5 files changed, 7 insertions, 1498 deletions
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
deleted file mode 100644
index 9d3f073..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-remove-local-binary-checkes.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 9e3ef6f253f9427596baf3e7d748a79854cadfa9 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Oct 2020 08:55:33 -0700
-Subject: [PATCH] remove local binary checkes
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Upsteam-Status: Inappropriate
-These are only needed to run on the tartget so we add an RDPENDS.
-Not needed for building.
---
- configure.ac | 48 ------------------------------------------------
- 1 file changed, 48 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index 50e7d4b..2b9abcf 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -219,54 +219,6 @@ AX_PROG_JAVAC()
- AX_PROG_JAVA()
- m4_popdef([AC_MSG_ERROR])
- 
-AC_CHECK_PROG([tpm2_createprimary], [tpm2_createprimary], [yes], [no])
-  AS_IF([test "x$tpm2_createprimary" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_createprimary, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_create], [tpm2_create], [yes], [no])
-  AS_IF([test "x$tpm2_create" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_create, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_evictcontrol], [tpm2_evictcontrol], [yes], [no])
-  AS_IF([test "x$tpm2_evictcontrol" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_evictcontrol, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_readpublic], [tpm2_readpublic], [yes], [no])
-  AS_IF([test "x$tpm2_readpublic" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_readpublic, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_load], [tpm2_load], [yes], [no])
-  AS_IF([test "x$tpm2_load" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_load, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_loadexternal], [tpm2_loadexternal], [yes], [no])
-  AS_IF([test "x$tpm2_loadexternal" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_loadexternal, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_unseal], [tpm2_unseal], [yes], [no])
-  AS_IF([test "x$tpm2_unseal" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_unseal, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_encryptdecrypt], [tpm2_encryptdecrypt], [yes], [no])
-  AS_IF([test "x$tpm2_encryptdecrypt" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_encryptdecrypt, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_sign], [tpm2_sign], [yes], [no])
-  AS_IF([test "x$tpm2_sign" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_sign, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_getcap], [tpm2_getcap], [yes], [no])
-  AS_IF([test "x$tpm2_getcap" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_getcap, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_import], [tpm2_import], [yes], [no])
-  AS_IF([test "x$tpm2_import" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_import, but executable not found.])])
-
-AC_CHECK_PROG([tpm2_changeauth], [tpm2_changeauth], [yes], [no])
-  AS_IF([test "x$tpm2_changeauth" != "xyes"],
-    [AC_MSG_ERROR([tpm2_ptool requires tpm2_changeauth, but executable not found.])])
-
- AC_DEFUN([integration_test_checks], [
- 
-   PKG_CHECK_MODULES([OPENSC_PKCS11],[opensc-pkcs11],,
-- 
-2.17.1
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
deleted file mode 100644
index ac2f92c..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0001-ssl-compile-against-OSSL-3.0.patch
+++ /dev/null
@@ -1,1305 +0,0 @@
-From f7a2e90e80fd8b4c43042f8099e821b4118234d1 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 3 Sep 2021 11:24:40 -0500
-Subject: [PATCH 1/2] ssl: compile against OSSL 3.0
-Compile against OpenSSL. This moves functions non-deprecated things if
-possible and ignores deprecation warnings when not. Padding manipulation
-routines seem to have been marked deprecated in OSSL 3.0, so we need to
-figure out a porting strategy here.
-Fixes: #686
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
- src/lib/backend_esysdb.c                |   5 +-
- src/lib/backend_fapi.c                  |   5 +-
- src/lib/encrypt.c                       |   2 +-
- src/lib/mech.c                          |  72 +---
- src/lib/object.c                        |   3 +-
- src/lib/sign.c                          |   2 +-
- src/lib/ssl_util.c                      | 531 ++++++++++++++++--------
- src/lib/ssl_util.h                      |  31 +-
- src/lib/tpm.c                           |   6 +-
- src/lib/utils.c                         |  35 +-
- src/lib/utils.h                         |  13 -
- test/integration/pkcs-sign-verify.int.c |  94 ++---
- 12 files changed, 441 insertions(+), 358 deletions(-)
-Index: git/src/lib/backend_esysdb.c
-===================================================================
--- git.orig/src/lib/backend_esysdb.c
-+++ git/src/lib/backend_esysdb.c
-@@ -3,6 +3,7 @@
- #include "config.h"
- #include "backend_esysdb.h"
- #include "db.h"
-+#include "ssl_util.h"
- #include "tpm.h"
- 
- CK_RV backend_esysdb_init(void) {
-@@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi
-     }
- 
-     twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt;
-    twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+    twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
-     if (!sealobjauth) {
-         rv = CKR_HOST_MEMORY;
-         goto error;
-@@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to
-      */
-     twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt;
- 
-    twist oldauth = utils_hash_pass(toldpin, oldsalt);
-+    twist oldauth = ssl_util_hash_pass(toldpin, oldsalt);
-     if (!oldauth) {
-         goto out;
-     }
-Index: git/src/lib/backend_fapi.c
-===================================================================
--- git.orig/src/lib/backend_fapi.c
-+++ git/src/lib/backend_fapi.c
-@@ -11,6 +11,7 @@
- #include "backend_fapi.h"
- #include "emitter.h"
- #include "parser.h"
-+#include "ssl_util.h"
- #include "utils.h"
- 
- #ifdef HAVE_FAPI
-@@ -793,7 +794,7 @@ CK_RV backend_fapi_token_unseal_wrapping
-     }
- 
-     twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt;
