STRING_free(os);
+         if (!k) {
+             SSL_UTIL_LOGE("Could not update key with EC Points");
+-            EC_KEY_free(key);
++            EC_KEY_free(ecc);
+             return CKR_GENERAL_ERROR;
+         }
+     }
+ 
+-    *outkey = key;
++    EVP_PKEY *pkey = EVP_PKEY_new();
++    if (!pkey) {
++        SSL_UTIL_LOGE("EVP_PKEY_new");
++        EC_KEY_free(ecc);
++        return CKR_GENERAL_ERROR;
++    }
++
++    int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
++    if (!rc) {
++        SSL_UTIL_LOGE("Could not set pkey with ec key");
++        EC_KEY_free(ecc);
++        EVP_PKEY_free(pkey);
++        return CKR_GENERAL_ERROR;
++    }
++
++    *out_pkey = pkey;
+     return CKR_OK;
+ }
++#endif
+ 
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
+ 
+-    CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
++    CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
+     if (!a) {
+         LOGE("Expected object to have attribute CKA_KEY_TYPE");
+         return CKR_KEY_TYPE_INCONSISTENT;
+@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
+            return CKR_OK;
+     }
+ 
+-    EVP_PKEY *pkey = EVP_PKEY_new();
+-    if (!pkey) {
+-        LOGE("oom");
+-        return CKR_HOST_MEMORY;
+-    }
++    EVP_PKEY *pkey = NULL;
+ 
+     if (key_type == CKK_EC) {
+-        EC_KEY *e = NULL;
+-        rv = convert_pubkey_ECC(&e, obj->attrs);
+-        if (rv != CKR_OK) {
+-            return rv;
++
++        CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
++        if (!ecparams) {
++            LOGE("ECC Key must have attribute CKA_EC_PARAMS");
++            return CKR_GENERAL_ERROR;
+         }
+-        int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
+-        if (!rc) {
+-            SSL_UTIL_LOGE("Could not set pkey with ec key");
+-            EC_KEY_free(e);
+-            EVP_PKEY_free(pkey);
++
++        CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
++        if (!ecpoint) {
++            LOGE("ECC Key must have attribute CKA_EC_POINT");
+             return CKR_GENERAL_ERROR;
+         }
+-    } else if (key_type == CKK_RSA) {
+-        RSA *r = NULL;
+-        rv = convert_pubkey_RSA(&r, obj->attrs);
++
++        rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
+         if (rv != CKR_OK) {
+             return rv;
+         }
+-        int rc = EVP_PKEY_assign_RSA(pkey, r);
+-        if (!rc) {
+-            SSL_UTIL_LOGE("Could not set pkey with rsa key");
+-            RSA_free(r);
+-            EVP_PKEY_free(pkey);
++
++    } else if (key_type == CKK_RSA) {
++
++        CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
++        if (!exp) {
++            LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
+             return CKR_GENERAL_ERROR;
+         }
++
++        CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
++        if (!mod) {
++            LOGE("RSA Object must have attribute CKA_MODULUS");
++            return CKR_GENERAL_ERROR;
++        }
++
++        rv = get_RSA_evp_pubkey(exp, mod, &pkey);
++        if (rv != CKR_OK) {
++            return rv;
++        }
++
+     } else {
+         LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
+-        EVP_PKEY_free(pkey);
+         return CKR_KEY_TYPE_INCONSISTENT;
+     }
+ 
++    assert(pkey);
+     *outpkey = pkey;
+ 
+     return CKR_OK;
+@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+         }
+     }
+ 
+-    rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
+-    if (!rc) {
+-        SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
+-        goto error;
++    if (md) {
++        rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
++        if (!rc) {
++            SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
++            goto error;
++        }
+     }
+ 
+     *outpkey_ctx = pkey_ctx;
+@@ -421,21 +482,12 @@ error:
+     return CKR_GENERAL_ERROR;
+ }
+ 
+-static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
+-        int padding, const EVP_MD *md,
