tpm2-tss: backport fixes for openssl 3.0

Backport 3 patches from master branch for openssl 3.0:
https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0
https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5
https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

4 files changed, 1307 insertions, 1 deletions

diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch
new file mode 100644
index 0000000..e1ce4c5
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0001-Drop-support-for-OpenSSL-1.1.0.patch
@@ -0,0 +1,252 @@
+From a53f01711b840ba6ab2f127ea4f0512e60a56728 Mon Sep 17 00:00:00 2001
+From: Petr Gotthard <petr.gotthard@centrum.cz>
+Date: Sun, 18 Jul 2021 20:21:01 +0200
+Subject: [PATCH] Drop support for OpenSSL < 1.1.0
+
+Delete code written to support OpenSSL < 1.1.0
+
+Delete functions that have no effect in OpenSSL >= 1.1.0
+ - ENGINE_load_builtin_engines()
+ - OpenSSL_add_all_algorithms()
+ - ERR_load_crypto_strings()
+ - EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE)
+
+Switch AppVeyor to use pre-built OpenSSL 1.1.0
+
+Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
+
+Upstream-Status: Backport
+[https://github.com/tpm2-software/tpm2-tss/commit/73d25d6834ad362f9a9a907cb78452deaa336ec0]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/tss2-esys/esys_crypto_ossl.c | 19 ----------------
+ src/tss2-fapi/fapi_crypto.c      | 37 --------------------------------
+ test/helper/tpm_getek.c          | 11 ----------
+ test/helper/tpm_getek_ecc.c      |  9 --------
+ 4 files changed, 76 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 2746856..12dc6d9 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -525,11 +525,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
+         nonce->size = num_bytes;
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+     RAND_set_rand_method(RAND_OpenSSL());
+-#else
+-    RAND_set_rand_method(RAND_SSLeay());
+-#endif
+     if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
+         RAND_set_rand_method(rand_save);
+         return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -563,11 +559,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+                            size_t * out_size, const char *label)
+ {
+     const RAND_METHOD *rand_save = RAND_get_rand_method();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+     RAND_set_rand_method(RAND_OpenSSL());
+-#else
+-    RAND_set_rand_method(RAND_SSLeay());
+-#endif
+ 
+     TSS2_RC r = TSS2_RC_SUCCESS;
+     const EVP_MD * hashAlg = NULL;
+@@ -630,14 +622,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+                    "Could not create evp key.", cleanup);
+     }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-    if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+-                           pub_tpm_key->publicArea.unique.rsa.size,
+-                           rsa_key->n)) {
+-        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Could not create rsa n.", cleanup);
+-    }
+-#else
+     BIGNUM *n = NULL;
+     if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+                         pub_tpm_key->publicArea.unique.rsa.size,
+@@ -650,7 +634,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+                    "Could not set rsa n.", cleanup);
+     }
+-#endif
+ 
+     if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -1129,7 +1112,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+  */
+ TSS2_RC
+ iesys_cryptossl_init() {
+-    ENGINE_load_builtin_engines();
+-    OpenSSL_add_all_algorithms();
+     return TSS2_RC_SUCCESS;
+ }
+diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
+index ea68197..5e8fbc8 100644
+--- a/src/tss2-fapi/fapi_crypto.c
++++ b/src/tss2-fapi/fapi_crypto.c
+@@ -333,12 +333,7 @@ ifapi_tpm_ecc_sig_to_der(
+                     tpmSignature->signature.ecdsa.signatureR.size, NULL);
+     goto_if_null(bnr, "Out of memory", TSS2_FAPI_RC_MEMORY, cleanup);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    ecdsaSignature->s = bns;
+-    ecdsaSignature->r = bnr;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     ECDSA_SIG_set0(ecdsaSignature, bnr, bns);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ 
+     osslRC = i2d_ECDSA_SIG(ecdsaSignature, NULL);
+     if (osslRC == -1) {
+@@ -424,20 +419,9 @@ ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
+                    "Could not set exponent.", error_cleanup);
+     }
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    rsa->e = e;
+-    rsa->n = n;
+-    rsa->d = d;
+-    rsa->p = p;
+-    rsa->q = q;
+-    rsa->dmp1 = dmp1;
+-    rsa->dmq1 = dmq1;
+-    rsa->iqmp = iqmp;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     RSA_set0_key(rsa, n, e, d);
+     RSA_set0_factors(rsa, p, q);
+     RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ 
+     /* Assign the parameters to the key */
+     if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
+@@ -541,8 +525,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