-    twist sealobjauth = utils_hash_pass(tpin, sealsalt);
-+    twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt);
-     if (!sealobjauth) {
-         rv = CKR_HOST_MEMORY;
-         goto error;
-@@ -889,7 +890,7 @@ CK_RV backend_fapi_token_changeauth(toke
-     }
-     rv = CKR_GENERAL_ERROR;
- 
-    oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
-+    oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt);
-     if (!oldauth) {
-         goto out;
-     }
-Index: git/src/lib/encrypt.c
-===================================================================
--- git.orig/src/lib/encrypt.c
-+++ git/src/lib/encrypt.c
-@@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat
- CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) {
- 
-     EVP_PKEY *pkey = NULL;
-    CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+    CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
-     if (rv != CKR_OK) {
-         return rv;
-     }
-Index: git/src/lib/mech.c
-===================================================================
--- git.orig/src/lib/mech.c
-+++ git/src/lib/mech.c
-@@ -693,7 +693,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C
-     }
- 
-     int nid = 0;
-    CK_RV rv = ec_params_to_nid(a, &nid);
-+    CK_RV rv = ssl_util_params_to_nid(a, &nid);
-     if (rv != CKR_OK) {
-         return rv;
-     }
-@@ -857,11 +857,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl
-     }
- 
-     /* Apply the PKCS1.5 padding */
-    int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len,
-            inbuf, inlen);
-    if (!rc) {
-+    CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen,
-+            outbuf, padded_len);
-+    if (rv != CKR_OK) {
-         LOGE("Applying RSA padding failed");
-        return CKR_GENERAL_ERROR;
-+        return rv;
-     }
- 
-     *outlen = padded_len;
-@@ -893,22 +893,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md
-     size_t key_bytes = *keybits / 8;
- 
-     unsigned char buf[4096];
-    int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf),
-                                       inbuf, inlen,
-                                       key_bytes);
-    if (rc < 0) {
-+    CK_ULONG buflen = sizeof(buf);
-+    CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes,
-+            buf, &buflen);
-+    if (rv != CKR_OK) {
-         LOGE("Could not recover CKM_RSA_PKCS Padding");
-        return CKR_GENERAL_ERROR;
-+        return rv;
-     }
- 
-    /* cannot be < 0 because of check above */
-    if (!outbuf || (unsigned)rc > *outlen) {
-        *outlen = rc;
-+    if (!outbuf || buflen > *outlen) {
-+        *outlen = buflen;
-         return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK;
-     }
- 
-    *outlen = rc;
-    memcpy(outbuf, buf, rc);
-+    *outlen = buflen;
-+    memcpy(outbuf, buf, buflen);
- 
-     return CKR_OK;
- }
-@@ -944,50 +943,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl,
-         return CKR_GENERAL_ERROR;
-     }
- 
-    CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-    if (!exp_attr) {
-        LOGE("Signing key has no CKA_PUBLIC_EXPONENT");
-        return CKR_GENERAL_ERROR;
-    }
-
-     if (modulus_attr->ulValueLen > *outlen) {
-         LOGE("Output buffer is too small, got: %lu, required at least %lu",
-                 *outlen, modulus_attr->ulValueLen);
-         return CKR_GENERAL_ERROR;
-     }
- 
-    BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL);
-    if (!e) {
-        LOGE("Could not convert exponent to bignum");
-        return CKR_GENERAL_ERROR;
-    }
-
-    BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL);
-    if (!n) {
-        LOGE("Could not convert modulus to bignum");
-        BN_free(e);
-        return CKR_GENERAL_ERROR;
-    }
-
-    RSA *rsa = RSA_new();
-    if (!rsa) {
-        LOGE("oom");
-        return CKR_HOST_MEMORY;
-    }
-
-    int rc = RSA_set0_key(rsa, n, e, NULL);
-    if (!rc) {
-        LOGE("Could not set modulus and exponent to OSSL RSA key");
-        BN_free(n);
-        BN_free(e);
-        RSA_free(rsa);
-        return CKR_GENERAL_ERROR;
-+    EVP_PKEY *pkey = NULL;
-+    rv = ssl_util_attrs_to_evp(attrs, &pkey);
-+    if (rv != CKR_OK) {
-+        return rv;
-     }
- 
-    rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-            inbuf, md, -1);
-    RSA_free(rsa);
-    if (!rc) {
-+    rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf);
-+    EVP_PKEY_free(pkey);
-+    if (rv != CKR_OK) {
-         LOGE("Applying RSA padding failed");
-         return CKR_GENERAL_ERROR;
-     }
-Index: git/src/lib/object.c
-===================================================================
--- git.orig/src/lib/object.c
-+++ git/src/lib/object.c
-@@ -15,6 +15,7 @@
- #include "object.h"
- #include "pkcs11.h"
- #include "session_ctx.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
- 
-@@ -121,7 +122,7 @@ CK_RV tobject_get_min_buf_size(tobject *
-         }
- 
-         int nid = 0;
-        CK_RV rv = ec_params_to_nid(a, &nid);
-+        CK_RV rv = ssl_util_params_to_nid(a, &nid);
-         if (rv != CKR_OK) {
-             return rv;
-         }
-Index: git/src/lib/sign.c
-===================================================================
--- git.orig/src/lib/sign.c
-+++ git/src/lib/sign.c
-@@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet
-     }
- 
-     EVP_PKEY *pkey = NULL;
-    rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+    rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
-     if (rv != CKR_OK) {
-         return NULL;
-     }
-Index: git/src/lib/ssl_util.c
-===================================================================
--- git.orig/src/lib/ssl_util.c
-+++ git/src/lib/ssl_util.c
-@@ -10,6 +10,7 @@
- #include <openssl/rsa.h>
- #include <openssl/sha.h>
- 
-+#include "attrs.h"
- #include "log.h"
- #include "pkcs11.h"
- #include "ssl_util.h"
-@@ -19,194 +20,228 @@
- #include <openssl/evperr.h>
- #endif
- 
-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#include <openssl/core_names.h>
-+#endif
- 
- /*
- * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to
- * create an API compatible version of it.