+-        CK_BYTE_PTR digest, CK_ULONG digest_len,
+-        CK_BYTE_PTR signature, CK_ULONG signature_len) {
++static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
++        const unsigned char *sig, size_t siglen,
++        const unsigned char *tbs, size_t tbslen) {
+ 
+     CK_RV rv = CKR_GENERAL_ERROR;
+-
+-    EVP_PKEY_CTX *pkey_ctx = NULL;
+-    rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
+-            EVP_PKEY_verify_init, &pkey_ctx);
+-    if (rv != CKR_OK) {
+-        return rv;
+-    }
+-
+-    int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++    int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
+     if (rc < 0) {
+         SSL_UTIL_LOGE("EVP_PKEY_verify failed");
+     } else if (rc == 1) {
+@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
+         rv = CKR_SIGNATURE_INVALID;
+     }
+ 
+-    EVP_PKEY_CTX_free(pkey_ctx);
+     return rv;
+ }
+ 
+-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
++static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
++        unsigned char  **outbuf, size_t *outlen) {
+ 
+     if (siglen & 1) {
+         LOGE("Expected ECDSA signature length to be even, got : %lu",
+@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
+         return CKR_GENERAL_ERROR;
+     }
+ 
+-    *outsig = ossl_sig;
++    int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
++    if (sig_len <= 0) {
++        if (rc < 0) {
++            SSL_UTIL_LOGE("ECDSA_do_verify failed");
++        } else {
++            LOGE("Expected length to be greater than 0");
++        }
++        ECDSA_SIG_free(ossl_sig);
++        return CKR_GENERAL_ERROR;
++    }
++
++    unsigned char *buf = calloc(1, sig_len);
++    if (!buf) {
++        LOGE("oom");
++        ECDSA_SIG_free(ossl_sig);
++        return CKR_HOST_MEMORY;
++    }
++
++    unsigned char *p = buf;
++    int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
++    if (sig_len2 < 0) {
++        SSL_UTIL_LOGE("ECDSA_do_verify failed");
++        ECDSA_SIG_free(ossl_sig);
++        free(buf);
++        return CKR_GENERAL_ERROR;
++    }
++
++    assert(sig_len == sig_len2);
++
++    ECDSA_SIG_free(ossl_sig);
++
++    *outbuf = buf;
++    *outlen = sig_len;
+ 
+     return CKR_OK;
+ }
+ 
+ static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
++        const EVP_MD *md,
+         CK_BYTE_PTR digest, CK_ULONG digest_len,
+         CK_BYTE_PTR signature, CK_ULONG signature_len) {
+ 
+-    EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
+-    if (!eckey) {
+-        LOGE("Expected EC Key");
+-        return CKR_GENERAL_ERROR;
+-    }
+-
+     /*
+      * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
+      * R + S signatures, so convert it to ASN1 framing.
+@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
+      *   https://github.com/tpm2-software/tpm2-pkcs11/issues/277
+      * For details.
+      */
+-    ECDSA_SIG *ossl_sig = NULL;
+-    CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
++    unsigned char *buf = NULL;
++    size_t buflen = 0;
++    CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
+     if (rv != CKR_OK) {
+         return rv;
+     }
+ 
+-    int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
+-    if (rc < 0) {
+-        ECDSA_SIG_free(ossl_sig);
+-        SSL_UTIL_LOGE("ECDSA_do_verify failed");
+-        return CKR_GENERAL_ERROR;
++    EVP_PKEY_CTX *pkey_ctx = NULL;
++    rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
++            EVP_PKEY_verify_init, &pkey_ctx);
++    if (rv != CKR_OK) {
++        free(buf);
++        return rv;
+     }
+-    ECDSA_SIG_free(ossl_sig);
+ 
+-    return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
++    rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
++
++    EVP_PKEY_CTX_free(pkey_ctx);
++    free(buf);
++
++    return rv;
++}
++
++static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
++        int padding, const EVP_MD *md,
++        CK_BYTE_PTR digest, CK_ULONG digest_len,
++        CK_BYTE_PTR signature, CK_ULONG signature_len) {
++
++    CK_RV rv = CKR_GENERAL_ERROR;