+                    error_cleanup);
+     }
+-    /* Needed for older OSSL versions. */
+-    EC_KEY_set_asn1_flag(ecKey, OPENSSL_EC_NAMED_CURVE);
+     OSSL_FREE(y, BN);
+     OSSL_FREE(x, BN);
+     return TSS2_RC_SUCCESS;
+@@ -654,24 +636,14 @@ ifapi_ecc_der_sig_to_tpm(
+ 
+     /* Initialize the ECDSA signature components */
+     ECDSA_SIG *ecdsaSignature = NULL;
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    BIGNUM *bnr;
+-    BIGNUM *bns;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     const BIGNUM *bnr;
+     const BIGNUM *bns;
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ 
+     d2i_ECDSA_SIG(&ecdsaSignature, &signature, signatureSize);
+     return_if_null(ecdsaSignature, "Invalid DER signature",
+                    TSS2_FAPI_RC_GENERAL_FAILURE);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    bns = ecdsaSignature->s;
+-    bnr = ecdsaSignature->r;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     ECDSA_SIG_get0(ecdsaSignature, &bnr, &bns);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ 
+     /* Writing them to the TPM format signature */
+     tpmSignature->signature.ecdsa.hash = hashAlgorithm;
+@@ -933,12 +905,7 @@ get_rsa_tpm2b_public_from_evp(
+     const BIGNUM *e = NULL, *n = NULL;
+     int rsaKeySize = RSA_size(rsaKey);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    e = rsaKey->e;
+-    n = rsaKey->n;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     RSA_get0_key(rsaKey, &n, &e, NULL);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
+     if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
+                              rsaKeySize)) {
+@@ -1650,8 +1617,6 @@ get_crl_from_cert(X509 *cert, X509_CRL **crl)
+         goto_error(r, TSS2_FAPI_RC_NO_CERT, "Get crl.", cleanup);
+     }
+ 
+-    OpenSSL_add_all_algorithms();
+-
+     unsigned const char* tmp_ptr1 = crl_buffer;
+     unsigned const char** tmp_ptr2 = &tmp_ptr1;
+ 
+@@ -1935,7 +1900,6 @@ ifapi_verify_ek_cert(
+                       r, TSS2_FAPI_RC_BAD_VALUE, cleanup);
+     } else {
+         /* Get uri for ek intermediate certificate. */
+-        OpenSSL_add_all_algorithms();
+         info = X509_get_ext_d2i(ek_cert, NID_info_access, NULL, NULL);
+ 
+         for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
+@@ -1955,7 +1919,6 @@ ifapi_verify_ek_cert(
+         goto_if_null2(cert_buffer, "No certificate downloaded", r,
+                       TSS2_FAPI_RC_NO_CERT, cleanup);
+ 
+-        OpenSSL_add_all_algorithms();
+         intermed_cert = get_cert_from_buffer(cert_buffer, cert_buffer_size);
+ 
+         SAFE_FREE(cert_buffer);
+diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
+index 02d88b0..3cd7b9f 100644
+--- a/test/helper/tpm_getek.c
++++ b/test/helper/tpm_getek.c
+@@ -134,20 +134,9 @@ main (int argc, char *argv[])
+         exp = out_public.publicArea.parameters.rsaDetail.exponent;
+     BN_set_word(e, exp);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-    rsa->e = e;
+-    rsa->n = n;
+-    rsa->d = d;
+-    rsa->p = p;
+-    rsa->q = q;
+-    rsa->dmp1 = dmp1;
+-    rsa->dmq1 = dmq1;
+-    rsa->iqmp = iqmp;
+-#else /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+     RSA_set0_key(rsa, n, e, d);
+     RSA_set0_factors(rsa, p, q);
+     RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
+-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
+ 
+     EVP_PKEY_assign_RSA(evp, rsa);
+ 
+diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
+index e7f3dec..e389f18 100644
+--- a/test/helper/tpm_getek_ecc.c
++++ b/test/helper/tpm_getek_ecc.c
+@@ -128,14 +128,6 @@ main (int argc, char *argv[])
+     /* Convert the key from out_public to PEM */
+ 
+     EVP_PKEY *evp = EVP_PKEY_new();
+-
+-    OpenSSL_add_all_algorithms();
+-
+-    OpenSSL_add_all_algorithms();
+-
+-    ERR_load_crypto_strings();
+-
+-
+     EC_KEY *ecc_key = EC_KEY_new();
+     BIGNUM *x = NULL, *y = NULL;
+     BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+@@ -147,7 +139,6 @@ main (int argc, char *argv[])
+     if (!EC_KEY_set_group(ecc_key, ecgroup))
+         exit(1);
+ 
+-    EC_KEY_set_asn1_flag(ecc_key, OPENSSL_EC_NAMED_CURVE);
+     EC_GROUP_free(ecgroup);
+ 
+     /* Set the ECC parameters in the OpenSSL key */
+-- 
+2.17.1
+
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
new file mode 100644
index 0000000..1013b4c
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch
@@ -0,0 +1,1001 @@
+From 2452e8863562a4e5c4f172cf40cb7e713e2b7a6c Mon Sep 17 00:00:00 2001
+From: Petr Gotthard <petr.gotthard@centrum.cz>
+Date: Sun, 18 Jul 2021 21:30:59 +0200
+Subject: [PATCH] Implement EVP_PKEY export/import for OpenSSL 3.0
+
+The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and
+the generic `EVP_PKEY` must be used instead.
+Since export/import of raw keys still requires access to the internal structures
+the OpenSSL 3.0 introduced a completely new approach to access key internals.