-+ * TODO Port these routines
-+ * Deprecated function block to port
-+ *
-+ * There are no padding routine replacements in OSSL 3.0.
-+ *   - per Matt Caswell (maintainer) on mailing list.
-+ * Signature verification can likely be done with EVP Verify interface.
-  */
-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-                          point_conversion_form_t form,
-                          unsigned char **pbuf, BN_CTX *ctx) {
-
-    /* Get the required buffer length */
-    size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL);
-    if (!len) {
-        return 0;
-    }
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-+#endif
- 
-    /* allocate it */
-    unsigned char *buf = OPENSSL_malloc(len);
-    if (!buf) {
-        return 0;
-    }
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+        const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+        CK_BYTE_PTR outbuf) {
- 
-    /* convert it */
-    len = EC_POINT_point2oct(group, point, form, buf, len, ctx);
-    if (!len) {
-        OPENSSL_free(buf);
-        return 0;
-+    RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey);
-+    if (!rsa) {
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    *pbuf = buf;
-    return len;
-}
-+    int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf,
-+        inbuf, md, -1);
- 
-size_t OBJ_length(const ASN1_OBJECT *obj) {
-+    return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR;
-+}
- 
-    if (!obj) {
-        return 0;
-    }
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+        CK_BYTE_PTR outbuf, CK_ULONG outbuflen) {
- 
-    return obj->length;
-+    return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen,
-+            inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR;
- }
- 
-const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) {
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+        CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) {
- 
-    if (!obj) {
-        return NULL;
-+    int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen,
-+               inbuf, inlen, rsa_len);
-+    if (rc < 0) {
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    return obj->data;
-+    /* cannot be negative due to check above */
-+    *outbuflen = rc;
-+    return CKR_OK;
- }
- 
-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) {
-    return ASN1_STRING_data((ASN1_STRING *)x);
-}
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
-+#pragma GCC diagnostic pop
-+#endif
- 
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300)
- 
-    if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
-        return 0;
-    }
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
-+
-+    OSSL_PARAM params[] = {
-+        OSSL_PARAM_BN("n", n_attr->pValue, n_attr->ulValueLen),
-+        OSSL_PARAM_BN("e", e_attr->pValue, e_attr->ulValueLen),
-+        OSSL_PARAM_END
-+    };
- 
-    if (n != NULL) {
-        BN_free(r->n);
-        r->n = n;
-+    /* convert params to EVP key */
-+    EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
-+    if (!evp_ctx) {
-+        SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    if (e != NULL) {
-        BN_free(r->e);
-        r->e = e;
-+    int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_PKEY_fromdata_init");
-+        EVP_PKEY_CTX_free(evp_ctx);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    if (d != NULL) {
-        BN_free(r->d);
-        r->d = d;
-+    rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+        EVP_PKEY_CTX_free(evp_ctx);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    return 1;
-+    EVP_PKEY_CTX_free(evp_ctx);
-+
-+    return CKR_OK;
- }
- 
-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
-+
-+    /*
-+     * The simplest way I have found to deal with this is to convert the ASN1 object in
-+     * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and
-+     * then take the int nid and convert it to a friendly name like prime256v1.
-+     * EVP_PKEY_fromdata can handle group by name.
-+     *
-+     * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value".
-+     */
-+    int curve_id = 0;
-+    CK_RV rv = ssl_util_params_to_nid(ecparams, &curve_id);
-+    if (rv != CKR_OK) {
-+        LOGE("Could not get nid from params");
-+        return rv;
-+    }
- 
-    if (!r || !s) {
-        return 0;
-+    /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */
-+    const unsigned char *x = ecpoint->pValue;
-+    ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
-+    if (!os) {
-+        SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s");
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    BN_free(sig->r);
-    BN_free(sig->s);
-+    OSSL_PARAM params[] = {
-+        OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char *)OBJ_nid2sn(curve_id), 0),
-+        OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length),
-+        OSSL_PARAM_END
-+    };
- 
-    sig->r = r;
-    sig->s = s;
-+    /* convert params to EVP key */
-+    EVP_PKEY_CTX *evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
-+    if (!evp_ctx) {
-+        SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id");
-+        OPENSSL_free(os);
-+        return CKR_GENERAL_ERROR;
-+    }
- 
-    return 1;
-}
-+    int rc = EVP_PKEY_fromdata_init(evp_ctx);
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s");
-+        EVP_PKEY_CTX_free(evp_ctx);
-+        OPENSSL_free(os);
-+        return CKR_GENERAL_ERROR;
-+    }
- 
-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) {
-    if (pkey->type != EVP_PKEY_EC) {