++
++    EVP_PKEY_CTX *pkey_ctx = NULL;
++    rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
++            EVP_PKEY_verify_init, &pkey_ctx);
++    if (rv != CKR_OK) {
++        return rv;
++    }
++
++    rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
++
++    EVP_PKEY_CTX_free(pkey_ctx);
++    return rv;
+ }
+ 
+ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
+@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
+                 digest, digest_len,
+                 signature, signature_len);
+     case EVP_PKEY_EC:
+-        return do_sig_verify_ec(pkey, digest, digest_len,
++        return do_sig_verify_ec(pkey, md, digest, digest_len,
+                 signature, signature_len);
+     default:
+         LOGE("Unknown PKEY type, got: %d", type);
+@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
+     EVP_PKEY_CTX_free(pkey_ctx);
+     return rv;
+ }
++
++twist ssl_util_hash_pass(const twist pin, const twist salt) {
++
++
++    twist out = NULL;
++    unsigned char md[SHA256_DIGEST_LENGTH];
++
++    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
++    if (!ctx) {
++        SSL_UTIL_LOGE("EVP_MD_CTX_new");
++        return NULL;
++    }
++
++    int rc = EVP_DigestInit(ctx, EVP_sha256());
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_DigestInit");
++        goto error;
++    }
++
++    rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_DigestUpdate");
++        goto error;
++    }
++
++    rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_DigestUpdate");
++        goto error;
++    }
++
++    unsigned int len = sizeof(md);
++    rc = EVP_DigestFinal(ctx, md, &len);
++    if (rc != 1) {
++        SSL_UTIL_LOGE("EVP_DigestFinal");
++        goto error;
++    }
++
++    /* truncate the password to 32 characters */
++    out = twist_hex_new((char *)md, sizeof(md)/2);
++
++error:
++    EVP_MD_CTX_free(ctx);
++
++    return out;
++}
++
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
++
++    const unsigned char *p = ecparams->pValue;
++
++    ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
++    if (!a) {
++        LOGE("Unknown CKA_EC_PARAMS value");
++        return CKR_ATTRIBUTE_VALUE_INVALID;
++    }
++
++    *nid = OBJ_obj2nid(a);
++    ASN1_OBJECT_free(a);
++
++    return CKR_OK;
++}
+Index: git/src/lib/ssl_util.h
+===================================================================
+--- git.orig/src/lib/ssl_util.h
++++ git/src/lib/ssl_util.h
+@@ -11,8 +11,8 @@
+ 
+ #include "pkcs11.h"
+ 
++#include "attrs.h"
+ #include "log.h"
+-#include "object.h"
+ #include "twist.h"
+ 
+ #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+@@ -22,6 +22,10 @@
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+ 
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#endif
++
+ /* OpenSSL Backwards Compat APIs */
+ #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+ #include <string.h>
+@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
+ 
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+ 
+-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
++CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+ 
+ CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
+         int padding, twist label, const EVP_MD *md,
+@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
+         fn_EVP_PKEY_init init_fn,
+         EVP_PKEY_CTX **outpkey_ctx);
+ 
++CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
++        const CK_BYTE_PTR inbuf, const EVP_MD *md,
++        CK_BYTE_PTR outbuf);
++
++CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
++        CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
++
++CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
++        CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
++
++twist ssl_util_hash_pass(const twist pin, const twist salt);
++
++/**
++ * Given an attribute of CKA_EC_PARAMS returns the nid value.
++ * @param ecparams
++ *  The DER X9.62 parameters value
++ * @param nid
++ *  The nid to set
++ * @return
++ *  CKR_OK on success.