+
+This PR:
+ - preserves the current export/import impementation for OpenSSL 1.1.x
+ - implements key export/import for OpenSSL 3.0.0
+
+Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
+
+Upstream-Status: Backport
+[https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++-----
+ src/tss2-fapi/fapi_crypto.c      | 275 +++++++++++++++++++++----------
+ test/helper/tpm_getek.c          |  53 +++---
+ test/helper/tpm_getek_ecc.c      |  61 +++++--
+ 4 files changed, 386 insertions(+), 157 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 12dc6d9..a0e200f 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -8,9 +8,17 @@
+ #include <config.h>
+ #endif
+ 
++#include <openssl/rand.h>
+ #include <openssl/evp.h>
+-#include <openssl/aes.h>
+ #include <openssl/rsa.h>
++#include <openssl/ec.h>
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#include <openssl/aes.h>
++#else
++#include <openssl/core_names.h>
++#include <openssl/params.h>
++#include <openssl/param_build.h>
++#endif
+ #include <openssl/engine.h>
+ #include <stdio.h>
+ 
+@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
+                    "Error EVP_MD_CTX_create", cleanup);
+     }
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
+     if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
++#else
++    /* this is preferred, but available since OpenSSL 1.1.1 only */
++    if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
++#endif
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "EVP_PKEY_new_mac_key", cleanup);
++                   "Failed to create HMAC key", cleanup);
+     }
+ 
+     if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
+@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
+ TSS2_RC
+ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     const RAND_METHOD *rand_save = RAND_get_rand_method();
++    RAND_set_rand_method(RAND_OpenSSL());
++#endif
+ 
+     if (num_bytes == 0) {
+         nonce->size = sizeof(TPMU_HA);
+@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
+         nonce->size = num_bytes;
+     }
+ 
+-    RAND_set_rand_method(RAND_OpenSSL());
+     if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+         RAND_set_rand_method(rand_save);
++#endif
+         return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
+                      "Failure in random number generator.");
+     }
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     RAND_set_rand_method(rand_save);
++#endif
+     return TSS2_RC_SUCCESS;
+ }
+ 
+@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+                            BYTE * out_buffer,
+                            size_t * out_size, const char *label)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    RSA *rsa_key = NULL;
+     const RAND_METHOD *rand_save = RAND_get_rand_method();
++
+     RAND_set_rand_method(RAND_OpenSSL());
++#else
++    OSSL_PARAM *params = NULL;
++    OSSL_PARAM_BLD *build = NULL;
++#endif
+ 
+     TSS2_RC r = TSS2_RC_SUCCESS;
+     const EVP_MD * hashAlg = NULL;
+-    RSA * rsa_key = NULL;
+     EVP_PKEY *evp_rsa_key = NULL;
+-    EVP_PKEY_CTX *ctx = NULL;
+-    BIGNUM* bne = NULL;
++    EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
++    BIGNUM *bne = NULL, *n = NULL;
+     int padding;
+     char *label_copy = NULL;
+ 
+     if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
+         LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
+                   pub_tpm_key->publicArea.nameAlg);
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+         RAND_set_rand_method(rand_save);
++#endif
+         return TSS2_ESYS_RC_NOT_IMPLEMENTED;
+     }
+ 
+-    if (!(bne = BN_new())) {
+-        goto_error(r, TSS2_ESYS_RC_MEMORY,
+-                   "Could not allocate Big Number", cleanup);
+-    }
+-
+     switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) {
+     case TPM2_ALG_NULL:
+         padding = RSA_NO_PADDING;
+@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+         exp = 65537;
+     else
+         exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent;
+-    if (1 != BN_set_word(bne, exp)) {
++
++    if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
++                        pub_tpm_key->publicArea.unique.rsa.size,
++                        NULL))) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Could not set exponent.", cleanup);
++                   "Could not create rsa n.", cleanup);
+     }
+ 
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     if (!(rsa_key = RSA_new())) {
+         goto_error(r, TSS2_ESYS_RC_MEMORY,
+                    "Could not allocate RSA key", cleanup);
+     }
+ 
+-    if (1 != RSA_generate_key_ex(rsa_key,
+-                                 pub_tpm_key->publicArea.parameters.rsaDetail.keyBits,
+-                                 bne, NULL)) {
+-        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key",
+-                   cleanup);
++    if (!(bne = BN_new())) {
++        goto_error(r, TSS2_ESYS_RC_MEMORY,
++                   "Could not allocate Big Number", cleanup);
+     }
+-
+-    if (!(evp_rsa_key = EVP_PKEY_new())) {
++    if (1 != BN_set_word(bne, exp)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Could not create evp key.", cleanup);
++                   "Could not set exponent.", cleanup);
+     }
+-    BIGNUM *n = NULL;
+-    if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+-                        pub_tpm_key->publicArea.unique.rsa.size,
+-                        NULL))) {
++
++    if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Could not create rsa n.", cleanup);
++                   "Could not set rsa n.", cleanup);
+     }
++    /* ownership got transferred */
++    n = NULL;
++    bne = NULL;
+ 
+-    if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) {
++    if (!(evp_rsa_key = EVP_PKEY_new())) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Could not set rsa n.", cleanup);
++                   "Could not create evp key.", cleanup);
+     }
+ 
+-    if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
