From 6372546998dc89ac5edb0d5ede28c0317da4caac Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 14 Jul 2015 15:17:31 +0200
Subject: [PATCH] No longer require trousers as dependency for main library.

The libtspi is loaded dynamically when needed.
---
 gnutls-3.4.3-no-trousers.patch | 669 +++++++++++++++++++++++++++++++++
 gnutls.spec                    |  18 +-
 2 files changed, 684 insertions(+), 3 deletions(-)
 create mode 100644 gnutls-3.4.3-no-trousers.patch

diff --git a/gnutls-3.4.3-no-trousers.patch b/gnutls-3.4.3-no-trousers.patch
new file mode 100644
index 0000000..e6c6573
--- /dev/null
+++ b/gnutls-3.4.3-no-trousers.patch
@@ -0,0 +1,669 @@
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index f19935d..9e5078d 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -137,7 +137,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
+ 	auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
+ 	extras/libgnutls_extras.la
+ thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \
+-	$(LTLIBICONV) $(P11_KIT_LIBS) $(LIB_SELECT) $(TSS_LIBS)
++	$(LTLIBICONV) $(P11_KIT_LIBS) $(LIB_SELECT)
+ 
+ if HAVE_LIBIDN
+ thirdparty_libadd += $(LIBIDN_LIBS)
+diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
+index 6c4e458..9838b75 100644
+--- a/lib/gnutls_errors.c
++++ b/lib/gnutls_errors.c
+@@ -288,6 +288,8 @@ static const gnutls_error_entry error_entries[] = {
+ 
+ 	ERROR_ENTRY(N_("TPM error."),
+ 		    GNUTLS_E_TPM_ERROR),
++	ERROR_ENTRY(N_("The TPM library (trousers) cannot be found."),
++		    GNUTLS_E_TPM_NO_LIB),
+ 	ERROR_ENTRY(N_("TPM is not initialized."),
+ 		    GNUTLS_E_TPM_UNINITIALIZED),
+ 	ERROR_ENTRY(N_("TPM key was not found in persistent storage."),
+diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
+index f177405..0fc50db 100644
+--- a/lib/gnutls_global.c
++++ b/lib/gnutls_global.c
+@@ -402,6 +402,9 @@ static void _gnutls_global_deinit(unsigned destructor)
+ 			gnutls_pkcs11_deinit();
+ 		}
+ #endif
++#ifdef HAVE_TROUSERS
++		_gnutls_tpm_global_deinit();
++#endif
+ 
+ 		gnutls_mutex_deinit(&_gnutls_file_mutex);
+ 		gnutls_mutex_deinit(&_gnutls_pkcs11_mutex);
+diff --git a/lib/gnutls_global.h b/lib/gnutls_global.h
+index 31e759e..e1a8f2e 100644
+--- a/lib/gnutls_global.h
++++ b/lib/gnutls_global.h
+@@ -43,5 +43,6 @@ extern gnutls_audit_log_func _gnutls_audit_log_func;
+ extern int _gnutls_log_level;
+ extern int gnutls_crypto_init(void);
+ extern void gnutls_crypto_deinit(void);
++extern void _gnutls_tpm_global_deinit(void);
+ 
+ #endif
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 305ef0d..a1c688c 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -2510,6 +2510,7 @@ int gnutls_fips140_mode_enabled(void);
+ #define GNUTLS_E_TPM_SESSION_ERROR -332
+ #define GNUTLS_E_TPM_KEY_NOT_FOUND -333
+ #define GNUTLS_E_TPM_UNINITIALIZED -334
++#define GNUTLS_E_TPM_NO_LIB -335
+ 
+ #define GNUTLS_E_NO_CERTIFICATE_STATUS -340
+ #define GNUTLS_E_OCSP_RESPONSE_ERROR -341
+diff --git a/lib/tpm.c b/lib/tpm.c
+index 41a238b..f5613c5 100644
+--- a/lib/tpm.c
++++ b/lib/tpm.c
+@@ -3,6 +3,7 @@
+  *
+  * Copyright © 2012 Free Software Foundation.