-        return NULL;
-+    rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params);
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_PKEY_fromdata");
-+        EVP_PKEY_CTX_free(evp_ctx);
-+        OPENSSL_free(os);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    return pkey->pkey.ec;
-+    EVP_PKEY_CTX_free(evp_ctx);
-+    OPENSSL_free(os);
-+
-+    return CKR_OK;
- }
-#endif
- 
-static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) {
-+#else
- 
-    RSA *rsa = NULL;
-    BIGNUM *e = NULL, *n = NULL;
-+static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) {
- 
-    CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-    if (!exp) {
-        LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
-+    BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL);
-+    if (!e) {
-+        LOGE("Could not convert exponent to bignum");
-         return CKR_GENERAL_ERROR;
-     }
- 
-    CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-    if (!mod) {
-        LOGE("RSA Object must have attribute CKA_MODULUS");
-+    BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL);
-+    if (!n) {
-+        LOGE("Could not convert modulus to bignum");
-+        BN_free(e);
-         return CKR_GENERAL_ERROR;
-     }
- 
-    rsa = RSA_new();
-+    RSA *rsa = RSA_new();
-     if (!rsa) {
-        SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure");
-        goto error;
-+        LOGE("oom");
-+        return CKR_HOST_MEMORY;
-     }
- 
-    e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL);
-    if (!e) {
-        SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format");
-        goto error;
-+    int rc = RSA_set0_key(rsa, n, e, NULL);
-+    if (!rc) {
-+        LOGE("Could not set modulus and exponent to OSSL RSA key");
-+        BN_free(n);
-+        BN_free(e);
-+        RSA_free(rsa);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL);
-    if (!n) {
-        SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format");
-        goto error;
-+    /* assigned to RSA key */
-+    n = e = NULL;
-+
-+    EVP_PKEY *pkey = EVP_PKEY_new();
-+    if (!pkey) {
-+        SSL_UTIL_LOGE("EVP_PKEY_new");
-+        RSA_free(rsa);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    if (!RSA_set0_key(rsa, n, e, NULL)) {
-        SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components");
-+    rc = EVP_PKEY_assign_RSA(pkey, rsa);
-+    if (rc != 1) {
-         RSA_free(rsa);
-        BN_free(e);
-        BN_free(n);
-        goto error;
-+        EVP_PKEY_free(pkey);
-+        return CKR_GENERAL_ERROR;
-     }
- 
-    *outkey = rsa;
-+    *out_pkey = pkey;
- 
-     return CKR_OK;
-
-error:
-    RSA_free(rsa);
-    if (e) {
-        BN_free(e);
-    }
-    if (n) {
-        BN_free(n);
-    }
-
-    return CKR_GENERAL_ERROR;
- }
- 
-static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) {
-+static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) {
- 
-    EC_KEY *key = EC_KEY_new();
-    if (!key) {
-+    EC_KEY *ecc = EC_KEY_new();
-+    if (!ecc) {
-         LOGE("oom");
-         return CKR_HOST_MEMORY;
-     }
- 
-    CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-    if (!ecparams) {
-        LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-        return CKR_GENERAL_ERROR;
-    }
-
-    CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-    if (!ecpoint) {
-        LOGE("ECC Key must have attribute CKA_EC_POINT");
-        return CKR_GENERAL_ERROR;
-    }
-
-     /* set params */
-     const unsigned char *x = ecparams->pValue;
-    EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen);
-+    EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen);
-     if (!k) {
-         SSL_UTIL_LOGE("Could not update key with EC Parameters");
-        EC_KEY_free(key);
-+        EC_KEY_free(ecc);
-         return CKR_GENERAL_ERROR;
-     }
- 
-@@ -215,22 +250,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY *
-     ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen);
-     if (os) {
-         x = os->data;
-        k = o2i_ECPublicKey(&key, &x, os->length);
-+        k = o2i_ECPublicKey(&ecc, &x, os->length);
-         ASN1_STRING_free(os);
-         if (!k) {
-             SSL_UTIL_LOGE("Could not update key with EC Points");
-            EC_KEY_free(key);
-+            EC_KEY_free(ecc);
-             return CKR_GENERAL_ERROR;
-         }
-     }
- 
-    *outkey = key;
-+    EVP_PKEY *pkey = EVP_PKEY_new();
-+    if (!pkey) {
-+        SSL_UTIL_LOGE("EVP_PKEY_new");
-+        EC_KEY_free(ecc);
-+        return CKR_GENERAL_ERROR;
-+    }
-+
-+    int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc);
-+    if (!rc) {
-+        SSL_UTIL_LOGE("Could not set pkey with ec key");
-+        EC_KEY_free(ecc);
-+        EVP_PKEY_free(pkey);
-+        return CKR_GENERAL_ERROR;
-+    }
-+
-+    *out_pkey = pkey;
-     return CKR_OK;
- }
-+#endif
- 
-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) {
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) {
- 
-    CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE);
-+    CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE);
-     if (!a) {
-         LOGE("Expected object to have attribute CKA_KEY_TYPE");
-         return CKR_KEY_TYPE_INCONSISTENT;
-@@ -253,44 +304,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY *
-            return CKR_OK;
-     }
- 
-    EVP_PKEY *pkey = EVP_PKEY_new();
-    if (!pkey) {
-        LOGE("oom");
-        return CKR_HOST_MEMORY;
-    }
-+    EVP_PKEY *pkey = NULL;
- 
-     if (key_type == CKK_EC) {
-        EC_KEY *e = NULL;