++ */
++CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
++
+ #endif /* SRC_LIB_SSL_UTIL_H_ */
+Index: git/src/lib/tpm.c
+===================================================================
+--- git.orig/src/lib/tpm.c
++++ git/src/lib/tpm.c
+@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
+     tpm_key_data *keydat = (tpm_key_data *)udata;
+ 
+     int nid = 0;
+-    CK_RV rv = ec_params_to_nid(attr, &nid);
++    CK_RV rv = ssl_util_params_to_nid(attr, &nid);
+     if (rv != CKR_OK) {
+         return rv;
+     }
+@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
+         goto out;
+     }
+ 
+-    int rc = EC_POINT_set_affine_coordinates_GFp(group,
++    int rc = EC_POINT_set_affine_coordinates(group,
+             pub_key_point_tmp,
+             bn_x,
+             bn_y,
+@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
+         goto out;
+     }
+ 
+-    rv = ssl_util_tobject_to_evp(&pkey, tobj);
++    rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
+     if (rv != CKR_OK) {
+         goto out;
+     }
+Index: git/src/lib/utils.c
+===================================================================
+--- git.orig/src/lib/utils.c
++++ git/src/lib/utils.c
+@@ -7,6 +7,7 @@
+ #include <openssl/sha.h>
+ 
+ #include "log.h"
++#include "ssl_util.h"
+ #include "token.h"
+ #include "utils.h"
+ 
+@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
+         pin_to_use = newpin;
+     }
+ 
+-    *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
++    *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
+     if (!*newauthhex) {
+         goto out;
+     }
+@@ -330,22 +331,6 @@ out:
+ 
+ }
+ 
+-twist utils_hash_pass(const twist pin, const twist salt) {
+-
+-
+-    unsigned char md[SHA256_DIGEST_LENGTH];
+-
+-    SHA256_CTX sha256;
+-    SHA256_Init(&sha256);
+-
+-    SHA256_Update(&sha256, pin, twist_len(pin));
+-    SHA256_Update(&sha256, salt, twist_len(salt));
+-    SHA256_Final(md, &sha256);
+-
+-    /* truncate the password to 32 characters */
+-    return twist_hex_new((char *)md, sizeof(md)/2);
+-}
+-
+ size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
+ 
+     switch(mttype) {
+@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
+ 
+     return CKR_OK;
+ }
+-
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
+-
+-    const unsigned char *p = ecparams->pValue;
+-
+-    ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
+-    if (!a) {
+-        LOGE("Unknown CKA_EC_PARAMS value");
+-        return CKR_ATTRIBUTE_VALUE_INVALID;
+-    }
+-
+-    *nid = OBJ_obj2nid(a);
+-    ASN1_OBJECT_free(a);
+-
+-    return CKR_OK;
+-}
+ 
+ CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
+         CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
+Index: git/src/lib/utils.h
+===================================================================
+--- git.orig/src/lib/utils.h
++++ git/src/lib/utils.h
+@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
+     memcpy(dst, src, src_len);
+ }
+ 
+-twist utils_hash_pass(const twist pin, const twist salt);
+-
+ twist aes256_gcm_decrypt(const twist key, const twist objauth);
+ 
+ twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
+@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
+ CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
+ 
+ /**
+- * Given an attribute of CKA_EC_PARAMS returns the nid value.
+- * @param ecparams
+- *  The DER X9.62 parameters value
+- * @param nid
+- *  The nid to set
+- * @return
+- *  CKR_OK on success.
+- */
+-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
+-
+-/**
+  * Removes a PKCS7 padding on a 16 byte block.
+  * @param in
+  *  The PKCS5 padded input.