+  * Copyright © 2008-2012 Intel Corporation.
++ * Copyright © 2015 Red Hat, Inc.
+  *
+  * Author: David Woodhouse <dwmw2@infradead.org>
+  * Author: Nikos Mavrogiannopoulos
+@@ -43,9 +44,134 @@
+ #include <pin.h>
+ #include <c-ctype.h>
+ 
++#include <dlfcn.h>
+ #include <trousers/tss.h>
+ #include <trousers/trousers.h>
+ 
++typedef char *(*Trspi_Error_Layer_func)(TSS_RESULT);
++typedef char *(*Trspi_Error_String_func)(TSS_RESULT);
++typedef TSS_RESULT (*Trspi_Error_Code_func)(TSS_RESULT);
++
++typedef TSS_RESULT (*Tspi_Context_CloseObject_func)(TSS_HCONTEXT, TSS_HOBJECT);
++typedef TSS_RESULT (*Tspi_Context_Close_func)(TSS_HCONTEXT);
++typedef TSS_RESULT (*Tspi_Context_CreateObject_func)(TSS_HCONTEXT, TSS_FLAG, TSS_FLAG, TSS_HOBJECT*);
++typedef TSS_RESULT (*Tspi_Context_FreeMemory_func)(TSS_HCONTEXT, BYTE*);
++typedef TSS_RESULT (*Tspi_Context_GetTpmObject_func)(TSS_HCONTEXT, TSS_HTPM*);
++typedef TSS_RESULT (*Tspi_Context_LoadKeyByUUID_func)(TSS_HCONTEXT, TSS_FLAG, TSS_UUID, TSS_HKEY*);
++typedef TSS_RESULT (*Tspi_Context_RegisterKey_func)(TSS_HCONTEXT, TSS_HKEY, TSS_FLAG, TSS_UUID, TSS_FLAG, TSS_UUID);
++typedef TSS_RESULT (*Tspi_Context_UnregisterKey_func)(TSS_HCONTEXT, TSS_FLAG, TSS_UUID, TSS_HKEY*);
++typedef TSS_RESULT (*Tspi_Key_CreateKey_func)(TSS_HKEY, TSS_HKEY, TSS_HPCRS);
++typedef TSS_RESULT (*Tspi_Hash_SetHashValue_func)(TSS_HHASH, UINT32, BYTE*);
++typedef TSS_RESULT (*Tspi_Hash_Sign_func)(TSS_HHASH, TSS_HKEY, UINT32*, BYTE**);
++typedef TSS_RESULT (*Tspi_Policy_SetSecret_func)(TSS_HPOLICY, TSS_FLAG, UINT32, BYTE*);
++typedef TSS_RESULT (*Tspi_Context_Create_func)(TSS_HCONTEXT*);
++typedef TSS_RESULT (*Tspi_Context_Connect_func)(TSS_HCONTEXT, TSS_UNICODE*);
++typedef TSS_RESULT (*Tspi_GetPolicyObject_func)(TSS_HOBJECT, TSS_FLAG, TSS_HPOLICY*);
++typedef TSS_RESULT (*Tspi_DecodeBER_TssBlob_func)(UINT32, BYTE*, UINT32*, UINT32*, BYTE*);
++typedef TSS_RESULT (*Tspi_Context_LoadKeyByBlob_func)(TSS_HCONTEXT, TSS_HKEY, UINT32, BYTE*, TSS_HKEY*);
++typedef TSS_RESULT (*Tspi_Policy_AssignToObject_func)(TSS_HPOLICY, TSS_HOBJECT);
++typedef TSS_RESULT (*Tspi_GetAttribData_func)(TSS_HOBJECT, TSS_FLAG, TSS_FLAG, UINT32*, BYTE**);
++typedef TSS_RESULT (*Tspi_Context_GetTpmObject_func)(TSS_HCONTEXT, TSS_HTPM*);
++typedef TSS_RESULT (*Tspi_TPM_StirRandom_func)(TSS_HTPM, UINT32, BYTE*);
++typedef TSS_RESULT (*Tspi_SetAttribUint32_func)(TSS_HOBJECT, TSS_FLAG, TSS_FLAG, UINT32);