-        rv = convert_pubkey_ECC(&e, obj->attrs);
-        if (rv != CKR_OK) {
-            return rv;
-+
-+        CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS);
-+        if (!ecparams) {
-+            LOGE("ECC Key must have attribute CKA_EC_PARAMS");
-+            return CKR_GENERAL_ERROR;
-         }
-        int rc = EVP_PKEY_assign_EC_KEY(pkey, e);
-        if (!rc) {
-            SSL_UTIL_LOGE("Could not set pkey with ec key");
-            EC_KEY_free(e);
-            EVP_PKEY_free(pkey);
-+
-+        CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT);
-+        if (!ecpoint) {
-+            LOGE("ECC Key must have attribute CKA_EC_POINT");
-             return CKR_GENERAL_ERROR;
-         }
-    } else if (key_type == CKK_RSA) {
-        RSA *r = NULL;
-        rv = convert_pubkey_RSA(&r, obj->attrs);
-+
-+        rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey);
-         if (rv != CKR_OK) {
-             return rv;
-         }
-        int rc = EVP_PKEY_assign_RSA(pkey, r);
-        if (!rc) {
-            SSL_UTIL_LOGE("Could not set pkey with rsa key");
-            RSA_free(r);
-            EVP_PKEY_free(pkey);
-+
-+    } else if (key_type == CKK_RSA) {
-+
-+        CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT);
-+        if (!exp) {
-+            LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT");
-             return CKR_GENERAL_ERROR;
-         }
-+
-+        CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS);
-+        if (!mod) {
-+            LOGE("RSA Object must have attribute CKA_MODULUS");
-+            return CKR_GENERAL_ERROR;
-+        }
-+
-+        rv = get_RSA_evp_pubkey(exp, mod, &pkey);
-+        if (rv != CKR_OK) {
-+            return rv;
-+        }
-+
-     } else {
-         LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type);
-        EVP_PKEY_free(pkey);
-         return CKR_KEY_TYPE_INCONSISTENT;
-     }
- 
-+    assert(pkey);
-     *outpkey = pkey;
- 
-     return CKR_OK;
-@@ -406,10 +465,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
-         }
-     }
- 
-    rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-    if (!rc) {
-        SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-        goto error;
-+    if (md) {
-+        rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md);
-+        if (!rc) {
-+            SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed");
-+            goto error;
-+        }
-     }
- 
-     *outpkey_ctx = pkey_ctx;
-@@ -421,21 +482,12 @@ error:
-     return CKR_GENERAL_ERROR;
- }
- 
-static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-        int padding, const EVP_MD *md,
-        CK_BYTE_PTR digest, CK_ULONG digest_len,
-        CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+static CK_RV sig_verify(EVP_PKEY_CTX *ctx,
-+        const unsigned char *sig, size_t siglen,
-+        const unsigned char *tbs, size_t tbslen) {
- 
-     CK_RV rv = CKR_GENERAL_ERROR;
-
-    EVP_PKEY_CTX *pkey_ctx = NULL;
-    rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-            EVP_PKEY_verify_init, &pkey_ctx);
-    if (rv != CKR_OK) {
-        return rv;
-    }
-
-    int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+    int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen);
-     if (rc < 0) {
-         SSL_UTIL_LOGE("EVP_PKEY_verify failed");
-     } else if (rc == 1) {
-@@ -444,11 +496,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY
-         rv = CKR_SIGNATURE_INVALID;
-     }
- 
-    EVP_PKEY_CTX_free(pkey_ctx);
-     return rv;
- }
- 
-static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) {
-+static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen,
-+        unsigned char  **outbuf, size_t *outlen) {
- 
-     if (siglen & 1) {
-         LOGE("Expected ECDSA signature length to be even, got : %lu",
-@@ -487,21 +539,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT
-         return CKR_GENERAL_ERROR;
-     }
- 
-    *outsig = ossl_sig;
-+    int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL);
-+    if (sig_len <= 0) {
-+        if (rc < 0) {
-+            SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+        } else {
-+            LOGE("Expected length to be greater than 0");
-+        }
-+        ECDSA_SIG_free(ossl_sig);
-+        return CKR_GENERAL_ERROR;
-+    }
-+
-+    unsigned char *buf = calloc(1, sig_len);
-+    if (!buf) {
-+        LOGE("oom");
-+        ECDSA_SIG_free(ossl_sig);
-+        return CKR_HOST_MEMORY;
-+    }
-+
-+    unsigned char *p = buf;
-+    int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p);
-+    if (sig_len2 < 0) {
-+        SSL_UTIL_LOGE("ECDSA_do_verify failed");
-+        ECDSA_SIG_free(ossl_sig);
-+        free(buf);
-+        return CKR_GENERAL_ERROR;
-+    }
-+
-+    assert(sig_len == sig_len2);
-+
-+    ECDSA_SIG_free(ossl_sig);
-+
-+    *outbuf = buf;
-+    *outlen = sig_len;
- 
-     return CKR_OK;
- }
- 
- static CK_RV do_sig_verify_ec(EVP_PKEY *pkey,
-+        const EVP_MD *md,
-         CK_BYTE_PTR digest, CK_ULONG digest_len,
-         CK_BYTE_PTR signature, CK_ULONG signature_len) {
- 
-    EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey);
-    if (!eckey) {
-        LOGE("Expected EC Key");
-        return CKR_GENERAL_ERROR;
-    }
-
-     /*
-      * OpenSSL expects ASN1 framed signatures, PKCS11 does flat
-      * R + S signatures, so convert it to ASN1 framing.
-@@ -509,21 +588,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY *
-      *   https://github.com/tpm2-software/tpm2-pkcs11/issues/277
-      * For details.