++    if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+                    "Could not set rsa key.", cleanup);
+     }
++    /* ownership got transferred */
++    rsa_key = NULL;
++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++    if ((build = OSSL_PARAM_BLD_new()) == NULL
++            || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
++            || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
++            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
++        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.",
++                   cleanup);
++    }
++
++    if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
++            || EVP_PKEY_fromdata_init(genctx) <= 0
++            || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
++        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
++                   cleanup);
++    }
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+ 
+     if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+     r = TSS2_RC_SUCCESS;
+ 
+  cleanup:
++    OSSL_FREE(genctx, EVP_PKEY_CTX);
+     OSSL_FREE(ctx, EVP_PKEY_CTX);
+     OSSL_FREE(evp_rsa_key, EVP_PKEY);
+-    OSSL_FREE(rsa_key, RSA);
+     OSSL_FREE(bne, BN);
++    OSSL_FREE(n, BN);
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    OSSL_FREE(rsa_key, RSA);
+     RAND_set_rand_method(rand_save);
++#else
++    OSSL_FREE(params, OSSL_PARAM);
++    OSSL_FREE(build, OSSL_PARAM_BLD);
++#endif
+     return r;
+ }
+ 
+@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
+ {
+     TSS2_RC r = TSS2_RC_SUCCESS;
+     EC_GROUP *group = NULL;               /* Group defines the used curve */
+-    EC_KEY *eph_ec_key = NULL;            /* Ephemeral ec key of application */
++    EVP_PKEY_CTX *ctx = NULL;
++    EVP_PKEY *eph_pkey = NULL;
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     const EC_POINT *eph_pub_key = NULL;   /* Public part of ephemeral key */
++    const BIGNUM *eph_priv_key = NULL;
++#else
++    BIGNUM *eph_priv_key = NULL;
++#endif
+     EC_POINT *tpm_pub_key = NULL;         /* Public part of TPM key */
+     EC_POINT *mul_eph_tpm = NULL;
+     BIGNUM *bn_x = NULL;
+@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
+     }
+ 
+     /* Create ephemeral key */
+-    if (!(eph_ec_key = EC_KEY_new())) {
++    if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL
++            || EVP_PKEY_keygen_init(ctx) <= 0) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Create ec key", cleanup);
++                   "Initialize ec key generation", cleanup);
+     }
+-    if (1 !=   EC_KEY_set_group(eph_ec_key , group)) {
+ 
+-        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup);
+-    }
+-
+-    if (1 != EC_KEY_generate_key(eph_ec_key)) {
++    if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0
++            || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup);
+     }
+ 
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey);
++
+     if (!(eph_pub_key =  EC_KEY_get0_public_key(eph_ec_key))) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup);
+     }
+ 
++    eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
+     if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+                    "Ephemeral public key is on curve",cleanup);
+@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
+     if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x,
+                                                  bn_y, NULL)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+-                   "Get affine x coordinate", cleanup);
++                   "Get affine coordinates", cleanup);
++    }
++#else
++    if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key)
++            || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x)
++            || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) {
++        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
++                   "Get ephemeral key", cleanup);
+     }
++#endif
+ 
+     if (1 != iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
+     r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key);
+     goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup);
+ 
+-    /* Multiply the ephemeral private key with TPM public key */
+-    const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
+-
+     if (!(mul_eph_tpm = EC_POINT_new(group))) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup);
+     }
+ 
++    /* Multiply the ephemeral private key with TPM public key */
+     if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL,
+                           tpm_pub_key, eph_priv_key, NULL)) {
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
+     OSSL_FREE(mul_eph_tpm, EC_POINT);
+     OSSL_FREE(tpm_pub_key, EC_POINT);
+     OSSL_FREE(group,EC_GROUP);
+-    OSSL_FREE(eph_ec_key, EC_KEY);
++    OSSL_FREE(ctx, EVP_PKEY_CTX);
++    OSSL_FREE(eph_pkey, EVP_PKEY);
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     /* Note: free of eph_pub_key already done by free of eph_ec_key */
++#else
++    OSSL_FREE(eph_priv_key, BN);
++#endif
+     OSSL_FREE(bn_x, BN);
+     OSSL_FREE(bn_y, BN);
+     return r;
+diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
+index 5e8fbc8..9cee10f 100644
+--- a/src/tss2-fapi/fapi_crypto.c
++++ b/src/tss2-fapi/fapi_crypto.c
+@@ -11,10 +11,15 @@
+ #include <string.h>
+ 
+ #include <openssl/evp.h>
+-#include <openssl/aes.h>
+ #include <openssl/rsa.h>
+-#include <openssl/engine.h>
+ #include <openssl/pem.h>
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++#include <openssl/aes.h>
++#else
++#include <openssl/core_names.h>
++#include <openssl/params.h>
++#include <openssl/param_build.h>
++#endif
+ #include <openssl/x509v3.h>
+ #include <curl/curl.h>
+ #include <openssl/err.h>
+@@ -380,66 +385,89 @@ cleanup:
+  * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
+  */
+ static TSS2_RC
+-ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
++ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    RSA *rsa = NULL;
++#else
++    OSSL_PARAM_BLD *build = NULL;
++    OSSL_PARAM *params = NULL;
++    EVP_PKEY_CTX *ctx = NULL;