+Index: git/test/integration/pkcs-sign-verify.int.c
+===================================================================
+--- git.orig/test/integration/pkcs-sign-verify.int.c
++++ git/test/integration/pkcs-sign-verify.int.c
+@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
+     assert_int_equal(rv, CKR_OK);
+ }
+ 
+-static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+-    CK_ULONG i;
+-    for (i=0; i < attr_len; i++) {
+-        CK_ATTRIBUTE_PTR a = &attrs[i];
+-        if (a->type == type) {
+-            return a;
+-        }
+-    }
+-
+-    return NULL;
+-}
+-
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-#endif
+-
+-RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
+-
+-    RSA *ssl_rsa_key = NULL;
+-    BIGNUM *e = NULL, *n = NULL;
+-
+-    /* get the exponent */
+-    CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
+-    assert_non_null(a);
+-
+-    e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
+-    assert_non_null(e);
+-
+-    /* get the modulus */
+-    a = get_attr(CKA_MODULUS, attrs, attr_len);
+-    assert_non_null(a);
+-
+-    n = BN_bin2bn(a->pValue, a->ulValueLen,
+-                  NULL);
+-    assert_non_null(n);
+-
+-    ssl_rsa_key = RSA_new();
+-    assert_non_null(ssl_rsa_key);
+-
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+-    ssl_rsa_key->e = e;
+-    ssl_rsa_key->n = n;
+-#else
+-    int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
+-    assert_int_equal(rc, 1);
+-#endif
+-
+-    return ssl_rsa_key;
+-}
+-
+-static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+-
+-    EVP_PKEY *pkey = EVP_PKEY_new();
+-    assert_non_null(pkey);
+-
+-    int rc = EVP_PKEY_set1_RSA(pkey, pub);
+-    assert_int_equal(rc, 1);
++static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
+ 
+     EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+     const EVP_MD* md = EVP_get_digestbyname("SHA256");
+     assert_non_null(md);
+ 
+-    rc = EVP_DigestInit_ex(ctx, md, NULL);
++    int rc = EVP_DigestInit_ex(ctx, md, NULL);
+     assert_int_equal(rc, 1);
+ 
+     rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
+     rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
+     assert_int_equal(rc, 1);
+ 
+-    EVP_PKEY_free(pkey);
+     EVP_MD_CTX_destroy(ctx);
+ }
+ 
+@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
+     assert_int_equal(siglen, 256);
+ 
+     /* build an OSSL RSA key from parts */
+-    CK_BYTE _tmp_bufs[2][1024];
++    CK_BYTE _tmp_bufs[3][1024];
+     CK_ATTRIBUTE attrs[] = {
+-        { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
+-        { .type = CKA_MODULUS,         .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
++        { .type = CKA_KEY_TYPE,        .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
++        { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
++        { .type = CKA_MODULUS,         .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
+     };
+ 
+     rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
+     assert_int_equal(rv, CKR_OK);
+ 
+-    RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
+-    assert_non_null(r);
++    CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
++    rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
++    assert_int_equal(rv, CKR_OK);
++
++    EVP_PKEY *pkey = NULL;
++    attr_list *l = attr_list_new();
++
++    bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
++    assert_true(res);
+ 
+-    verify(r, msg, sizeof(msg) - 1, sig, siglen);
+-    RSA_free(r);
++    res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
++    assert_true(res);
++
++    res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
++    assert_true(res);
++
++    rv = ssl_util_attrs_to_evp(l, &pkey);
++    assert_int_equal(rv, CKR_OK);
++    attr_list_free(l);
++
++    verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
++    EVP_PKEY_free(pkey);
+ }
+ 
+ static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
new file mode 100644
index 0000000..ef0a6dc
--- /dev/null
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
@@ -0,0 +1,93 @@
+From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 3 Sep 2021 11:30:50 -0500
+Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
+
+THIS DROPS SUPPORT FOR OSSL 1.0.2.
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ configure.ac       |  2 +-
+ src/lib/ssl_util.h | 43 +++++--------------------------------------
+ 2 files changed, 6 insertions(+), 39 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index a7aeaf5..94fb5d4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
+ # require sqlite3 and libcrypto
+ PKG_CHECK_MODULES([SQLITE3],     [sqlite3])
+ PKG_CHECK_MODULES([YAML],        [yaml-0.1])
+-PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.0.2g])
++PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.1.0])
+ 
+ # check for pthread
+ AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
+diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
+index 9909fd6..2591728 100644
+--- a/src/lib/ssl_util.h
++++ b/src/lib/ssl_util.h
+@@ -15,51 +15,18 @@
+ #include "log.h"
+ #include "twist.h"
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
+-/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
+-#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
+ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
+-#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
++#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
++#include <openssl/evperr.h>
+ #endif
+ 
+-/* OpenSSL Backwards Compat APIs */
+-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
+-#include <string.h>
+-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
+-                          point_conversion_form_t form,
+-                          unsigned char **pbuf, BN_CTX *ctx);
+-
+-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
+-
+-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+-
+-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+-
+-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+-
+-static inline void *OPENSSL_memdup(const void *dup, size_t l) {
+-
+-    void *p = OPENSSL_malloc(l);
+-    if (!p) {
+-        return NULL;
+-    }
+-
+-    memcpy(p, dup, l);
+-    return p;
+-}
+-
+-#endif
+-
+-#ifndef RSA_PSS_SALTLEN_DIGEST
+-#define RSA_PSS_SALTLEN_DIGEST -1
++#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
++#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
+ #endif
+ 
+-/* Utility APIs */
+-
+ #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
+ 
+ CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
+-- 
+2.25.1
+
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
deleted file mode 100644
index 5c91a5e..0000000
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch
+++ /dev/null
@@ -1,295 +0,0 @@
-From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 13:32:05 -0500
-Subject: [PATCH 1/4] test: fix build for gcc11
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes 0 size regions by ignoring them. The test code intentionally does
-bad things.