-      */
-    ECDSA_SIG *ossl_sig = NULL;
-    CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig);
-+    unsigned char *buf = NULL;
-+    size_t buflen = 0;
-+    CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen);
-     if (rv != CKR_OK) {
-         return rv;
-     }
- 
-    int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey);
-    if (rc < 0) {
-        ECDSA_SIG_free(ossl_sig);
-        SSL_UTIL_LOGE("ECDSA_do_verify failed");
-        return CKR_GENERAL_ERROR;
-+    EVP_PKEY_CTX *pkey_ctx = NULL;
-+    rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md,
-+            EVP_PKEY_verify_init, &pkey_ctx);
-+    if (rv != CKR_OK) {
-+        free(buf);
-+        return rv;
-     }
-    ECDSA_SIG_free(ossl_sig);
- 
-    return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
-+    rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len);
-+
-+    EVP_PKEY_CTX_free(pkey_ctx);
-+    free(buf);
-+
-+    return rv;
-+}
-+
-+static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey,
-+        int padding, const EVP_MD *md,
-+        CK_BYTE_PTR digest, CK_ULONG digest_len,
-+        CK_BYTE_PTR signature, CK_ULONG signature_len) {
-+
-+    CK_RV rv = CKR_GENERAL_ERROR;
-+
-+    EVP_PKEY_CTX *pkey_ctx = NULL;
-+    rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md,
-+            EVP_PKEY_verify_init, &pkey_ctx);
-+    if (rv != CKR_OK) {
-+        return rv;
-+    }
-+
-+    rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len);
-+
-+    EVP_PKEY_CTX_free(pkey_ctx);
-+    return rv;
- }
- 
- CK_RV ssl_util_sig_verify(EVP_PKEY *pkey,
-@@ -538,7 +643,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey
-                 digest, digest_len,
-                 signature, signature_len);
-     case EVP_PKEY_EC:
-        return do_sig_verify_ec(pkey, digest, digest_len,
-+        return do_sig_verify_ec(pkey, md, digest, digest_len,
-                 signature, signature_len);
-     default:
-         LOGE("Unknown PKEY type, got: %d", type);
-@@ -577,3 +682,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY *
-     EVP_PKEY_CTX_free(pkey_ctx);
-     return rv;
- }
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt) {
-+
-+
-+    twist out = NULL;
-+    unsigned char md[SHA256_DIGEST_LENGTH];
-+
-+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-+    if (!ctx) {
-+        SSL_UTIL_LOGE("EVP_MD_CTX_new");
-+        return NULL;
-+    }
-+
-+    int rc = EVP_DigestInit(ctx, EVP_sha256());
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_DigestInit");
-+        goto error;
-+    }
-+
-+    rc = EVP_DigestUpdate(ctx, pin, twist_len(pin));
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_DigestUpdate");
-+        goto error;
-+    }
-+
-+    rc = EVP_DigestUpdate(ctx, salt, twist_len(salt));
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_DigestUpdate");
-+        goto error;
-+    }
-+
-+    unsigned int len = sizeof(md);
-+    rc = EVP_DigestFinal(ctx, md, &len);
-+    if (rc != 1) {
-+        SSL_UTIL_LOGE("EVP_DigestFinal");
-+        goto error;
-+    }
-+
-+    /* truncate the password to 32 characters */
-+    out = twist_hex_new((char *)md, sizeof(md)/2);
-+
-+error:
-+    EVP_MD_CTX_free(ctx);
-+
-+    return out;
-+}
-+
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
-+
-+    const unsigned char *p = ecparams->pValue;
-+
-+    ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-+    if (!a) {
-+        LOGE("Unknown CKA_EC_PARAMS value");
-+        return CKR_ATTRIBUTE_VALUE_INVALID;
-+    }
-+
-+    *nid = OBJ_obj2nid(a);
-+    ASN1_OBJECT_free(a);
-+
-+    return CKR_OK;
-+}
-Index: git/src/lib/ssl_util.h
-===================================================================
--- git.orig/src/lib/ssl_util.h
-+++ git/src/lib/ssl_util.h
-@@ -11,8 +11,8 @@
- 
- #include "pkcs11.h"
- 
-+#include "attrs.h"
- #include "log.h"
-#include "object.h"
- #include "twist.h"
- 
- #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
-@@ -22,6 +22,10 @@
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
- 
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#endif
-+
- /* OpenSSL Backwards Compat APIs */
- #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
- #include <string.h>
-@@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const
- 
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
- 
-CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj);
-+CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
- 
- CK_RV ssl_util_encrypt(EVP_PKEY *pkey,
-         int padding, twist label, const EVP_MD *md,
-@@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK
-         fn_EVP_PKEY_init init_fn,
-         EVP_PKEY_CTX **outpkey_ctx);
- 
-+CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey,
-+        const CK_BYTE_PTR inbuf, const EVP_MD *md,
-+        CK_BYTE_PTR outbuf);
-+
-+CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen,
-+        CK_BYTE_PTR outbuf, CK_ULONG outbuflen);
-+
-+CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len,
-+        CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen);
-+
-+twist ssl_util_hash_pass(const twist pin, const twist salt);
-+
-+/**
-+ * Given an attribute of CKA_EC_PARAMS returns the nid value.
-+ * @param ecparams
-+ *  The DER X9.62 parameters value
-+ * @param nid
-+ *  The nid to set
-+ * @return
-+ *  CKR_OK on success.