++#endif
++
+     /* Check for NULL parameters */
+     return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
+     return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
+ 
++    TSS2_RC r = TSS2_RC_SUCCESS;
+     /* Initialize the RSA parameters */
+-    TSS2_RC r;
+-    RSA *rsa = RSA_new();
+-    BIGNUM *e = BN_new();
+-    BIGNUM *d = BN_new();
+-    BIGNUM *p = BN_new();
+-    BIGNUM *q = BN_new();
+-    BIGNUM *dmp1 = BN_new();
+-    BIGNUM *dmq1 = BN_new();
+-    BIGNUM *iqmp = BN_new();
++    BIGNUM *e = NULL;
+     BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer,
+                           tpmPublicKey->publicArea.unique.rsa.size, NULL);
+-
+-    if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) {
++    if (!n) {
+         goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
+     }
+ 
+-    BN_set_word(d, 0);
+-    BN_set_word(p, 0);
+-    BN_set_word(q, 0);
+-    BN_set_word(dmp1, 0);
+-    BN_set_word(dmq1, 0);
+-    BN_set_word(iqmp, 0);
+     uint32_t exp;
+     if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0)
+         exp = 65537;
+     else
+         exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent;
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    if ((rsa = RSA_new()) == NULL) {
++        goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
++    }
++
++    if ((e = BN_new()) == NULL) {
++        goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
++    }
+     if (1 != BN_set_word(e, exp)) {
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                    "Could not set exponent.", error_cleanup);
+     }
+ 
+-    RSA_set0_key(rsa, n, e, d);
+-    RSA_set0_factors(rsa, p, q);
+-    RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
++    if (!RSA_set0_key(rsa, n, e, NULL)) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
++                   "Could not set public key.", error_cleanup);
++    }
++    n = NULL; /* ownership transferred */
++    e = NULL;
++
++    *evpPublicKey = EVP_PKEY_new();
++    goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
+ 
+     /* Assign the parameters to the key */
+-    if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
++    if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) {
++        EVP_PKEY_free(*evpPublicKey);
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key",
+                    error_cleanup);
+     }
+-    return TSS2_RC_SUCCESS;
+-
++    rsa = NULL; /* ownership transferred */
+ error_cleanup:
+     OSSL_FREE(rsa, RSA);
++#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
++    if ((build = OSSL_PARAM_BLD_new()) == NULL
++            || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
++            || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
++            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters",
++                   error_cleanup);
++    }
++
++    if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
++            || EVP_PKEY_fromdata_init(ctx) <= 0
++            || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key",
++                   error_cleanup);
++    }
++error_cleanup:
++    OSSL_FREE(ctx, EVP_PKEY_CTX);
++    OSSL_FREE(params, OSSL_PARAM);
++    OSSL_FREE(build, OSSL_PARAM_BLD);
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+     OSSL_FREE(e, BN);
+     OSSL_FREE(n, BN);
+-    OSSL_FREE(d, BN);
+-    OSSL_FREE(p, BN);
+-    OSSL_FREE(q, BN);
+-    OSSL_FREE(dmp1, BN);
+-    OSSL_FREE(dmq1, BN);
+-    OSSL_FREE(iqmp, BN);
+     return r;
+ }
+ 
+@@ -459,18 +487,26 @@ error_cleanup:
+  *         the function.
+  */
+ static TSS2_RC
+-ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
++ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
+ {
+     /* Check for NULL parameters */
+     return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
+     return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
+ 
+-    TSS2_RC r;
++    TSS2_RC r = TSS2_RC_SUCCESS;
+     EC_GROUP *ecgroup = NULL;
+     int curveId;
+     BIGNUM *x = NULL, *y = NULL;
+-    EC_KEY *ecKey = EC_KEY_new();
+-    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
++    EC_POINT *ecPoint = NULL;
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    EC_KEY *ecKey = NULL;
++#else
++    OSSL_PARAM_BLD *build = NULL;
++    OSSL_PARAM *params = NULL;
++    EVP_PKEY_CTX *ctx = NULL;
++    unsigned char *puboct = NULL;
++    size_t bsize;
++#endif
+ 
+     /* Find the curve of the ECC key */
+     switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) {
+@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
+     goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE,
+                   error_cleanup);
+ 
+-    if (!EC_KEY_set_group(ecKey, ecgroup)) {
+-        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
+-                   error_cleanup);
+-    }
+-    EC_GROUP_free(ecgroup);
+-
+     /* Set the ECC parameters in the OpenSSL key */
+     x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer,
+                   tpmPublicKey->publicArea.unique.ecc.x.size, NULL);
+@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
+         goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
+     }
+ 
+-    if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) {
++    if ((ecPoint = EC_POINT_new(ecgroup)) == NULL
++            || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates",
++                   error_cleanup);
++    }
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    ecKey = EC_KEY_new();
++    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
++
++    if (!EC_KEY_set_group(ecKey, ecgroup)) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
++                   error_cleanup);
++    }
++
++    if (!EC_KEY_set_public_key(ecKey, ecPoint)) {
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+-                   "EC_KEY_set_public_key_affine_coordinates", error_cleanup);
++                   "EC_KEY_set_public_key", error_cleanup);
+     }
+ 
+-    if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) {
++    *evpPublicKey = EVP_PKEY_new();