-
-test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’:
-test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=]
-  327 |         actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
-      |                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-
-Upstream-Status: Pending
-Fix out for merge to offical repo
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- test/unit/test_twist.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c
-index ec66f69f..58d4530a 100644
---- a/test/unit/test_twist.c
-+++ b/test/unit/test_twist.c
-@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) {
- void test_twistbin_new_overflow_1(void **state) {
-     (void) state;
- 
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- 	twist actual = twistbin_new((void *) 0xDEADBEEF, ~0);
- 	assert_null(actual);
-+#pragma GCC diagnostic pop
- }
- 
- void test_twistbin_new_overflow_2(void **state) {
-     (void) state;
- 
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- 	twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *));
- 	assert_null(actual);
-+#pragma GCC diagnostic pop
- }
- 
- void test_twistbin_new_overflow_3(void **state) {
-@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) {
- 	twist actual = twistbin_aappend(expected, NULL, 42);
- 	assert_ptr_equal((void * )actual, (void * )expected);
- 
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wpragmas"
-+#pragma GCC diagnostic ignored "-Wstringop-overflow"
- 	actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0);
- 	assert_ptr_equal((void * )actual, (void * )expected);
-+#pragma GCC diagnostic pop
- 
- 	twist_free(actual);
- }
-
-From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 11:52:23 -0500
-Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy
-
-cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/slot.lo] Error 1
-| make: *** Waiting for unfinished jobs....
-| In file included from src/lib/mutex.h:10,
-| from src/lib/session_ctx.h:6,
-| from src/lib/digest.h:13,
-| from src/lib/tpm.c:28:
-| In function 'str_padded_copy',
-| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5:
-| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread]
-| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len));
-| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-| src/lib/utils.h: In function 'tpm_get_token_info':
-| src/lib/tpm.c:739:19: note: source object declared here
-| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
-| | ^~~~~~~~~~~~~~
-| cc1: all warnings being treated as errors
-| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1
-| WARNING: exit code 1 from a shell command.
-
-Fixes #676
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.c | 8 ++++----
- src/lib/general.h | 2 +-
- src/lib/slot.c    | 4 ++--
- src/lib/token.c   | 4 ++--
- src/lib/tpm.c     | 7 +++----
- src/lib/utils.h   | 6 ++++--
- 6 files changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/src/lib/general.c b/src/lib/general.c
-index 9b7327c1..eaddaf82 100644
---- a/src/lib/general.c
-+++ b/src/lib/general.c
-@@ -19,8 +19,8 @@
-   #define VERSION "UNKNOWN"
- #endif
- 
--#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki"
--#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io"
-+static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki";
-+static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io";
- 
- #define CRYPTOKI_VERSION { \
-            .major = CRYPTOKI_VERSION_MAJOR, \
-@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) {
- 
-     static CK_INFO *_info = NULL;
-     if (!_info) {
--        str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID));
--        str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription));
-+        str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER);
-+        str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION);
- 
-         parse_lib_version(&_info_.libraryVersion.major,
-                 &_info_.libraryVersion.minor);
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 14a18e46..356c142d 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -10,7 +10,7 @@
- #define TPM2_TOKEN_LABEL                "TPM2 PKCS#11 Token"
- #define TPM2_TOKEN_MANUFACTURER         "Intel"
- #define TPM2_TOKEN_MODEL                "TPM2 PKCS#11"
--#define TPM2_TOKEN_SERIAL_NUMBER        "0000000000000000"
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
- #define TPM2_TOKEN_HW_VERSION           { 0, 0 }
- #define TPM2_TOKEN_FW_VERSION           { 0, 0 }