-+ */
-+CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
-+
- #endif /* SRC_LIB_SSL_UTIL_H_ */
-Index: git/src/lib/tpm.c
-===================================================================
--- git.orig/src/lib/tpm.c
-+++ git/src/lib/tpm.c
-@@ -3099,7 +3099,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT
-     tpm_key_data *keydat = (tpm_key_data *)udata;
- 
-     int nid = 0;
-    CK_RV rv = ec_params_to_nid(attr, &nid);
-+    CK_RV rv = ssl_util_params_to_nid(attr, &nid);
-     if (rv != CKR_OK) {
-         return rv;
-     }
-@@ -3451,7 +3451,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_
-         goto out;
-     }
- 
-    int rc = EC_POINT_set_affine_coordinates_GFp(group,
-+    int rc = EC_POINT_set_affine_coordinates(group,
-             pub_key_point_tmp,
-             bn_x,
-             bn_y,
-@@ -4579,7 +4579,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct
-         goto out;
-     }
- 
-    rv = ssl_util_tobject_to_evp(&pkey, tobj);
-+    rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey);
-     if (rv != CKR_OK) {
-         goto out;
-     }
-Index: git/src/lib/utils.c
-===================================================================
--- git.orig/src/lib/utils.c
-+++ git/src/lib/utils.c
-@@ -7,6 +7,7 @@
- #include <openssl/sha.h>
- 
- #include "log.h"
-+#include "ssl_util.h"
- #include "token.h"
- #include "utils.h"
- 
-@@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist
-         pin_to_use = newpin;
-     }
- 
-    *newauthhex = utils_hash_pass(pin_to_use, salt_to_use);
-+    *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use);
-     if (!*newauthhex) {
-         goto out;
-     }
-@@ -330,22 +331,6 @@ out:
- 
- }
- 
-twist utils_hash_pass(const twist pin, const twist salt) {
-
-
-    unsigned char md[SHA256_DIGEST_LENGTH];
-
-    SHA256_CTX sha256;
-    SHA256_Init(&sha256);
-
-    SHA256_Update(&sha256, pin, twist_len(pin));
-    SHA256_Update(&sha256, salt, twist_len(salt));
-    SHA256_Final(md, &sha256);
-
-    /* truncate the password to 32 characters */
-    return twist_hex_new((char *)md, sizeof(md)/2);
-}
-
- size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) {
- 
-     switch(mttype) {
-@@ -448,22 +433,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp
- 
-     return CKR_OK;
- }
-
-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) {
-
-    const unsigned char *p = ecparams->pValue;
-
-    ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen);
-    if (!a) {
-        LOGE("Unknown CKA_EC_PARAMS value");
-        return CKR_ATTRIBUTE_VALUE_INVALID;
-    }
-
-    *nid = OBJ_obj2nid(a);
-    ASN1_OBJECT_free(a);
-
-    return CKR_OK;
-}
- 
- CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen,
-         CK_BYTE_PTR out, CK_ULONG_PTR outlen) {
-Index: git/src/lib/utils.h
-===================================================================
--- git.orig/src/lib/utils.h
-+++ git/src/lib/utils.h
-@@ -45,8 +45,6 @@ static inline void _str_padded_copy(CK_U
-     memcpy(dst, src, src_len);
- }
- 
-twist utils_hash_pass(const twist pin, const twist salt);
-
- twist aes256_gcm_decrypt(const twist key, const twist objauth);
- 
- twist aes256_gcm_encrypt(twist keybin, twist plaintextbin);
-@@ -77,17 +75,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra
- CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth);
- 
- /**
- * Given an attribute of CKA_EC_PARAMS returns the nid value.
- * @param ecparams
- *  The DER X9.62 parameters value
- * @param nid
- *  The nid to set
- * @return
- *  CKR_OK on success.
- */
-CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid);
-
-/**
-  * Removes a PKCS7 padding on a 16 byte block.
-  * @param in
-  *  The PKCS5 padded input.
-Index: git/test/integration/pkcs-sign-verify.int.c
-===================================================================
--- git.orig/test/integration/pkcs-sign-verify.int.c
-+++ git/test/integration/pkcs-sign-verify.int.c
-@@ -1061,70 +1061,13 @@ static void test_double_sign_final_call_
-     assert_int_equal(rv, CKR_OK);
- }
- 
-static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
-
-    CK_ULONG i;
-    for (i=0; i < attr_len; i++) {
-        CK_ATTRIBUTE_PTR a = &attrs[i];
-        if (a->type == type) {
-            return a;
-        }
-    }
-
-    return NULL;
-}
-
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
-#endif
-
-RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) {
-
-    RSA *ssl_rsa_key = NULL;
-    BIGNUM *e = NULL, *n = NULL;
-
-    /* get the exponent */
-    CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len);
-    assert_non_null(a);
-
-    e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL);
-    assert_non_null(e);
-
-    /* get the modulus */
-    a = get_attr(CKA_MODULUS, attrs, attr_len);
-    assert_non_null(a);
-
-    n = BN_bin2bn(a->pValue, a->ulValueLen,
-                  NULL);
-    assert_non_null(n);
-
-    ssl_rsa_key = RSA_new();
-    assert_non_null(ssl_rsa_key);
-
-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-    ssl_rsa_key->e = e;
-    ssl_rsa_key->n = n;
-#else
-    int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL);
-    assert_int_equal(rc, 1);
-#endif
-
-    return ssl_rsa_key;
-}
-
-static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
-
-    EVP_PKEY *pkey = EVP_PKEY_new();
-    assert_non_null(pkey);
-
-    int rc = EVP_PKEY_set1_RSA(pkey, pub);
-    assert_int_equal(rc, 1);
-+static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) {
- 
-     EVP_MD_CTX *ctx = EVP_MD_CTX_create();
-     const EVP_MD* md = EVP_get_digestbyname("SHA256");
-     assert_non_null(md);
- 
-    rc = EVP_DigestInit_ex(ctx, md, NULL);
-+    int rc = EVP_DigestInit_ex(ctx, md, NULL);
-     assert_int_equal(rc, 1);
- 
-     rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
-@@ -1136,7 +1079,6 @@ static void verify(RSA *pub, CK_BYTE_PTR
-     rc = EVP_DigestVerifyFinal(ctx, sig, sig_len);
-     assert_int_equal(rc, 1);
- 
-    EVP_PKEY_free(pkey);
-     EVP_MD_CTX_destroy(ctx);
- }
- 
-@@ -1170,20 +1112,38 @@ static void test_sign_verify_public(void
-     assert_int_equal(siglen, 256);
- 
-     /* build an OSSL RSA key from parts */
-    CK_BYTE _tmp_bufs[2][1024];
-+    CK_BYTE _tmp_bufs[3][1024];
-     CK_ATTRIBUTE attrs[] = {
