
a56c8e
From f328c68cba9d5511b7d2d2615b3a28987edbdfac Mon Sep 17 00:00:00 2001
a56c8e
From: Petr Gotthard <petr.gotthard@centrum.cz>
a56c8e
Date: Sun, 18 Jul 2021 21:30:59 +0200
a56c8e
Subject: Implement EVP_PKEY export/import for OpenSSL 3.0
a56c8e
MIME-Version: 1.0
a56c8e
Content-Type: text/plain; charset=UTF-8
a56c8e
Content-Transfer-Encoding: 8bit
a56c8e
a56c8e
The `RSA_KEY` and `EC_KEY` are not publicly available in OpenSSL 3.0 and
a56c8e
the generic `EVP_PKEY` must be used instead.
a56c8e
Since export/import of raw keys still requires access to the internal structures
a56c8e
the OpenSSL 3.0 introduced a completely new approach to access key internals.
a56c8e
a56c8e
This PR:
a56c8e
 - preserves the current export/import implementation for OpenSSL 1.1.x
a56c8e
 - implements key export/import for OpenSSL 3.0.0
a56c8e
a56c8e
Signed-off-by: Petr Gotthard <petr.gotthard@centrum.cz>
a56c8e
---
a56c8e
 src/tss2-esys/esys_crypto_ossl.c | 154 ++++++++++++-----
a56c8e
 src/tss2-fapi/fapi_crypto.c      | 275 +++++++++++++++++++++----------
a56c8e
 test/helper/tpm_getek.c          |  53 +++---
a56c8e
 test/helper/tpm_getek_ecc.c      |  61 +++++--
a56c8e
 4 files changed, 386 insertions(+), 157 deletions(-)
a56c8e
a56c8e
diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
a56c8e
index a6259346..392f97ae 100644
a56c8e
--- a/src/tss2-esys/esys_crypto_ossl.c
a56c8e
+++ b/src/tss2-esys/esys_crypto_ossl.c
a56c8e
@@ -8,9 +8,17 @@
a56c8e
 #include <config.h>
a56c8e
 #endif
a56c8e
 
a56c8e
+#include <openssl/rand.h>
a56c8e
 #include <openssl/evp.h>
a56c8e
-#include <openssl/aes.h>
a56c8e
 #include <openssl/rsa.h>
a56c8e
+#include <openssl/ec.h>
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+#include <openssl/aes.h>
a56c8e
+#else
a56c8e
+#include <openssl/core_names.h>
a56c8e
+#include <openssl/params.h>
a56c8e
+#include <openssl/param_build.h>
a56c8e
+#endif
a56c8e
 #include <openssl/engine.h>
a56c8e
 #include <stdio.h>
a56c8e
 
a56c8e
@@ -324,9 +332,14 @@ iesys_cryptossl_hmac_start(IESYS_CRYPTO_CONTEXT_BLOB ** context,
a56c8e
                    "Error EVP_MD_CTX_create", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
a56c8e
     if (!(hkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, size))) {
a56c8e
+#else
a56c8e
+    /* this is preferred, but available since OpenSSL 1.1.1 only */
a56c8e
+    if (!(hkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, key, size))) {
a56c8e
+#endif
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "EVP_PKEY_new_mac_key", cleanup);
a56c8e
+                   "Failed to create HMAC key", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
     if(1 != EVP_DigestSignInit(mycontext->hmac.ossl_context, NULL,
a56c8e
@@ -517,7 +530,10 @@ iesys_cryptossl_hmac_abort(IESYS_CRYPTO_CONTEXT_BLOB ** context)
a56c8e
 TSS2_RC
a56c8e
 iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
a56c8e
 {
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     const RAND_METHOD *rand_save = RAND_get_rand_method();
a56c8e
+    RAND_set_rand_method(RAND_OpenSSL());
a56c8e
+#endif
a56c8e
 
a56c8e
     if (num_bytes == 0) {
a56c8e
         nonce->size = sizeof(TPMU_HA);
a56c8e
@@ -525,13 +541,16 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
a56c8e
         nonce->size = num_bytes;
a56c8e
     }
a56c8e
 
a56c8e
-    RAND_set_rand_method(RAND_OpenSSL());
a56c8e
     if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
         RAND_set_rand_method(rand_save);
a56c8e
+#endif
a56c8e
         return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
                      "Failure in random number generator.");
a56c8e
     }
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     RAND_set_rand_method(rand_save);
a56c8e
+#endif
a56c8e
     return TSS2_RC_SUCCESS;
a56c8e
 }
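Review bot: Under OpenSSL 3.0 the `RAND_set_rand_method(RAND_OpenSSL())` override is compiled out entirely, so `RAND_bytes` in this function now draws from whatever DRBG the process has configured (including a provider-supplied one), whereas the 1.1 path still forces the library's own generator. If the override existed to keep a TPM-backed engine from being re-entered while a session nonce is generated, that protection is silently gone on 3.0; either draw from a dedicated `OSSL_LIB_CTX` via `RAND_bytes_ex`, or record the decision with a comment such as `/* OpenSSL 3.0: no RAND_METHOD override; the default provider DRBG is trusted for session nonces */`. The reason for the original override is not visible in this patch, so this is worth confirming with the author.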
a56c8e
 
a56c8e
@@ -558,30 +577,33 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
a56c8e
                            BYTE * out_buffer,
a56c8e
                            size_t * out_size, const char *label)
a56c8e
 {
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    RSA *rsa_key = NULL;
a56c8e
     const RAND_METHOD *rand_save = RAND_get_rand_method();
a56c8e
+
a56c8e
     RAND_set_rand_method(RAND_OpenSSL());
a56c8e
+#else
a56c8e
+    OSSL_PARAM *params = NULL;
a56c8e
+    OSSL_PARAM_BLD *build = NULL;
a56c8e
+#endif
a56c8e
 
a56c8e
     TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
     const EVP_MD * hashAlg = NULL;
a56c8e
-    RSA * rsa_key = NULL;
a56c8e
     EVP_PKEY *evp_rsa_key = NULL;
a56c8e
-    EVP_PKEY_CTX *ctx = NULL;
a56c8e
-    BIGNUM* bne = NULL;
a56c8e
+    EVP_PKEY_CTX *genctx = NULL, *ctx = NULL;
a56c8e
+    BIGNUM *bne = NULL, *n = NULL;
a56c8e
     int padding;
a56c8e
     char *label_copy = NULL;
a56c8e
 
a56c8e
     if (!(hashAlg = get_ossl_hash_md(pub_tpm_key->publicArea.nameAlg))) {
a56c8e
         LOG_ERROR("Unsupported hash algorithm (%"PRIu16")",
a56c8e
                   pub_tpm_key->publicArea.nameAlg);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
         RAND_set_rand_method(rand_save);
a56c8e
+#endif
a56c8e
         return TSS2_ESYS_RC_NOT_IMPLEMENTED;
a56c8e
     }
a56c8e
 
a56c8e
-    if (!(bne = BN_new())) {
a56c8e
-        goto_error(r, TSS2_ESYS_RC_MEMORY,
a56c8e
-                   "Could not allocate Big Number", cleanup);
a56c8e
-    }
a56c8e
-
a56c8e
     switch (pub_tpm_key->publicArea.parameters.rsaDetail.scheme.scheme) {
a56c8e
     case TPM2_ALG_NULL:
a56c8e
         padding = RSA_NO_PADDING;
a56c8e
@@ -601,44 +623,64 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
a56c8e
         exp = 65537;
a56c8e
     else
a56c8e
         exp = pub_tpm_key->publicArea.parameters.rsaDetail.exponent;
a56c8e
-    if (1 != BN_set_word(bne, exp)) {
a56c8e
+
a56c8e
+    if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
a56c8e
+                        pub_tpm_key->publicArea.unique.rsa.size,
a56c8e
+                        NULL))) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Could not set exponent.", cleanup);
a56c8e
+                   "Could not create rsa n.", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     if (!(rsa_key = RSA_new())) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_MEMORY,
a56c8e
                    "Could not allocate RSA key", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    if (1 != RSA_generate_key_ex(rsa_key,
a56c8e
-                                 pub_tpm_key->publicArea.parameters.rsaDetail.keyBits,
a56c8e
-                                 bne, NULL)) {
a56c8e
-        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key",
a56c8e
-                   cleanup);
a56c8e
+    if (!(bne = BN_new())) {
a56c8e
+        goto_error(r, TSS2_ESYS_RC_MEMORY,
a56c8e
+                   "Could not allocate Big Number", cleanup);
a56c8e
     }
a56c8e
-
a56c8e
-    if (!(evp_rsa_key = EVP_PKEY_new())) {
a56c8e
+    if (1 != BN_set_word(bne, exp)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Could not create evp key.", cleanup);
a56c8e
+                   "Could not set exponent.", cleanup);
a56c8e
     }
a56c8e
-    BIGNUM *n = NULL;
a56c8e
-    if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
a56c8e
-                        pub_tpm_key->publicArea.unique.rsa.size,
a56c8e
-                        NULL))) {
a56c8e
+
a56c8e
+    if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Could not create rsa n.", cleanup);
a56c8e
+                   "Could not set rsa n.", cleanup);
a56c8e
     }
a56c8e
+    /* ownership got transferred */
a56c8e
+    n = NULL;
a56c8e
+    bne = NULL;
a56c8e
 
a56c8e
-    if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) {
a56c8e
+    if (!(evp_rsa_key = EVP_PKEY_new())) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Could not set rsa n.", cleanup);
a56c8e
+                   "Could not create evp key.", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
a56c8e
+    if (1 != EVP_PKEY_assign_RSA(evp_rsa_key, rsa_key)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
                    "Could not set rsa key.", cleanup);
a56c8e
     }
a56c8e
+    /* ownership got transferred */
a56c8e
+    rsa_key = NULL;
a56c8e
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
a56c8e
+    if ((build = OSSL_PARAM_BLD_new()) == NULL
a56c8e
+            || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
a56c8e
+            || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
a56c8e
+            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
a56c8e
+        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa parameters.",
a56c8e
+                   cleanup);
a56c8e
+    }
a56c8e
+
a56c8e
+    if ((genctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
a56c8e
+            || EVP_PKEY_fromdata_init(genctx) <= 0
a56c8e
+            || EVP_PKEY_fromdata(genctx, &evp_rsa_key, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
a56c8e
+        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not create rsa key.",
a56c8e
+                   cleanup);
a56c8e
+    }
a56c8e
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
a56c8e
 
a56c8e
     if (!(ctx = EVP_PKEY_CTX_new(evp_rsa_key, NULL))) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
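Review bot: The modulus `n` built at the `BN_bin2bn` call is handed to `RSA_set0_key` / `OSSL_PARAM_BLD_push_BN` without any check that it matches `rsaDetail.keyBits`, so a truncated or zero-length `unique.rsa` yields a usable public key under a short modulus and the session salt is then encrypted to it. A one-line guard placed before the `#if` keeps both branches honest: `if (BN_num_bits(n) != pub_tpm_key->publicArea.parameters.rsaDetail.keyBits) goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "RSA modulus size does not match keyBits", cleanup);`. Whether callers already validate the TPM2B_PUBLIC against the object Name before reaching this function is not visible here. The function continues past the hunk.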
a56c8e
@@ -692,11 +734,18 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
a56c8e
     r = TSS2_RC_SUCCESS;
a56c8e
 
a56c8e
  cleanup:
a56c8e
+    OSSL_FREE(genctx, EVP_PKEY_CTX);
a56c8e
     OSSL_FREE(ctx, EVP_PKEY_CTX);
a56c8e
     OSSL_FREE(evp_rsa_key, EVP_PKEY);
a56c8e
-    OSSL_FREE(rsa_key, RSA);
a56c8e
     OSSL_FREE(bne, BN);
a56c8e
+    OSSL_FREE(n, BN);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    OSSL_FREE(rsa_key, RSA);
a56c8e
     RAND_set_rand_method(rand_save);
a56c8e
+#else
a56c8e
+    OSSL_FREE(params, OSSL_PARAM);
a56c8e
+    OSSL_FREE(build, OSSL_PARAM_BLD);
a56c8e
+#endif
a56c8e
     return r;
a56c8e
 }
a56c8e
 
a56c8e
@@ -784,8 +833,14 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
a56c8e
 {
a56c8e
     TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
     EC_GROUP *group = NULL;               /* Group defines the used curve */
a56c8e
-    EC_KEY *eph_ec_key = NULL;            /* Ephemeral ec key of application */
a56c8e
+    EVP_PKEY_CTX *ctx = NULL;
a56c8e
+    EVP_PKEY *eph_pkey = NULL;
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     const EC_POINT *eph_pub_key = NULL;   /* Public part of ephemeral key */
a56c8e
+    const BIGNUM *eph_priv_key = NULL;
a56c8e
+#else
a56c8e
+    BIGNUM *eph_priv_key = NULL;
a56c8e
+#endif
a56c8e
     EC_POINT *tpm_pub_key = NULL;         /* Public part of TPM key */
a56c8e
     EC_POINT *mul_eph_tpm = NULL;
a56c8e
     BIGNUM *bn_x = NULL;
a56c8e
@@ -827,23 +882,25 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
a56c8e
     }
a56c8e
 
a56c8e
     /* Create ephemeral key */
a56c8e
-    if (!(eph_ec_key = EC_KEY_new())) {
a56c8e
+    if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL)) == NULL
a56c8e
+            || EVP_PKEY_keygen_init(ctx) <= 0) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Create ec key", cleanup);
a56c8e
+                   "Initialize ec key generation", cleanup);
a56c8e
     }
a56c8e
-    if (1 !=   EC_KEY_set_group(eph_ec_key , group)) {
a56c8e
 
a56c8e
-        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Set group", cleanup);
a56c8e
-    }
a56c8e
-
a56c8e
-    if (1 != EC_KEY_generate_key(eph_ec_key)) {
a56c8e
+    if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveId) <= 0
a56c8e
+            || EVP_PKEY_keygen(ctx, &eph_pkey) <= 0) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Generate ec key", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    EC_KEY *eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey);
a56c8e
+
a56c8e
     if (!(eph_pub_key =  EC_KEY_get0_public_key(eph_ec_key))) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get public key", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
+    eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
a56c8e
     if (1 != EC_POINT_is_on_curve(group, eph_pub_key, NULL)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
                    "Ephemeral public key is on curve",cleanup);
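Review bot: `eph_ec_key = EVP_PKEY_get0_EC_KEY(eph_pkey)` in the pre-3.0 branch is not checked before `EC_KEY_get0_public_key(eph_ec_key)` dereferences it; `EVP_PKEY_get0_EC_KEY` returns NULL when the key is not of type EC, and the existing `if (!(eph_pub_key = ...))` test does not cover that case. Since keygen just succeeded this is unlikely to trigger, but every other lookup in this function is checked, so for consistency add `if (!eph_ec_key) goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Get ec key", cleanup);` right after the assignment. The enclosing function continues beyond the hunk.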
a56c8e
@@ -861,8 +918,16 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
a56c8e
     if (1 != EC_POINT_get_affine_coordinates_tss(group, eph_pub_key, bn_x,
a56c8e
                                                  bn_y, NULL)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
-                   "Get affine x coordinate", cleanup);
a56c8e
+                   "Get affine coordinates", cleanup);
a56c8e
+    }
a56c8e
+#else
a56c8e
+    if (!EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_PRIV_KEY, &eph_priv_key)
a56c8e
+            || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_X, &bn_x)
a56c8e
+            || !EVP_PKEY_get_bn_param(eph_pkey, OSSL_PKEY_PARAM_EC_PUB_Y, &bn_y)) {
a56c8e
+        goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
+                   "Get ephemeral key", cleanup);
a56c8e
     }
a56c8e
+#endif
a56c8e
 
a56c8e
     if (1 != iesys_bn2binpad(bn_x, &Q->x.buffer[0], key_size)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
@@ -881,13 +946,11 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
a56c8e
     r = tpm_pub_to_ossl_pub(group, key, &tpm_pub_key);
a56c8e
     goto_if_error(r, "Convert TPM pub point to ossl pub point", cleanup);
a56c8e
 
a56c8e
-    /* Multiply the ephemeral private key with TPM public key */
a56c8e
-    const BIGNUM * eph_priv_key = EC_KEY_get0_private_key(eph_ec_key);
a56c8e
-
a56c8e
     if (!(mul_eph_tpm = EC_POINT_new(group))) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Create point.", cleanup);
a56c8e
     }
a56c8e
 
a56c8e
+    /* Multiply the ephemeral private key with TPM public key */
a56c8e
     if (1 != EC_POINT_mul(group, mul_eph_tpm, NULL,
a56c8e
                           tpm_pub_key, eph_priv_key, NULL)) {
a56c8e
         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
@@ -918,8 +981,13 @@ iesys_cryptossl_get_ecdh_point(TPM2B_PUBLIC *key,
a56c8e
     OSSL_FREE(mul_eph_tpm, EC_POINT);
a56c8e
     OSSL_FREE(tpm_pub_key, EC_POINT);
a56c8e
     OSSL_FREE(group,EC_GROUP);
a56c8e
-    OSSL_FREE(eph_ec_key, EC_KEY);
a56c8e
+    OSSL_FREE(ctx, EVP_PKEY_CTX);
a56c8e
+    OSSL_FREE(eph_pkey, EVP_PKEY);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     /* Note: free of eph_pub_key already done by free of eph_ec_key */
a56c8e
+#else
a56c8e
+    OSSL_FREE(eph_priv_key, BN);
a56c8e
+#endif
a56c8e
     OSSL_FREE(bn_x, BN);
a56c8e
     OSSL_FREE(bn_y, BN);
a56c8e
     return r;
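Review bot: In the 3.0 branch `eph_priv_key` is a caller-owned copy of the ephemeral ECDH private scalar obtained via `EVP_PKEY_get_bn_param`, and `OSSL_FREE(eph_priv_key, BN)` releases it with what is presumably a plain `BN_free`, leaving the scalar readable in freed heap memory. The 1.1 path never had this exposure because the private key lived inside the EC_KEY and `EC_KEY_free` clears it. Free the copy with `BN_clear_free(eph_priv_key);` instead (the `OSSL_FREE` macro is defined outside this patch; if it already maps BN to `BN_clear_free`, this is moot). The coordinates of `mul_eph_tpm`, which form the ECDH shared secret, are extracted past the hunk and would merit the same treatment if they are held in plain BIGNUMs.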
a56c8e
diff --git a/src/tss2-fapi/fapi_crypto.c b/src/tss2-fapi/fapi_crypto.c
a56c8e
index c97b0a1d..c50b5f0a 100644
a56c8e
--- a/src/tss2-fapi/fapi_crypto.c
a56c8e
+++ b/src/tss2-fapi/fapi_crypto.c
a56c8e
@@ -11,10 +11,15 @@
a56c8e
 #include <string.h>
a56c8e
 
a56c8e
 #include <openssl/evp.h>
a56c8e
-#include <openssl/aes.h>
a56c8e
 #include <openssl/rsa.h>
a56c8e
-#include <openssl/engine.h>
a56c8e
 #include <openssl/pem.h>
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+#include <openssl/aes.h>
a56c8e
+#else
a56c8e
+#include <openssl/core_names.h>
a56c8e
+#include <openssl/params.h>
a56c8e
+#include <openssl/param_build.h>
a56c8e
+#endif
a56c8e
 #include <openssl/x509v3.h>
a56c8e
 #include <curl/curl.h>
a56c8e
 #include <openssl/err.h>
a56c8e
@@ -380,66 +385,89 @@ cleanup:
a56c8e
  * @retval TSS2_FAPI_RC_MEMORY if not enough memory can be allocated.
a56c8e
  */
a56c8e
 static TSS2_RC
a56c8e
-ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
a56c8e
+ossl_rsa_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
a56c8e
 {
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    RSA *rsa = NULL;
a56c8e
+#else
a56c8e
+    OSSL_PARAM_BLD *build = NULL;
a56c8e
+    OSSL_PARAM *params = NULL;
a56c8e
+    EVP_PKEY_CTX *ctx = NULL;
a56c8e
+#endif
a56c8e
+
a56c8e
     /* Check for NULL parameters */
a56c8e
     return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
a56c8e
     return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
a56c8e
 
a56c8e
+    TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
     /* Initialize the RSA parameters */
a56c8e
-    TSS2_RC r;
a56c8e
-    RSA *rsa = RSA_new();
a56c8e
-    BIGNUM *e = BN_new();
a56c8e
-    BIGNUM *d = BN_new();
a56c8e
-    BIGNUM *p = BN_new();
a56c8e
-    BIGNUM *q = BN_new();
a56c8e
-    BIGNUM *dmp1 = BN_new();
a56c8e
-    BIGNUM *dmq1 = BN_new();
a56c8e
-    BIGNUM *iqmp = BN_new();
a56c8e
+    BIGNUM *e = NULL;
a56c8e
     BIGNUM *n = BN_bin2bn(tpmPublicKey->publicArea.unique.rsa.buffer,
a56c8e
                           tpmPublicKey->publicArea.unique.rsa.size, NULL);
a56c8e
-
a56c8e
-    if (!n || !e || !d || !p || !q || !dmp1 || !dmq1 || !iqmp || !rsa) {
a56c8e
+    if (!n) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    BN_set_word(d, 0);
a56c8e
-    BN_set_word(p, 0);
a56c8e
-    BN_set_word(q, 0);
a56c8e
-    BN_set_word(dmp1, 0);
a56c8e
-    BN_set_word(dmq1, 0);
a56c8e
-    BN_set_word(iqmp, 0);
a56c8e
     uint32_t exp;
a56c8e
     if (tpmPublicKey->publicArea.parameters.rsaDetail.exponent == 0)
a56c8e
         exp = 65537;
a56c8e
     else
a56c8e
         exp = tpmPublicKey->publicArea.parameters.rsaDetail.exponent;
a56c8e
+
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    if ((rsa = RSA_new()) == NULL) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
a56c8e
+    }
a56c8e
+
a56c8e
+    if ((e = BN_new()) == NULL) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
a56c8e
+    }
a56c8e
     if (1 != BN_set_word(e, exp)) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
                    "Could not set exponent.", error_cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    RSA_set0_key(rsa, n, e, d);
a56c8e
-    RSA_set0_factors(rsa, p, q);
a56c8e
-    RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
a56c8e
+    if (!RSA_set0_key(rsa, n, e, NULL)) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
+                   "Could not set public key.", error_cleanup);
a56c8e
+    }
a56c8e
+    n = NULL; /* ownership transferred */
a56c8e
+    e = NULL;
a56c8e
+
a56c8e
+    *evpPublicKey = EVP_PKEY_new();
a56c8e
+    goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
a56c8e
 
a56c8e
     /* Assign the parameters to the key */
a56c8e
-    if (!EVP_PKEY_assign_RSA(evpPublicKey, rsa)) {
a56c8e
+    if (!EVP_PKEY_assign_RSA(*evpPublicKey, rsa)) {
a56c8e
+        EVP_PKEY_free(*evpPublicKey);
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign rsa key",
a56c8e
                    error_cleanup);
a56c8e
     }
a56c8e
-    return TSS2_RC_SUCCESS;
a56c8e
-
a56c8e
+    rsa = NULL; /* ownership transferred */
a56c8e
 error_cleanup:
a56c8e
     OSSL_FREE(rsa, RSA);
a56c8e
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
a56c8e
+    if ((build = OSSL_PARAM_BLD_new()) == NULL
a56c8e
+            || !OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n)
a56c8e
+            || !OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp)
a56c8e
+            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key parameters",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
+
a56c8e
+    if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL
a56c8e
+            || EVP_PKEY_fromdata_init(ctx) <= 0
a56c8e
+            || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create rsa key",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
+error_cleanup:
a56c8e
+    OSSL_FREE(ctx, EVP_PKEY_CTX);
a56c8e
+    OSSL_FREE(params, OSSL_PARAM);
a56c8e
+    OSSL_FREE(build, OSSL_PARAM_BLD);
a56c8e
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
a56c8e
     OSSL_FREE(e, BN);
a56c8e
     OSSL_FREE(n, BN);
a56c8e
-    OSSL_FREE(d, BN);
a56c8e
-    OSSL_FREE(p, BN);
a56c8e
-    OSSL_FREE(q, BN);
a56c8e
-    OSSL_FREE(dmp1, BN);
a56c8e
-    OSSL_FREE(dmq1, BN);
a56c8e
-    OSSL_FREE(iqmp, BN);
a56c8e
     return r;
a56c8e
 }
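Review bot: In the pre-3.0 branch, the `EVP_PKEY_assign_RSA` failure path calls `EVP_PKEY_free(*evpPublicKey)` but leaves `*evpPublicKey` pointing at the freed object, so the caller (which now receives the key through this out-parameter) holds a dangling pointer and any cleanup-time `EVP_PKEY_free` there becomes a double free. Add `*evpPublicKey = NULL;` immediately after that `EVP_PKEY_free`. The 3.0 branch is not affected because `EVP_PKEY_fromdata` only writes the out-parameter on success. The contract "on success the caller owns `*evpPublicKey`; on failure it is left NULL" should also be stated in the Doxygen block above, which is outside the hunk.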
a56c8e
 
a56c8e
@@ -459,18 +487,26 @@ error_cleanup:
a56c8e
  *         the function.
a56c8e
  */
a56c8e
 static TSS2_RC
a56c8e
-ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
a56c8e
+ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY **evpPublicKey)
a56c8e
 {
a56c8e
     /* Check for NULL parameters */
a56c8e
     return_if_null(tpmPublicKey, "tpmPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
a56c8e
     return_if_null(evpPublicKey, "evpPublicKey is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
a56c8e
 
a56c8e
-    TSS2_RC r;
a56c8e
+    TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
     EC_GROUP *ecgroup = NULL;
a56c8e
     int curveId;
a56c8e
     BIGNUM *x = NULL, *y = NULL;
a56c8e
-    EC_KEY *ecKey = EC_KEY_new();
a56c8e
-    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
a56c8e
+    EC_POINT *ecPoint = NULL;
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    EC_KEY *ecKey = NULL;
a56c8e
+#else
a56c8e
+    OSSL_PARAM_BLD *build = NULL;
a56c8e
+    OSSL_PARAM *params = NULL;
a56c8e
+    EVP_PKEY_CTX *ctx = NULL;
a56c8e
+    unsigned char *puboct = NULL;
a56c8e
+    size_t bsize;
a56c8e
+#endif
a56c8e
 
a56c8e
     /* Find the curve of the ECC key */
a56c8e
     switch (tpmPublicKey->publicArea.parameters.eccDetail.curveID) {
a56c8e
@@ -499,12 +535,6 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
a56c8e
     goto_if_null(ecgroup, "new EC group.", TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
                   error_cleanup);
a56c8e
 
a56c8e
-    if (!EC_KEY_set_group(ecKey, ecgroup)) {
a56c8e
-        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
a56c8e
-                   error_cleanup);
a56c8e
-    }
a56c8e
-    EC_GROUP_free(ecgroup);
a56c8e
-
a56c8e
     /* Set the ECC parameters in the OpenSSL key */
a56c8e
     x = BN_bin2bn(tpmPublicKey->publicArea.unique.ecc.x.buffer,
a56c8e
                   tpmPublicKey->publicArea.unique.ecc.x.size, NULL);
a56c8e
@@ -516,23 +546,67 @@ ossl_ecc_pub_from_tpm(const TPM2B_PUBLIC *tpmPublicKey, EVP_PKEY *evpPublicKey)
a56c8e
         goto_error(r, TSS2_FAPI_RC_MEMORY, "Out of memory", error_cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    if (!EC_KEY_set_public_key_affine_coordinates(ecKey, x, y)) {
a56c8e
+    if ((ecPoint = EC_POINT_new(ecgroup)) == NULL
a56c8e
+            || !EC_POINT_set_affine_coordinates_tss(ecgroup, ecPoint, x, y, NULL)) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_POINT_set_affine_coordinates",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
+
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    ecKey = EC_KEY_new();
a56c8e
+    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
a56c8e
+
a56c8e
+    if (!EC_KEY_set_group(ecKey, ecgroup)) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "EC_KEY_set_group",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
+
a56c8e
+    if (!EC_KEY_set_public_key(ecKey, ecPoint)) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
-                   "EC_KEY_set_public_key_affine_coordinates", error_cleanup);
a56c8e
+                   "EC_KEY_set_public_key", error_cleanup);
a56c8e
     }
a56c8e
 
a56c8e
-    if (!EVP_PKEY_assign_EC_KEY(evpPublicKey, ecKey)) {
a56c8e
+    *evpPublicKey = EVP_PKEY_new();
a56c8e
+    goto_if_null2(*evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);
a56c8e
+
a56c8e
+    if (!EVP_PKEY_assign_EC_KEY(*evpPublicKey, ecKey)) {
a56c8e
+        EVP_PKEY_free(*evpPublicKey);
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Assign ecc key",
a56c8e
                    error_cleanup);
a56c8e
     }
a56c8e
-    OSSL_FREE(y, BN);
a56c8e
-    OSSL_FREE(x, BN);
a56c8e
-    return TSS2_RC_SUCCESS;
a56c8e
+    ecKey = NULL; /* ownership transferred */
a56c8e
+error_cleanup:
a56c8e
+    OSSL_FREE(ecKey, EC_KEY);
a56c8e
+#else
a56c8e
+    if ((build = OSSL_PARAM_BLD_new()) == NULL
a56c8e
+            || !OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
a56c8e
+                                                (char *)OBJ_nid2sn(curveId), 0)
a56c8e
+            || (bsize = EC_POINT_point2buf(ecgroup, ecPoint,
a56c8e
+                                           POINT_CONVERSION_COMPRESSED,
a56c8e
+                                           &puboct, NULL)) == 0
a56c8e
+            || !OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
a56c8e
+                                                 puboct, bsize)
a56c8e
+            || (params = OSSL_PARAM_BLD_to_param(build)) == NULL) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key parameters",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
 
a56c8e
+    if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL
a56c8e
+            || EVP_PKEY_fromdata_init(ctx) <= 0
a56c8e
+            || EVP_PKEY_fromdata(ctx, evpPublicKey, EVP_PKEY_PUBLIC_KEY, params) <= 0) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create ecc key",
a56c8e
+                   error_cleanup);
a56c8e
+    }
a56c8e
 error_cleanup:
a56c8e
+    EVP_PKEY_CTX_free(ctx);
a56c8e
+    OSSL_PARAM_free(params);
a56c8e
+    OSSL_PARAM_BLD_free(build);
a56c8e
+    OPENSSL_free(puboct);
a56c8e
+#endif
a56c8e
+    OSSL_FREE(ecPoint, EC_POINT);
a56c8e
+    OSSL_FREE(ecgroup, EC_GROUP);
a56c8e
     OSSL_FREE(y, BN);
a56c8e
     OSSL_FREE(x, BN);
a56c8e
-    OSSL_FREE(ecKey, EC_KEY);
a56c8e
     return r;
a56c8e
 }
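Review bot: The `return_if_null(ecKey, ...)` added after `ecKey = EC_KEY_new()` in the pre-3.0 branch returns directly and so leaks `ecgroup`, `ecPoint`, `x` and `y`, all of which are already allocated at that point; it should be `goto_if_null2(ecKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, error_cleanup);` like the `EVP_PKEY_new` check a few lines below. The same branch also leaves `*evpPublicKey` dangling after `EVP_PKEY_free(*evpPublicKey)` on `EVP_PKEY_assign_EC_KEY` failure; add `*evpPublicKey = NULL;` there so the caller cannot double-free it. Minor: this `#if OPENSSL_VERSION_NUMBER < 0x30000000` lacks the `L` suffix used by every other version guard in the patch.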
a56c8e
 
a56c8e
@@ -567,18 +641,15 @@ ifapi_pub_pem_key_from_tpm(
a56c8e
     BIO *bio = NULL;
a56c8e
     TSS2_RC r = TPM2_RC_SUCCESS;
a56c8e
 
a56c8e
-    evpPublicKey = EVP_PKEY_new();
a56c8e
-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
a56c8e
-
a56c8e
     /* Memory IO will be used for OSSL key conversion */
a56c8e
     bio = BIO_new(BIO_s_mem());
a56c8e
-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
a56c8e
+    goto_if_null2(bio, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
a56c8e
 
a56c8e
     if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
a56c8e
-        r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
a56c8e
-    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
a56c8e
-        r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
a56c8e
-    else {
a56c8e
+        r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
a56c8e
+    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
a56c8e
+        r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
a56c8e
+    } else {
a56c8e
         goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
a56c8e
     }
a56c8e
     goto_if_error(r, "Get ossl public key.", cleanup);
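Review bot: Both helpers now receive `&evpPublicKey` as an out-parameter, and on OpenSSL 3.0 `EVP_PKEY_fromdata` treats a non-NULL `*ppkey` as an existing key to populate rather than allocating a new one, so the declaration of `evpPublicKey` (above the hunk, not visible here) must read `EVP_PKEY *evpPublicKey = NULL;` now that the `EVP_PKEY_new()` that used to initialise it has been removed. The cleanup past the hunk presumably frees `evpPublicKey`; that is only safe if the helpers leave it NULL when they fail, which is worth confirming.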
a56c8e
@@ -708,7 +779,6 @@ ifapi_der_sig_to_tpm(
a56c8e
                     signatureSize);
a56c8e
         } else {
a56c8e
             return_error(TSS2_FAPI_RC_BAD_VALUE, "Invalid RSA scheme.");
a56c8e
-
a56c8e
         }
a56c8e
     } else if (tpmPublic->type == TPM2_ALG_ECC) {
a56c8e
         return ifapi_ecc_der_sig_to_tpm(signature, signatureSize,
a56c8e
@@ -856,12 +926,16 @@ ecdsa_verify_signature(
a56c8e
     return_if_null(digest, "digest is NULL", TSS2_FAPI_RC_BAD_REFERENCE);
a56c8e
 
a56c8e
     TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
-    EC_KEY *eccKey = NULL;
a56c8e
+    EVP_PKEY_CTX *ctx = NULL;
a56c8e
 
a56c8e
-    eccKey = EVP_PKEY_get1_EC_KEY(publicKey);
a56c8e
+    if ((ctx = EVP_PKEY_CTX_new(publicKey, NULL)) == NULL
a56c8e
+            || !EVP_PKEY_verify_init(ctx)) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
+                   "Cannot initialize signature verification.", error_cleanup);
a56c8e
+    }
a56c8e
 
a56c8e
     /* Try to verify the signature using ECDSA, note that param 0 is unused */
a56c8e
-    int rc = ECDSA_verify(0, digest, digestSize, signature, signatureSize, eccKey);
a56c8e
+    int rc = EVP_PKEY_verify(ctx, signature, signatureSize, digest, digestSize);
a56c8e
     if (rc == 0) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_SIGNATURE_VERIFICATION_FAILED,
a56c8e
                    "ECDSA signature verification failed.", error_cleanup);
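Review bot: `!EVP_PKEY_verify_init(ctx)` only catches a zero return, but `EVP_PKEY_verify_init` returns a negative value when the operation is not supported for the key, and `!(-1)` is false, so that failure falls through to `EVP_PKEY_verify` on an uninitialised context. Use `|| EVP_PKEY_verify_init(ctx) <= 0`, matching the `<= 0` convention the rest of the patch applies to `EVP_PKEY_fromdata_init`. The handling of a negative `rc` from `EVP_PKEY_verify` is outside the hunk and should be checked for the same reason.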
a56c8e
@@ -871,7 +945,7 @@ ecdsa_verify_signature(
a56c8e
     }
a56c8e
 
a56c8e
 error_cleanup:
a56c8e
-    OSSL_FREE(eccKey, EC_KEY);
a56c8e
+    OSSL_FREE(ctx, EVP_PKEY_CTX);
a56c8e
     return r;
a56c8e
 }
a56c8e
 
a56c8e
@@ -900,23 +974,43 @@ get_rsa_tpm2b_public_from_evp(
a56c8e
 
a56c8e
     /* Extract the public information */
a56c8e
     TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
+    int keyBits, keySize;
a56c8e
+
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
+    const BIGNUM *e = NULL, *n = NULL;
a56c8e
     RSA *rsaKey = EVP_PKEY_get1_RSA(publicKey);
a56c8e
     return_if_null(rsaKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
a56c8e
-    const BIGNUM *e = NULL, *n = NULL;
a56c8e
-    int rsaKeySize = RSA_size(rsaKey);
a56c8e
 
a56c8e
+    keySize = RSA_size(rsaKey);
a56c8e
+    keyBits = keySize * 8;
a56c8e
     RSA_get0_key(rsaKey, &n, &e, NULL);
a56c8e
-    tpmPublic->publicArea.unique.rsa.size = rsaKeySize;
a56c8e
+#else
a56c8e
+    BIGNUM *e = NULL, *n = NULL;
a56c8e
+
a56c8e
+    keyBits = EVP_PKEY_get_bits(publicKey);
a56c8e
+    keySize = (keyBits + 7) / 8;
a56c8e
+    if (!EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_N, &n)
a56c8e
+            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_RSA_E, &e)) {
a56c8e
+        goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
+                   "Retrieve pubkey", cleanup);
a56c8e
+    }
a56c8e
+#endif
a56c8e
+    tpmPublic->publicArea.unique.rsa.size = keySize;
a56c8e
     if (1 != ifapi_bn2binpad(n, &tpmPublic->publicArea.unique.rsa.buffer[0],
a56c8e
-                             rsaKeySize)) {
a56c8e
+                             keySize)) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
                    "Write big num byte buffer", cleanup);
a56c8e
     }
a56c8e
-    tpmPublic->publicArea.parameters.rsaDetail.keyBits = rsaKeySize * 8;
a56c8e
+    tpmPublic->publicArea.parameters.rsaDetail.keyBits = keyBits;
a56c8e
     tpmPublic->publicArea.parameters.rsaDetail.exponent = BN_get_word(e);
a56c8e
 
a56c8e
 cleanup:
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
a56c8e
     OSSL_FREE(rsaKey, RSA);
a56c8e
+#else
a56c8e
+    BN_free(e);
a56c8e
+    BN_free(n);
a56c8e
+#endif
a56c8e
     return r;
a56c8e
 }
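Review bot: The two branches disagree on `keyBits`: the 1.1 path derives it from `RSA_size()` (bytes × 8, always a multiple of 8), whereas the 3.0 path uses `EVP_PKEY_get_bits()`, the exact bit length of the modulus, so a key whose modulus does not fill its top byte yields e.g. 2047 in `rsaDetail.keyBits` on 3.0 and 2048 on 1.1. Compute it uniformly from the byte size in the 3.0 branch: `keySize = (EVP_PKEY_get_bits(publicKey) + 7) / 8; keyBits = keySize * 8;`. Separately, `keySize` comes from the key itself and is written straight into `unique.rsa.size` and passed to `ifapi_bn2binpad` as the output length, so unless `ifapi_bn2binpad` bounds-checks against the TPM2B buffer (its body is not in this patch), an oversized PEM key overruns `unique.rsa.buffer`; a guard `if ((size_t)keySize > sizeof(tpmPublic->publicArea.unique.rsa.buffer)) goto_error(r, TSS2_FAPI_RC_BAD_VALUE, "RSA key too large", cleanup);` before the write is cheap.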
a56c8e
 
a56c8e
@@ -947,27 +1041,22 @@ get_ecc_tpm2b_public_from_evp(
a56c8e
 
a56c8e
     /* Initialize variables that will contain the relevant information */
a56c8e
     TSS2_RC r = TSS2_RC_SUCCESS;
a56c8e
-    EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
a56c8e
-    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
a56c8e
-    const EC_GROUP *ecGroup;
a56c8e
-    const EC_POINT *publicPoint;
a56c8e
     int curveId;
a56c8e
     size_t ecKeySize;
a56c8e
     BIGNUM *bnX = NULL;
a56c8e
     BIGNUM *bnY = NULL;
a56c8e
     TPMI_ECC_CURVE tpmCurveId;
a56c8e
-
a56c8e
-    if (!ecKey) {
a56c8e
-        return_error(TSS2_FAPI_RC_GENERAL_FAILURE, "No ECC key!");
a56c8e
-    }
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    const EC_GROUP *ecGroup;
a56c8e
+    const EC_POINT *publicPoint;
a56c8e
+    EC_KEY *ecKey = EVP_PKEY_get1_EC_KEY(publicKey);
a56c8e
+    return_if_null(ecKey, "Out of memory.", TSS2_FAPI_RC_MEMORY);
a56c8e
 
a56c8e
     /* Retrieve the relevant information and write it to tpmPublic */
a56c8e
     ecGroup = EC_KEY_get0_group(ecKey);
a56c8e
     publicPoint = EC_KEY_get0_public_key(ecKey);
a56c8e
     curveId = EC_GROUP_get_curve_name(ecGroup);
a56c8e
-    ecKeySize = EC_GROUP_get_degree(ecGroup) / 8;
a56c8e
-    tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
a56c8e
-    tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
a56c8e
+    ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
a56c8e
 
a56c8e
     if (!(bnX = BN_new())) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Create bignum", cleanup);
a56c8e
@@ -982,6 +1071,23 @@ get_ecc_tpm2b_public_from_evp(
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
a56c8e
                    "Get affine coordinates", cleanup);
a56c8e
     }
a56c8e
+#else
a56c8e
+    char curveName[80];
a56c8e
+
a56c8e
+    if (!EVP_PKEY_get_utf8_string_param(publicKey, OSSL_PKEY_PARAM_GROUP_NAME,
a56c8e
+                                        curveName, sizeof(curveName), NULL)
a56c8e
+            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_X, &bnX)
a56c8e
+            || !EVP_PKEY_get_bn_param(publicKey, OSSL_PKEY_PARAM_EC_PUB_Y, &bnY)) {
a56c8e
+         goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
a56c8e
+                    "Get public key", cleanup);
a56c8e
+     }
a56c8e
+    curveId = OBJ_txt2nid(curveName);
a56c8e
+    EC_GROUP *ecGroup = EC_GROUP_new_by_curve_name(curveId);
a56c8e
+    ecKeySize = (EC_GROUP_get_degree(ecGroup) + 7) / 8;
a56c8e
+    EC_GROUP_free(ecGroup);
a56c8e
+#endif
a56c8e
+    tpmPublic->publicArea.unique.ecc.x.size = ecKeySize;
a56c8e
+    tpmPublic->publicArea.unique.ecc.y.size = ecKeySize;
a56c8e
     if (1 != ifapi_bn2binpad(bnX, &tpmPublic->publicArea.unique.ecc.x.buffer[0],
a56c8e
                              ecKeySize)) {
a56c8e
         goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE,
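Review bot: `EC_GROUP_new_by_curve_name(curveId)` in the OpenSSL 3.0 branch is not checked for NULL, so when `OBJ_txt2nid(curveName)` yields NID_undef for a group name the library does not know, `EC_GROUP_get_degree(ecGroup)` dereferences a null pointer. The same branch reports `TSS2_ESYS_RC_GENERAL_FAILURE` from a FAPI function while the rest of the file uses `TSS2_FAPI_RC_GENERAL_FAILURE`, and its goto_error is indented one column off the surrounding code. Suggest `if (!ecGroup) goto_error(r, TSS2_FAPI_RC_GENERAL_FAILURE, "Unknown curve", cleanup);` right after the EC_GROUP_new_by_curve_name call and the FAPI return code in the param-retrieval error. get_ecc_tpm2b_public_from_evp starts before this hunk and continues after it.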
a56c8e
@@ -1015,7 +1121,9 @@ get_ecc_tpm2b_public_from_evp(
a56c8e
     tpmPublic->publicArea.parameters.eccDetail.curveID = tpmCurveId;
a56c8e
 
a56c8e
 cleanup:
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
     OSSL_FREE(ecKey, EC_KEY);
a56c8e
+#endif
a56c8e
     OSSL_FREE(bnX, BN);
a56c8e
     OSSL_FREE(bnY, BN);
a56c8e
     return r;
a56c8e
@@ -2077,14 +2185,11 @@ ifapi_get_tpm_key_fingerprint(
a56c8e
                    "Unsupported hash algorithm (%" PRIu16 ")", cleanup,
a56c8e
                    hashAlg);
a56c8e
 
a56c8e
-    evpPublicKey = EVP_PKEY_new();
a56c8e
-    goto_if_null2(evpPublicKey, "Out of memory.", r, TSS2_FAPI_RC_MEMORY, cleanup);
a56c8e
-
a56c8e
     if (tpmPublicKey->publicArea.type == TPM2_ALG_RSA) {
a56c8e
-        r = ossl_rsa_pub_from_tpm(tpmPublicKey, evpPublicKey);
a56c8e
-    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC)
a56c8e
-        r = ossl_ecc_pub_from_tpm(tpmPublicKey, evpPublicKey);
a56c8e
-    else {
a56c8e
+        r = ossl_rsa_pub_from_tpm(tpmPublicKey, &evpPublicKey);
a56c8e
+    } else if (tpmPublicKey->publicArea.type == TPM2_ALG_ECC) {
a56c8e
+        r = ossl_ecc_pub_from_tpm(tpmPublicKey, &evpPublicKey);
a56c8e
+    } else {
a56c8e
         goto_error(r,TSS2_FAPI_RC_BAD_VALUE, "Invalid alg id.", cleanup);
a56c8e
     }
a56c8e
     goto_if_error(r, "Get ossl public key.", cleanup);
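Review bot: `evpPublicKey` is no longer allocated here but filled through the new out-parameter of `ossl_rsa_pub_from_tpm`/`ossl_ecc_pub_from_tpm`, so the paths that jump to cleanup before that point (the unsupported-hash goto above and the invalid-alg-id branch) reach cleanup with whatever the declaration holds; the declaration and cleanup are outside this hunk, so please confirm it reads `EVP_PKEY *evpPublicKey = NULL;` and that cleanup presumably frees it with EVP_PKEY_free, which is safe on NULL. The ownership change deserves a comment at the callee declarations, e.g. `/* on success *evpPublicKey is newly allocated and owned by the caller */`. ifapi_get_tpm_key_fingerprint begins and ends outside the hunk.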
a56c8e
diff --git a/test/helper/tpm_getek.c b/test/helper/tpm_getek.c
a56c8e
index c6a8e906..67f76b6a 100644
a56c8e
--- a/test/helper/tpm_getek.c
a56c8e
+++ b/test/helper/tpm_getek.c
a56c8e
@@ -7,8 +7,14 @@
a56c8e
 #include <stdio.h>
a56c8e
 #include <inttypes.h>
a56c8e
 #include <openssl/evp.h>
a56c8e
-#include <openssl/rsa.h>
a56c8e
 #include <openssl/pem.h>
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+#include <openssl/rsa.h>
a56c8e
+#else
a56c8e
+#include <openssl/core_names.h>
a56c8e
+#include <openssl/params.h>
a56c8e
+#include <openssl/param_build.h>
a56c8e
+#endif
a56c8e
 
a56c8e
 #include "tss2_sys.h"
a56c8e
 #include "tss2_mu.h"
a56c8e
@@ -109,7 +115,7 @@ main (int argc, char *argv[])
a56c8e
 
a56c8e
     /* Convert the key from out_public to PEM */
a56c8e
 
a56c8e
-    EVP_PKEY *evp = EVP_PKEY_new();
a56c8e
+    EVP_PKEY *evp = NULL;
a56c8e
     BIO *bio;
a56c8e
     FILE *out = NULL;
a56c8e
 
a56c8e
@@ -124,34 +130,35 @@ main (int argc, char *argv[])
a56c8e
     else
a56c8e
         bio = BIO_new_fp(stdout, BIO_NOCLOSE);
a56c8e
 
a56c8e
-    RSA *rsa = RSA_new();
a56c8e
-    BIGNUM *e = BN_new();
a56c8e
-    BIGNUM *d = BN_new();
a56c8e
-    BIGNUM *p = BN_new();
a56c8e
-    BIGNUM *q = BN_new();
a56c8e
-    BIGNUM *dmp1 = BN_new();
a56c8e
-    BIGNUM *dmq1 = BN_new();
a56c8e
-    BIGNUM *iqmp = BN_new();
a56c8e
     BIGNUM *n = BN_bin2bn(out_public.publicArea.unique.rsa.buffer,
a56c8e
                           out_public.publicArea.unique.rsa.size, NULL);
a56c8e
-    BN_set_word(d, 0);
a56c8e
-    BN_set_word(p, 0);
a56c8e
-    BN_set_word(q, 0);
a56c8e
-    BN_set_word(dmp1, 0);
a56c8e
-    BN_set_word(dmq1, 0);
a56c8e
-    BN_set_word(iqmp, 0);
a56c8e
     uint32_t exp;
a56c8e
     if (out_public.publicArea.parameters.rsaDetail.exponent == 0)
a56c8e
         exp = 65537;
a56c8e
     else
a56c8e
         exp = out_public.publicArea.parameters.rsaDetail.exponent;
a56c8e
+
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    BIGNUM *e = BN_new();
a56c8e
     BN_set_word(e, exp);
a56c8e
 
a56c8e
-    RSA_set0_key(rsa, n, e, d);
a56c8e
-    RSA_set0_factors(rsa, p, q);
a56c8e
-    RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp);
a56c8e
+    RSA *rsa = RSA_new();
a56c8e
+    RSA_set0_key(rsa, n, e, NULL);
a56c8e
+    n = NULL;
a56c8e
+    e = NULL;
a56c8e
 
a56c8e
+    evp = EVP_PKEY_new();
a56c8e
     EVP_PKEY_assign_RSA(evp, rsa);
a56c8e
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
a56c8e
+    OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
a56c8e
+    OSSL_PARAM_BLD_push_BN(build, OSSL_PKEY_PARAM_RSA_N, n);
a56c8e
+    OSSL_PARAM_BLD_push_uint32(build, OSSL_PKEY_PARAM_RSA_E, exp);
a56c8e
+    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
a56c8e
+
a56c8e
+    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
a56c8e
+    EVP_PKEY_fromdata_init(ctx);
a56c8e
+    EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
a56c8e
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
a56c8e
 
a56c8e
     if (!PEM_write_bio_PUBKEY(bio, evp)) {
a56c8e
         LOG_ERROR("PEM_write failed");
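Review bot: The OpenSSL 3.0 branch never checks `OSSL_PARAM_BLD_new`, `OSSL_PARAM_BLD_to_param`, `EVP_PKEY_CTX_new_from_name`, `EVP_PKEY_fromdata_init` or `EVP_PKEY_fromdata`, so a failure leaves `evp` NULL and surfaces only as the generic "PEM_write failed" from `PEM_write_bio_PUBKEY(bio, NULL)`; the 1.1.x branch likewise ignores `RSA_set0_key` and `EVP_PKEY_assign_RSA`. If this helper exits on error as tpm_getek_ecc.c does, the same shape fits: `if (EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params) <= 0 || !evp) { LOG_ERROR("EVP_PKEY_fromdata failed"); exit(1); }`, with the earlier steps folded into the same condition. `OSSL_PARAM_BLD_push_BN` only records a pointer to `n`, so `n` must stay alive until `OSSL_PARAM_BLD_to_param` — it does here, but a one-line comment saying so would help the next reader. main starts before this hunk and continues past it.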
a56c8e
@@ -159,6 +166,14 @@ main (int argc, char *argv[])
a56c8e
     }
a56c8e
 
a56c8e
     EVP_PKEY_free(evp);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    /* ownership was taken by the EVP_PKEY */
a56c8e
+#else
a56c8e
+    EVP_PKEY_CTX_free(ctx);
a56c8e
+    OSSL_PARAM_free(params);
a56c8e
+    OSSL_PARAM_BLD_free(build);
a56c8e
+#endif
a56c8e
+    BN_free(n);
a56c8e
     BIO_free(bio);
a56c8e
     fclose(out);
a56c8e
 
a56c8e
diff --git a/test/helper/tpm_getek_ecc.c b/test/helper/tpm_getek_ecc.c
a56c8e
index 75165fdd..d4602925 100644
a56c8e
--- a/test/helper/tpm_getek_ecc.c
a56c8e
+++ b/test/helper/tpm_getek_ecc.c
a56c8e
@@ -7,9 +7,15 @@
a56c8e
 #include <stdio.h>
a56c8e
 #include <inttypes.h>
a56c8e
 #include <openssl/evp.h>
a56c8e
-#include <openssl/rsa.h>
a56c8e
 #include <openssl/pem.h>
a56c8e
 #include <openssl/err.h>
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+#include <openssl/ec.h>
a56c8e
+#else
a56c8e
+#include <openssl/core_names.h>
a56c8e
+#include <openssl/params.h>
a56c8e
+#include <openssl/param_build.h>
a56c8e
+#endif
a56c8e
 #include <string.h>
a56c8e
 
a56c8e
 #include "tss2_sys.h"
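Review bot: The OpenSSL 3.0 side of this `#if` omits `<openssl/ec.h>`, yet the 3.0 code path added later in main still calls `EC_GROUP_new_by_curve_name`, `EC_POINT_new`, `EC_POINT_set_affine_coordinates` and `EC_POINT_point2buf`, and `OBJ_nid2sn` needs `<openssl/objects.h>`; the EC_GROUP/EC_POINT API is not deprecated in 3.0 (only EC_KEY is), so the header belongs outside the version guard. It presumably compiles today only because `<openssl/pem.h>` pulls in x509.h and thereby ec.h, a transitive include the file should not rely on. Suggest `#include <openssl/ec.h>` and `#include <openssl/objects.h>` unconditionally, keeping just the core_names/params/param_build trio under `#else`.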
a56c8e
@@ -127,8 +133,7 @@ main (int argc, char *argv[])
a56c8e
 
a56c8e
     /* Convert the key from out_public to PEM */
a56c8e
 
a56c8e
-    EVP_PKEY *evp = EVP_PKEY_new();
a56c8e
-    EC_KEY *ecc_key = EC_KEY_new();
a56c8e
+    EVP_PKEY *evp = NULL;
a56c8e
     BIGNUM *x = NULL, *y = NULL;
a56c8e
     BIO *bio;
a56c8e
     FILE *out = NULL;
a56c8e
@@ -148,11 +153,6 @@ main (int argc, char *argv[])
a56c8e
     nid = EC_curve_nist2nid("P-256");
a56c8e
     EC_GROUP *ecgroup = EC_GROUP_new_by_curve_name(nid);
a56c8e
 
a56c8e
-    if (!EC_KEY_set_group(ecc_key, ecgroup))
a56c8e
-        exit(1);
a56c8e
-
a56c8e
-    EC_GROUP_free(ecgroup);
a56c8e
-
a56c8e
     /* Set the ECC parameters in the OpenSSL key */
a56c8e
     x = BN_bin2bn(out_public.publicArea.unique.ecc.x.buffer,
a56c8e
                   out_public.publicArea.unique.ecc.x.size, NULL);
a56c8e
@@ -164,15 +164,46 @@ main (int argc, char *argv[])
a56c8e
         exit(1);
a56c8e
     }
a56c8e
 
a56c8e
-    if (!EC_KEY_set_public_key_affine_coordinates(ecc_key, x, y)) {
a56c8e
+    EC_POINT *point = EC_POINT_new(ecgroup);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
a56c8e
+    EC_POINT_set_affine_coordinates_GFp(ecgroup, point, x, y, NULL);
a56c8e
+#else
a56c8e
+    EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL);
a56c8e
+#endif
a56c8e
+
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    EC_KEY *ecc_key = EC_KEY_new();
a56c8e
+    if (!EC_KEY_set_group(ecc_key, ecgroup))
a56c8e
+        exit(1);
a56c8e
+
a56c8e
+    if (!EC_KEY_set_public_key(ecc_key, point)) {
a56c8e
         exit(1);
a56c8e
     }
a56c8e
 
a56c8e
+    evp = EVP_PKEY_new();
a56c8e
     if (!EVP_PKEY_assign_EC_KEY(evp, ecc_key)) {
a56c8e
         handleErrors();
a56c8e
         LOG_ERROR("PEM_write failed");
a56c8e
         exit(1);
a56c8e
     }
a56c8e
+#else /* OPENSSL_VERSION_NUMBER < 0x30000000 */
a56c8e
+    unsigned char *puboct = NULL;
a56c8e
+    size_t bsize;
a56c8e
+
a56c8e
+    bsize = EC_POINT_point2buf(ecgroup, point, POINT_CONVERSION_UNCOMPRESSED,
a56c8e
+                               &puboct, NULL);
a56c8e
+
a56c8e
+    OSSL_PARAM_BLD *build = OSSL_PARAM_BLD_new();
a56c8e
+    OSSL_PARAM_BLD_push_utf8_string(build, OSSL_PKEY_PARAM_GROUP_NAME,
a56c8e
+                                    (char *)OBJ_nid2sn(nid), 0);
a56c8e
+    OSSL_PARAM_BLD_push_octet_string(build, OSSL_PKEY_PARAM_PUB_KEY,
a56c8e
+                                     puboct, bsize);
a56c8e
+    OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(build);
a56c8e
+
a56c8e
+    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
a56c8e
+    EVP_PKEY_fromdata_init(ctx);
a56c8e
+    EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params);
a56c8e
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000 */
a56c8e
 
a56c8e
     if (!PEM_write_bio_PUBKEY(bio, evp)) {
a56c8e
         handleErrors();
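Review bot: The return value of `EC_POINT_set_affine_coordinates` (and its `_GFp` variant) is discarded, whereas the replaced `EC_KEY_set_public_key_affine_coordinates` call was checked and rejected coordinates that are not on the curve; since OpenSSL 1.1.1 that on-curve check lives inside EC_POINT_set_affine_coordinates and its failure is now silently ignored, so a malformed TPM response turns into a bogus PEM. The 3.0 branch additionally ignores `EC_POINT_new` returning NULL, `EC_POINT_point2buf` returning 0, and the whole fromdata chain, leaving `evp` NULL on failure. The `exit(1)` pattern the file already uses fits in both #if arms, e.g. `if (!EC_POINT_set_affine_coordinates(ecgroup, point, x, y, NULL)) exit(1);` and `if (EVP_PKEY_fromdata(ctx, &evp, EVP_PKEY_PUBLIC_KEY, params) <= 0 || !evp) { handleErrors(); exit(1); }` after the fromdata call. main begins before this hunk and ends after it.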
a56c8e
@@ -180,9 +211,19 @@ main (int argc, char *argv[])
a56c8e
         exit(1);
a56c8e
     }
a56c8e
 
a56c8e
+    EVP_PKEY_free(evp);
a56c8e
+#if OPENSSL_VERSION_NUMBER < 0x30000000
a56c8e
+    /* ownership was taken by the EVP_PKEY */
a56c8e
+#else
a56c8e
+    EVP_PKEY_CTX_free(ctx);
a56c8e
+    OSSL_PARAM_free(params);
a56c8e
+    OSSL_PARAM_BLD_free(build);
a56c8e
+    OPENSSL_free(puboct);
a56c8e
+#endif
a56c8e
+    EC_POINT_free(point);
a56c8e
+    EC_GROUP_free(ecgroup);
a56c8e
     BN_free(y);
a56c8e
     BN_free(x);
a56c8e
-    EVP_PKEY_free(evp);
a56c8e
     BIO_free(bio);
a56c8e
     fclose(out);
a56c8e
 
a56c8e
-- 
a56c8e
2.26.3
a56c8e