- 
-diff --git a/src/lib/slot.c b/src/lib/slot.c
-index 548d22b5..6db5bb93 100644
---- a/src/lib/slot.c
-+++ b/src/lib/slot.c
-@@ -119,8 +119,8 @@ CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) {
-         return CKR_GENERAL_ERROR;
-     }
- 
--    str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID));
--    str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription));
-+    str_padded_copy(info->manufacturerID, token_info.manufacturerID);
-+    str_padded_copy(info->slotDescription, token_info.label);
- 
-     info->hardwareVersion = token_info.hardwareVersion;
-     info->firmwareVersion = token_info.firmwareVersion;
-diff --git a/src/lib/token.c b/src/lib/token.c
-index 6d7ebd27..c7211296 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) {
-     }
- 
-     // Identification
--    str_padded_copy(info->label, t->label, sizeof(info->label));
--    str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber));
-+    str_padded_copy(info->label, t->label);
-+    str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER);
- 
- 
-     // Memory: TODO not sure what memory values should go here, the platform?
-diff --git a/src/lib/tpm.c b/src/lib/tpm.c
-index 1639df48..7f9f052a 100644
---- a/src/lib/tpm.c
-+++ b/src/lib/tpm.c
-@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
-     unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage
-     UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value);
-     memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t));
--    str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID));
-+    str_padded_copy(info->manufacturerID, manufacturerID);
- 
-     // Map human readable Manufacturer String, if available,
-     // otherwise 4 byte ID was already padded and will be used.
-     for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){
-         if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) {
-             str_padded_copy(info->manufacturerID,
--                            (unsigned char *)TPM2_MANUFACTURER_MAP[i][1],
--                            sizeof(info->manufacturerID));
-+                            (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]);
-         }
-     }
- 
-@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) {
-     vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value);
-     vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value);
-     vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value);
--    str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model));
-+    str_padded_copy(info->model, (unsigned char*) &vendor);
- 
-     return CKR_OK;
- }
-diff --git a/src/lib/utils.h b/src/lib/utils.h
-index 81c61fae..cf357464 100644
---- a/src/lib/utils.h
-+++ b/src/lib/utils.h
-@@ -39,9 +39,11 @@
- 
- int str_to_ul(const char *val, size_t *res);
- 
--static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) {
-+#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src)))
-+static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) {
-     memset(dst, ' ', dst_len);
--    memcpy(dst, src, strnlen((char *)(src), dst_len));
-+    memcpy(dst, src, src_len);
-+    LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);
- }
- 
- twist utils_hash_pass(const twist pin, const twist salt);
-
-From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:09:27 -0500
-Subject: [PATCH 3/4] general: drop unused macros
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index 356c142d..b3089554 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,17 +7,7 @@
- 
- #include "pkcs11.h"
- 
--#define TPM2_TOKEN_LABEL                "TPM2 PKCS#11 Token"
--#define TPM2_TOKEN_MANUFACTURER         "Intel"
--#define TPM2_TOKEN_MODEL                "TPM2 PKCS#11"
- static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--#define TPM2_TOKEN_HW_VERSION           { 0, 0 }
--#define TPM2_TOKEN_FW_VERSION           { 0, 0 }
--
--#define TPM2_SLOT_DESCRIPTION           "Intel TPM2.0 Cryptoki"
--#define TPM2_SLOT_MANUFACTURER          TPM2_TOKEN_MANUFACTURER
--#define TPM2_SLOT_HW_VERSION            TPM2_TOKEN_HW_VERSION
--#define TPM2_SLOT_FW_VERSION            TPM2_TOKEN_FW_VERSION
- 
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
-
-From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Wed, 5 May 2021 14:11:04 -0500
-Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use
-
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
----
- src/lib/general.h | 2 --