++typedef TSS_RESULT (*Tspi_EncodeDER_TssBlob_func)(UINT32, BYTE*, UINT32, UINT32*, BYTE*);
++typedef TSS_RESULT (*Tspi_Context_GetRegisteredKeysByUUID2_func)(TSS_HCONTEXT, TSS_FLAG, TSS_UUID*, UINT32*, TSS_KM_KEYINFO2**);
++
++static Tspi_Context_CloseObject_func pTspi_Context_CloseObject;
++static Tspi_Context_Close_func pTspi_Context_Close;
++static Tspi_Context_CreateObject_func pTspi_Context_CreateObject;
++static Tspi_Context_FreeMemory_func pTspi_Context_FreeMemory;
++static Tspi_Context_GetTpmObject_func pTspi_Context_GetTpmObject;
++static Tspi_Context_LoadKeyByUUID_func pTspi_Context_LoadKeyByUUID;
++static Tspi_Context_RegisterKey_func pTspi_Context_RegisterKey;
++static Tspi_Context_UnregisterKey_func pTspi_Context_UnregisterKey;
++static Tspi_Key_CreateKey_func pTspi_Key_CreateKey;
++static Tspi_Hash_SetHashValue_func pTspi_Hash_SetHashValue;
++static Tspi_Hash_Sign_func pTspi_Hash_Sign;
++static Tspi_Policy_SetSecret_func pTspi_Policy_SetSecret;
++static Tspi_Context_Create_func pTspi_Context_Create;
++static Tspi_Context_Connect_func pTspi_Context_Connect;
++static Tspi_GetPolicyObject_func pTspi_GetPolicyObject;
++static Tspi_DecodeBER_TssBlob_func pTspi_DecodeBER_TssBlob;
++static Tspi_Context_LoadKeyByBlob_func pTspi_Context_LoadKeyByBlob;
++static Tspi_Policy_AssignToObject_func pTspi_Policy_AssignToObject;
++static Tspi_GetAttribData_func pTspi_GetAttribData;
++static Tspi_Context_GetTpmObject_func pTspi_Context_GetTpmObject;
++static Tspi_TPM_StirRandom_func pTspi_TPM_StirRandom;
++static Tspi_SetAttribUint32_func pTspi_SetAttribUint32;
++static Tspi_EncodeDER_TssBlob_func pTspi_EncodeDER_TssBlob;
++static Tspi_Context_GetRegisteredKeysByUUID2_func pTspi_Context_GetRegisteredKeysByUUID2;
++
++static Trspi_Error_Layer_func pTrspi_Error_Layer;
++static Trspi_Error_String_func pTrspi_Error_String;
++static Trspi_Error_Code_func pTrspi_Error_Code;
++
++static void *tpm_dl = NULL;
++
++#define _DLSYM(dl, sym) \
++	p##sym = dlsym(dl, #sym); \
++	if (p##sym == NULL) { \
++		dlclose(dl); \
++		dl = NULL; \
++		return -1; \
++	}
++
++static int check_init(void)
++{
++	if (tpm_dl == NULL) {
++		tpm_dl = dlopen(TROUSERS_LIB, RTLD_LAZY);
++		if (tpm_dl == NULL) {
++			_gnutls_debug_log("couldn't open %s\n", TROUSERS_LIB);
++			return -1;
++		}
++
++		_DLSYM(tpm_dl,Tspi_Context_CloseObject);
++		_DLSYM(tpm_dl,Tspi_Context_Close);
++		_DLSYM(tpm_dl,Tspi_Context_CreateObject);
++		_DLSYM(tpm_dl,Tspi_Context_FreeMemory);
++		_DLSYM(tpm_dl,Tspi_Context_GetTpmObject);