++    goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
++
++    if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) {
++        EVP_PKEY_free(*evpPublicKey);
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
+                    error_cleanup);
+     }
+-    OSSL_FREE(y, BN);
+-    OSSL_FREE(x, BN);
+-    return TSS2_RC_SUCCESS;
++    ecKey = NULL; /* ownership transferred */
++error_cleanup:
++    OSSL_FREE(ecKey, EC_KEY);
++#else
++    if ((build = OSSL_PARAM_BLD_new()) == NULL
++            || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
++                                                (char *)OBJ_nid2sn(curveId), 0)
++            || (bsize = EC_POINT_point2buf(ecgroup, ecPoint,
++                                           POINT_CONVERSION_COMPRESSED,
++                                           &puboct, NULL)) == 0
++            || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
++                                                 puboct, bsize)
++            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters",
++                   error_cleanup);
++    }
+ 
++    if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL
++            || EVP_PKEY_fromdata_init(ctx) <= 0
++            || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key",
++                   error_cleanup);
++    }
+ error_cleanup:
++    EVP_PKEY_CTX_free(ctx);
++    OSSL_PARAM_free(params);
++    OSSL_PARAM_BLD_free(build);
++    OPENSSL_free(puboct);
++#endif
++    OSSL_FREE(ecPoint, EC_POINT);
++    OSSL_FREE(ecgroup, EC_GROUP);
+     OSSL_FREE(y, BN);
+     OSSL_FREE(x, BN);
+-    OSSL_FREE(ecKey, EC_KEY);
+     return r;
+ }
+ 
+@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm(
+     BIO *bio = NULL;
+     TSS2_RC r = TPM2_RC_SUCCESS;
+ 
+-    evpPublicKey = EVP_PKEY_new();
+-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
+-
+     /* Memory IO will be used for OSSL key conversion */
+     bio = BIO_new(BIO_s_mem());
+-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
++    goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
+ 
+     if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
+-        r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
+-    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
+-        r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
+-    else {
++        r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
++    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
++        r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
++    } else {
+         goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
+     }
+     goto_if_error(r, "Get ossl public key.", cleanup);
+@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm(
+                     signatureSize);
+         } else {
+             return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme.");
+-
+         }
+     } else if (tpmPublic->type == TPM2_ALG_ECC) {
+         return ifapi_ecc_der_sig_to_tpm(signature, signatureSize,
+@@ -856,12 +926,16 @@ ecdsa_verify_signature(
+     return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
+ 
+     TSS2_RC r = TSS2_RC_SUCCESS;
+-    EC_KEY *eccKey = NULL;
++    EVP_PKEY_CTX *ctx = NULL;
+ 
+-    eccKey = EVP_PKEY_get1_EC_KEY(publicKey);
++    if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL
++            || !EVP_PKEY_verify_init(ctx)) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
++                   "Cannot initialize signature verification.", error_cleanup);
++    }
+ 
+     /* Try to verify the signature using ECDSA, note that param 0 is unused */
+-    int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey);
++    int rc = EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize);
+     if (rc == 0) {
+         goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
+                    "ECDSA signature verification failed.", error_cleanup);
+@@ -871,7 +945,7 @@ ecdsa_verify_signature(
+     }
+ 
+ error_cleanup:
+-    OSSL_FREE(eccKey, EC_KEY);
++    OSSL_FREE(ctx, EVP_PKEY_CTX);
+     return r;
+ }
+ 
+@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp(
+ 
+     /* Extract the public information */
+     TSS2_RC r = TSS2_RC_SUCCESS;
++    int keyBits, keySize;
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
++    const BIGNUM *e = NULL, *n = NULL;
+     RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey);
+     return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
+-    const BIGNUM *e = NULL, *n = NULL;
+-    int rsaKeySize = RSA_size(rsaKey);
+ 
++    keySize = RSA_size(rsaKey);
++    keyBits = keySize * 8;
+     RSA_get0_key(rsaKey, &n, &e, NULL);
+-    tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
++#else
++    BIGNUM *e = NULL, *n = NULL;
++
++    keyBits = EVP_PKEY_get_bits(publicKey);
++    keySize = (keyBits + 7) / 8;
++    if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n)
++            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) {
++        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
++                   "Retrieve pubkey", cleanup);
++    }
++#endif
++    tpmPublic->publicArea.unique.rsa.size = keySize;
+     if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
+-                             rsaKeySize)) {
++                             keySize)) {
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                    "Write big num byte buffer", cleanup);
+     }
+-    tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8;
++    tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits;
+     tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e);
+ 
+ cleanup:
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+     OSSL_FREE(rsaKey, RSA);
++#else
++    BN_free(e);
++    BN_free(n);
++#endif
+     return r;
+ }
+ 
+@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp(
+ 
+     /* Initialize variables that will contain the relevant information */
+     TSS2_RC r = TSS2_RC_SUCCESS;
+-    EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
+-    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