-        { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-        { .type = CKA_MODULUS,         .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] },
-+        { .type = CKA_KEY_TYPE,        .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] },
-+        { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] },
-+        { .type = CKA_MODULUS,         .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] },
-     };
- 
-     rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs));
-     assert_int_equal(rv, CKR_OK);
- 
-    RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs));
-    assert_non_null(r);
-+    CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD;
-+    rv = attr_CK_KEY_TYPE(&attrs[0], &key_type);
-+    assert_int_equal(rv, CKR_OK);
-+
-+    EVP_PKEY *pkey = NULL;
-+    attr_list *l = attr_list_new();
-+
-+    bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type);
-+    assert_true(res);
- 
-    verify(r, msg, sizeof(msg) - 1, sig, siglen);
-    RSA_free(r);
-+    res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen);
-+    assert_true(res);
-+
-+    res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen);
-+    assert_true(res);
-+
-+    rv = ssl_util_attrs_to_evp(l, &pkey);
-+    assert_int_equal(rv, CKR_OK);
-+    attr_list_free(l);
-+
-+    verify(pkey, msg, sizeof(msg) - 1, sig, siglen);
-+    EVP_PKEY_free(pkey);
- }
- 
- static void test_sign_verify_context_specific_good(void **state) {
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
deleted file mode 100644
index ef0a6dc..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/0002-ossl-require-version-1.1.0-or-greater.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From d33e5ef0b11125fe4683d7bfa17023e24997f587 Mon Sep 17 00:00:00 2001
-From: William Roberts <william.c.roberts@intel.com>
-Date: Fri, 3 Sep 2021 11:30:50 -0500
-Subject: [PATCH 2/2] ossl: require version 1.1.0 or greater
-THIS DROPS SUPPORT FOR OSSL 1.0.2.
-Signed-off-by: William Roberts <william.c.roberts@intel.com>
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
- configure.ac       |  2 +-
- src/lib/ssl_util.h | 43 +++++--------------------------------------
- 2 files changed, 6 insertions(+), 39 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index a7aeaf5..94fb5d4 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -55,7 +55,7 @@ PKG_CHECK_EXISTS([tss2-esys >= 3.0],
- # require sqlite3 and libcrypto
- PKG_CHECK_MODULES([SQLITE3],     [sqlite3])
- PKG_CHECK_MODULES([YAML],        [yaml-0.1])
-PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.0.2g])
-+PKG_CHECK_MODULES([CRYPTO],      [libcrypto >= 1.1.0])
- 
- # check for pthread
- AX_PTHREAD([],[AC_MSG_ERROR([Cannot find pthread])])
-diff --git a/src/lib/ssl_util.h b/src/lib/ssl_util.h
-index 9909fd6..2591728 100644
--- a/src/lib/ssl_util.h
-+++ b/src/lib/ssl_util.h
-@@ -15,51 +15,18 @@
- #include "log.h"
- #include "twist.h"
- 
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */
-#define LIB_TPM2_OPENSSL_OPENSSL_PRE11
-/* LibreSSL does not appear to have evperr.h, so their is no need to define this otherwise */
-#elif (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) /* OpenSSL 1.1.1 */
- #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f
- #endif
- 
-#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
-+#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST111)
-+#include <openssl/evperr.h>
- #endif
- 
-/* OpenSSL Backwards Compat APIs */
-#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11)
-#include <string.h>
-size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
-                          point_conversion_form_t form,
-                          unsigned char **pbuf, BN_CTX *ctx);
-
-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
-
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-
-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-
-EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
-
-static inline void *OPENSSL_memdup(const void *dup, size_t l) {
-
-    void *p = OPENSSL_malloc(l);
-    if (!p) {
-        return NULL;
-    }
-
-    memcpy(p, dup, l);
-    return p;
-}
-
-#endif
-
-#ifndef RSA_PSS_SALTLEN_DIGEST
-#define RSA_PSS_SALTLEN_DIGEST -1
-+#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */
-+#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f
- #endif
- 
-/* Utility APIs */
-
- #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL));
- 
- CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey);
-- 
-2.25.1
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch b/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
deleted file mode 100644
index d38e237..0000000
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/bootstrap_fixup.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Upstream-Status: OE specific
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: git/bootstrap
-===================================================================
--- git.orig/bootstrap
-+++ git/bootstrap
-@@ -27,4 +27,3 @@ echo "Generating file lists: ${VARS_FILE
- ) > ${VARS_FILE}
- 
- mkdir -p m4
-${AUTORECONF} --install --sym $@
diff --git a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
index 177c3c3..a9174e6 100644
--- a/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.7.0.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.8.0.bb
@@ -6,21 +6,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab"
 DEPENDS = "autoconf-archive pkgconfig sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native"
-SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master;protocol=https \
+SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-           file://bootstrap_fixup.patch \
-           file://0001-remove-local-binary-checkes.patch \
-           file://0001-ssl-compile-against-OSSL-3.0.patch \
-           file://0002-ossl-require-version-1.1.0-or-greater.patch \
-           "
-SRCREV = "11fd2532ce10e97834a57dfb25bff6c613a5a851"
+SRC_URI[sha256sum] = "79f28899047defd6b4b72b7268dd56abf27774954022315f818c239af33e05bd"
-S = "${WORKDIR}/git"
 inherit autotools-brokensep pkgconfig python3native
-do_configure:prepend () {
+EXTRA_OECONF += "--disable-ptool-checks"
-    ${S}/bootstrap
+do_configure:prepend() {
+    # do not extract the version number from git
+    sed -i -e 's/m4_esyscmd_s(\[git describe --tags --always --dirty\])/${PV}/' ${S}/configure.ac
 }
 do_compile:append() {