++		_DLSYM(tpm_dl,Tspi_Context_LoadKeyByUUID);
++		_DLSYM(tpm_dl,Tspi_Context_RegisterKey);
++		_DLSYM(tpm_dl,Tspi_Context_UnregisterKey);
++		_DLSYM(tpm_dl,Tspi_Key_CreateKey);
++		_DLSYM(tpm_dl,Tspi_Hash_SetHashValue);
++		_DLSYM(tpm_dl,Tspi_Hash_Sign);
++		_DLSYM(tpm_dl,Tspi_Policy_SetSecret);
++		_DLSYM(tpm_dl,Tspi_Context_Create);
++		_DLSYM(tpm_dl,Tspi_Context_Connect);
++		_DLSYM(tpm_dl,Tspi_GetPolicyObject);
++		_DLSYM(tpm_dl,Tspi_DecodeBER_TssBlob);
++		_DLSYM(tpm_dl,Tspi_Context_LoadKeyByBlob);
++		_DLSYM(tpm_dl,Tspi_Policy_AssignToObject);
++		_DLSYM(tpm_dl,Tspi_GetAttribData);
++		_DLSYM(tpm_dl,Tspi_Context_GetTpmObject);
++		_DLSYM(tpm_dl,Tspi_TPM_StirRandom);
++		_DLSYM(tpm_dl,Tspi_SetAttribUint32);
++		_DLSYM(tpm_dl,Tspi_EncodeDER_TssBlob);
++		_DLSYM(tpm_dl,Tspi_Context_GetRegisteredKeysByUUID2);
++
++		_DLSYM(tpm_dl,Trspi_Error_Layer);
++		_DLSYM(tpm_dl,Trspi_Error_String);
++		_DLSYM(tpm_dl,Trspi_Error_Code);
++	}
++
++	return 0;
++}
++
++#define CHECK_INIT \
++		if (check_init() < 0) return gnutls_assert_val(GNUTLS_E_TPM_NO_LIB)
++
++#define CHECK_INIT_VOID \
++		if (check_init() < 0) return
++
++void _gnutls_tpm_global_deinit(void)
++{
++	if (tpm_dl) {
++		dlclose(tpm_dl);
++		tpm_dl = NULL;
++	}
++}
++
+ struct tpm_ctx_st {
+ 	TSS_HCONTEXT tpm_ctx;
+ 	TSS_HKEY tpm_key;
+@@ -83,8 +209,8 @@ static int encode_tpmkey_url(char **url, const TSS_UUID * uuid,
+ static int tss_err_pwd(TSS_RESULT err, int pwd_error)
+ {
+ 	_gnutls_debug_log("TPM (%s) error: %s (%x)\n",
+-			  Trspi_Error_Layer(err), Trspi_Error_String(err),
+-			  (unsigned int) Trspi_Error_Code(err));
++			  pTrspi_Error_Layer(err), pTrspi_Error_String(err),
++			  (unsigned int) pTrspi_Error_Code(err));
+ 
+ 	switch (ERROR_LAYER(err)) {
+ 	case TSS_LAYER_TPM:
+@@ -121,8 +247,8 @@ static void tpm_deinit_fn(gnutls_privkey_t key, void *_s)
+ {
+ 	struct tpm_ctx_st *s = _s;
+ 
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
+ 
+ 	tpm_close_session(s);
+ 	gnutls_free(s);
+@@ -140,31 +266,31 @@ tpm_sign_fn(gnutls_privkey_t key, void *_s,
+ 			  data->size);
+ 
+ 	err =
+-	    Tspi_Context_CreateObject(s->tpm_ctx,
++	    pTspi_Context_CreateObject(s->tpm_ctx,
+ 				      TSS_OBJECT_TYPE_HASH, TSS_HASH_OTHER,
+ 				      &hash);
+ 	if (err) {
+ 		gnutls_assert();
+ 		_gnutls_debug_log("Failed to create TPM hash object: %s\n",
+-				  Trspi_Error_String(err));
++				  pTrspi_Error_String(err));
+ 		return GNUTLS_E_PK_SIGN_FAILED;