+-    const EC_GROUP *ecGroup;
+-    const EC_POINT *publicPoint;
+     int curveId;
+     size_t ecKeySize;
+     BIGNUM *bnX = NULL;
+     BIGNUM *bnY = NULL;
+     TPMI_ECC_CURVE tpmCurveId;
+-
+-    if (!ecKey) {
+-        return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!");
+-    }
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    const EC_GROUP *ecGroup;
++    const EC_POINT *publicPoint;
++    EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
++    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
+ 
+     /* Retrieve the relevant information and write it to tpmPublic */
+     ecGroup = EC_KEY_get0_group(ecKey);
+     publicPoint = EC_KEY_get0_public_key(ecKey);
+     curveId = EC_GROUP_get_curve_name(ecGroup);
+-    ecKeySize = EC_GROUP_get_degree(ecGroup) / 8;
+-    tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
+-    tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
++    ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
+ 
+     if (!(bnX = BN_new())) {
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup);
+@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp(
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+                    "Get affine coordinates", cleanup);
+     }
++#else
++    char curveName[80];
++
++    if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME,
++                                        curveName, sizeof(curveName), NULL)
++            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX)
++            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) {
++         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
++                    "Get public key", cleanup);
++     }
++    curveId = OBJ_txt2nid(curveName);
++    EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId);
++    ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
++    EC_GROUP_free(ecGroup);
++#endif
++    tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
++    tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
+     if (1 != ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0],
+                              ecKeySize)) {
+         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
+@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp(
+     tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId;
+ 
+ cleanup:
++#if OPENSSL_VERSION_NUMBER < 0x30000000
+     OSSL_FREE(ecKey, EC_KEY);
++#endif
+     OSSL_FREE(bnX, BN);
+     OSSL_FREE(bnY, BN);
+     return r;
+@@ -2075,14 +2183,11 @@ ifapi_get_tpm_key_fingerprint(
+                    "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
+                    hashAlg);
+ 
+-    evpPublicKey = EVP_PKEY_new();
+-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
+-
+     if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
+-        r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
+-    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
+-        r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
+-    else {
++        r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
++    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
++        r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
++    } else {
+         goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
+     }
+     goto_if_error(r, "Get ossl public key.", cleanup);
+diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
+index 3cd7b9f..bbe8770 100644
+--- a/test/helper/tpm_getek.c
++++ b/test/helper/tpm_getek.c
+@@ -7,8 +7,14 @@
+ #include <stdio.h>
+ #include <inttypes.h>
+ #include <openssl/evp.h>
+-#include <openssl/rsa.h>
+ #include <openssl/pem.h>
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++#include <openssl/rsa.h>
++#else
++#include <openssl/core_names.h>
++#include <openssl/params.h>
++#include <openssl/param_build.h>
++#endif
+ 
+ #include "tss2_sys.h"
+ #include "tss2_mu.h"
+@@ -109,36 +115,37 @@ main (int argc, char *argv[])
+ 
+     /* Convert the key from out_public to PEM */
+ 
+-    EVP_PKEY *evp = EVP_PKEY_new();
++    EVP_PKEY *evp = NULL;
+     BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+-    RSA *rsa = RSA_new();
+-    BIGNUM *e = BN_new();
+-    BIGNUM *d = BN_new();
+-    BIGNUM *p = BN_new();
+-    BIGNUM *q = BN_new();
+-    BIGNUM *dmp1 = BN_new();
+-    BIGNUM *dmq1 = BN_new();
+-    BIGNUM *iqmp = BN_new();
+     BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer,
+                           out_public.publicArea.unique.rsa.size, NULL);
+-    BN_set_word(d, 0);
+-    BN_set_word(p, 0);
+-    BN_set_word(q, 0);
+-    BN_set_word(dmp1, 0);
+-    BN_set_word(dmq1, 0);
+-    BN_set_word(iqmp, 0);
+     uint32_t exp;
+     if (out_public.publicArea.parameters.rsaDetail.exponent == 0)
+         exp = 65537;
+     else
+         exp = out_public.publicArea.parameters.rsaDetail.exponent;
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    BIGNUM *e = BN_new();
+     BN_set_word(e, exp);
+ 
+-    RSA_set0_key(rsa, n, e, d);
+-    RSA_set0_factors(rsa, p, q);
+-    RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
++    RSA *rsa = RSA_new();
++    RSA_set0_key(rsa, n, e, NULL);
++    n = NULL;
++    e = NULL;
+ 
++    evp = EVP_PKEY_new();
+     EVP_PKEY_assign_RSA(evp, rsa);
++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
++    OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
++    OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n);
++    OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp);
++    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
++
++    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
++    EVP_PKEY_fromdata_init(ctx);
++    EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
+ 
+     if (!PEM_write_bio_PUBKEY(bio, evp)) {
+         LOG_ERROR("PEM_write failed");
+@@ -146,6 +153,14 @@ main (int argc, char *argv[])
+     }
+ 
+     EVP_PKEY_free(evp);
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    /* ownership was taken by the EVP_PKEY */
++#else
++    EVP_PKEY_CTX_free(ctx);
++    OSSL_PARAM_free(params);
++    OSSL_PARAM_BLD_free(build);
++#endif