- src/lib/token.c   | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/general.h b/src/lib/general.h
-index b3089554..9afd61ec 100644
---- a/src/lib/general.h
-+++ b/src/lib/general.h
-@@ -7,8 +7,6 @@
- 
- #include "pkcs11.h"
- 
--static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
--
- CK_RV general_init(void *init_args);
- CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list);
- CK_RV general_get_info(CK_INFO *info);
-diff --git a/src/lib/token.c b/src/lib/token.c
-index c7211296..63a9a71b 100644
---- a/src/lib/token.c
-+++ b/src/lib/token.c
-@@ -20,6 +20,8 @@
- #include "token.h"
- #include "utils.h"
- 
-+static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000";
-+
- void pobject_config_free(pobject_config *c) {
- 
-     if (c->is_transient) {
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
similarity index 89%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
index fdeda26..3a0917a 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
@@ -6,13 +6,14 @@
 
 DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
 
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \
+SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
            file://bootstrap_fixup.patch \
            file://0001-remove-local-binary-checkes.patch \
-           file://677.patch \
+           file://0001-ssl-compile-against-OSSL-3.0.patch \
+           file://0002-ossl-require-version-1.1.0-or-greater.patch \
            "
 
-SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273"
+SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
index 47113d2..2bf1eed 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tcti-uefi/tpm2-tcti-uefi_0.9.9.bb
@@ -4,7 +4,7 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
 DEPENDS = "libtss2-dev libtss2-mu-dev gnu-efi-native gnu-efi pkgconfig autoconf-archive-native"
 
-SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git \
+SRC_URI = "git://github.com/tpm2-software/tpm2-tcti-uefi.git;branch=master;protocol=https \
            file://configure_oe_fixup.patch \
            file://0001-configure.ac-stop-inserting-host-directories-into-co.patch \
            file://fix_header_file.patch \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
similarity index 80%
rename from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
rename to meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index dbd324a..6e95a0e 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -8,6 +8,6 @@
 
 SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1"
+SRC_URI[sha256sum] = "c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
 
 inherit autotools pkgconfig bash-completion
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
index dfebc07..d324e33 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-totp/tpm2-totp_0.3.0.bb
@@ -10,7 +10,7 @@
 PE = "1"
 
 SRCREV = "96a1448753a48974149003bc90ea3990ae8e8d0b"
-SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git"
+SRC_URI = "git://github.com/tpm2-software/tpm2-totp.git;branch=master;protocol=https"
 
 inherit autotools-brokensep pkgconfig
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
index 3069b1f..4d1f425 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss-engine/tpm2-tss-engine_1.1.0.bb
@@ -9,7 +9,7 @@
 DEPENDS = "autoconf-archive-native bash-completion libtss2 libgcrypt openssl"
 
 SRCREV = "6f387a4efe2049f1b4833e8f621c77231bc1eef4"
-SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x"
+SRC_URI = "git://github.com/tpm2-software/tpm2-tss-engine.git;branch=v1.1.x;protocol=https"
 
 inherit autotools-brokensep pkgconfig systemd
 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
index 6470879..1a36a5b 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_3.0.3.bb
@@ -15,7 +15,7 @@
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[oxygen] = ",--disable-doxygen-doc, "
-PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,json-c "
+PACKAGECONFIG[fapi] = "--enable-fapi,--disable-fapi,curl json-c "
 
 EXTRA_OECONF += "--enable-static --with-udevrulesdir=${nonarch_base_libdir}/udev/rules.d/"
 EXTRA_OECONF:remove = " --disable-static"
@@ -73,6 +73,11 @@
     ${libdir}/libtss2*so"
 FILES:libtss2-staticdev = "${libdir}/libtss*a"
 
-FILES:${PN} = "${libdir}/udev ${nonarch_base_libdir}/udev"
+FILES:${PN} = "\
+    ${libdir}/udev \
+    ${nonarch_base_libdir}/udev \
+    ${sysconfdir}/tmpfiles.d \
+    ${sysconfdir}/tpm2-tss \
+    ${sysconfdir}/sysusers.d"
 
 RDEPENDS:libtss2 = "libgcrypt"