++    BN_free(n);
+     BIO_free(bio);
+ 
+     return 0;
+diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
+index e389f18..29e6f1f 100644
+--- a/test/helper/tpm_getek_ecc.c
++++ b/test/helper/tpm_getek_ecc.c
+@@ -7,9 +7,15 @@
+ #include <stdio.h>
+ #include <inttypes.h>
+ #include <openssl/evp.h>
+-#include <openssl/rsa.h>
+ #include <openssl/pem.h>
+ #include <openssl/err.h>
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++#include <openssl/ec.h>
++#else
++#include <openssl/core_names.h>
++#include <openssl/params.h>
++#include <openssl/param_build.h>
++#endif
+ #include <string.h>
+ 
+ #include "tss2_sys.h"
+@@ -127,8 +133,7 @@ main (int argc, char *argv[])
+ 
+     /* Convert the key from out_public to PEM */
+ 
+-    EVP_PKEY *evp = EVP_PKEY_new();
+-    EC_KEY *ecc_key = EC_KEY_new();
++    EVP_PKEY *evp = NULL;
+     BIGNUM *x = NULL, *y = NULL;
+     BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+     int nid;
+@@ -136,11 +141,6 @@ main (int argc, char *argv[])
+     nid = EC_curve_nist2nid("P-256");
+     EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid);
+ 
+-    if (!EC_KEY_set_group(ecc_key, ecgroup))
+-        exit(1);
+-
+-    EC_GROUP_free(ecgroup);
+-
+     /* Set the ECC parameters in the OpenSSL key */
+     x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer,
+                   out_public.publicArea.unique.ecc.x.size, NULL);
+@@ -152,15 +152,46 @@ main (int argc, char *argv[])
+         exit(1);
+     }
+ 
+-    if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) {
++    EC_POINT *point = EC_POINT_new(ecgroup);
++#if OPENSSL_VERSION_NUMBER < 0x10101000L
++    EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL);
++#else
++    EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL);
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    EC_KEY *ecc_key = EC_KEY_new();
++    if (!EC_KEY_set_group(ecc_key, ecgroup))
++        exit(1);
++
++    if (!EC_KEY_set_public_key(ecc_key, point)) {
+         exit(1);
+     }
+ 
++    evp = EVP_PKEY_new();
+     if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) {
+         handleErrors();
+         LOG_ERROR("PEM_write failed");
+         exit(1);
+     }
++#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
++    unsigned char *puboct = NULL;
++    size_t bsize;
++
++    bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED,
++                               &puboct, NULL);
++
++    OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
++    OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
++                                    (char *)OBJ_nid2sn(nid), 0);
++    OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
++                                     puboct, bsize);
++    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
++
++    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
++    EVP_PKEY_fromdata_init(ctx);
++    EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
++#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
+ 
+     if (!PEM_write_bio_PUBKEY(bio, evp)) {
+         handleErrors();
+@@ -168,9 +199,19 @@ main (int argc, char *argv[])
+         exit(1);
+     }
+ 
++    EVP_PKEY_free(evp);
++#if OPENSSL_VERSION_NUMBER < 0x30000000
++    /* ownership was taken by the EVP_PKEY */
++#else
++    EVP_PKEY_CTX_free(ctx);
++    OSSL_PARAM_free(params);
++    OSSL_PARAM_BLD_free(build);
++    OPENSSL_free(puboct);
++#endif
++    EC_POINT_free(point);
++    EC_GROUP_free(ecgroup);
+     BN_free(y);
+     BN_free(x);
+-    EVP_PKEY_free(evp);
+     BIO_free(bio);
+ 
+     return 0;
+-- 
+2.17.1
+
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch
new file mode 100644
index 0000000..79c912c
--- /dev/null
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss/0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch
@@ -0,0 +1,49 @@
+From cde750dd594a6f5d7c463030ecbb9947fad2a12d Mon Sep 17 00:00:00 2001
+From: Petr Gotthard <petr.gotthard@centrum.cz>
+Date: Mon, 2 Aug 2021 15:50:26 +0200
+Subject: [PATCH] Remove deprecated OpenSSL_add_all_algorithms
+
+From OpenSSL 1.1.0 it is deprecated. No explicit initialisation or
+de-initialisation is required.
+
+Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
+
+Upstream-Status: Backport
+[https://github.com/tpm2-software/tpm2-tss/commit/e5bb5fb9f070c619415160f8889c372b769431b8]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/tss2-esys/esys_crypto_ossl.c    | 2 +-
+ src/tss2-fapi/ifapi_get_intl_cert.c | 3 ---
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index a0e200f..e599ac7 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -1174,7 +1174,7 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+  *
+  * Initialize OpenSSL internal tables.
+  *
+- * @retval TSS2_RC_SUCCESS always returned because OpenSSL_add_all_algorithms
++ * @retval TSS2_RC_SUCCESS always returned
+  * does not deliver
+  * a return code.
+  */
+diff --git a/src/tss2-fapi/ifapi_get_intl_cert.c b/src/tss2-fapi/ifapi_get_intl_cert.c
+index 613f408..deda7fb 100644
+--- a/src/tss2-fapi/ifapi_get_intl_cert.c
++++ b/src/tss2-fapi/ifapi_get_intl_cert.c
+@@ -369,9 +369,6 @@ out_free_json:
+     json_object_put(jso);
+ 
+ out:
+-    /* In some case this call was necessary after curl usage */
+-    OpenSSL_add_all_algorithms();
+-
+     free(hash);
+     if (rc == 0) {
+         return TSS2_RC_SUCCESS;
+-- 
+2.17.1
+
diff --git a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
index 96339a5..4e3346b 100644
--- a/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
+++ b/meta-tpm2/recipes-tpm/tpm2-tss/tpm2-tss_2.4.6.bb
@@ -6,7 +6,11 @@ SECTION = "tpm"
 
 DEPENDS = "autoconf-archive-native libgcrypt openssl"
 
-SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
+           file://0001-Drop-support-for-OpenSSL-1.1.0.patch \
+           file://0002-Implement-EVP_PKEY-export-import-for-OpenSSL-3.0.patch \
+           file://0003-Remove-deprecated-OpenSSL_add_all_algorithms.patch \
+          "
 SRC_URI[md5sum] = "515cf2c53799e7d498481eb2569dcb03"
 SRC_URI[sha256sum] = "20e6da532a7ef90c8e50cca51f276053ec505eee0167c18e2b07c1e747118b58"