+ 	}
+-	err = Tspi_Hash_SetHashValue(hash, data->size, data->data);
++	err = pTspi_Hash_SetHashValue(hash, data->size, data->data);
+ 	if (err) {
+ 		gnutls_assert();
+ 		_gnutls_debug_log
+ 		    ("Failed to set value in TPM hash object: %s\n",
+-		     Trspi_Error_String(err));
+-		Tspi_Context_CloseObject(s->tpm_ctx, hash);
++		     pTrspi_Error_String(err));
++		pTspi_Context_CloseObject(s->tpm_ctx, hash);
+ 		return GNUTLS_E_PK_SIGN_FAILED;
+ 	}
+-	err = Tspi_Hash_Sign(hash, s->tpm_key, &sig->size, &sig->data);
+-	Tspi_Context_CloseObject(s->tpm_ctx, hash);
++	err = pTspi_Hash_Sign(hash, s->tpm_key, &sig->size, &sig->data);
++	pTspi_Context_CloseObject(s->tpm_ctx, hash);
+ 	if (err) {
+ 		if (s->tpm_key_policy || err != TPM_E_AUTHFAIL)
+ 			_gnutls_debug_log
+ 			    ("TPM hash signature failed: %s\n",
+-			     Trspi_Error_String(err));
++			     pTrspi_Error_String(err));
+ 		if (err == TPM_E_AUTHFAIL)
+ 			return GNUTLS_E_TPM_KEY_PASSWORD_ERROR;
+ 		else
+@@ -226,13 +352,13 @@ static TSS_RESULT myTspi_Policy_SetSecret(TSS_HPOLICY hPolicy,
+ {
+ 	if (rgbSecret == NULL) {
+ 		/* Well known NULL key */
+-		return Tspi_Policy_SetSecret(hPolicy,
++		return pTspi_Policy_SetSecret(hPolicy,
+ 					     TSS_SECRET_MODE_SHA1,
+ 					     sizeof(nullpass),
+ 					     (BYTE *) nullpass);
+ 	} else {		/* key is given */
+ 
+-		return Tspi_Policy_SetSecret(hPolicy,
++		return pTspi_Policy_SetSecret(hPolicy,
+ 					     TSS_SECRET_MODE_PLAIN,
+ 					     ulSecretLength, rgbSecret);
+ 	}
+@@ -244,13 +370,13 @@ static int tpm_open_session(struct tpm_ctx_st *s, const char *srk_password)
+ {
+ 	int err, ret;
+ 
+-	err = Tspi_Context_Create(&s->tpm_ctx);
++	err = pTspi_Context_Create(&s->tpm_ctx);
+ 	if (err) {
+ 		gnutls_assert();
+ 		return tss_err(err);
+ 	}
+ 
+-	err = Tspi_Context_Connect(s->tpm_ctx, NULL);
++	err = pTspi_Context_Connect(s->tpm_ctx, NULL);
+ 	if (err) {
+ 		gnutls_assert();
+ 		ret = tss_err(err);
+@@ -258,7 +384,7 @@ static int tpm_open_session(struct tpm_ctx_st *s, const char *srk_password)
+ 	}
+ 
+ 	err =
+-	    Tspi_Context_LoadKeyByUUID(s->tpm_ctx, TSS_PS_TYPE_SYSTEM,
++	    pTspi_Context_LoadKeyByUUID(s->tpm_ctx, TSS_PS_TYPE_SYSTEM,
+ 				       srk_uuid, &s->srk);
+ 	if (err) {
+ 		gnutls_assert();
+@@ -267,7 +393,7 @@ static int tpm_open_session(struct tpm_ctx_st *s, const char *srk_password)
+ 	}
+ 
+ 	err =
+-	    Tspi_GetPolicyObject(s->srk, TSS_POLICY_USAGE, &s->srk_policy);
++	    pTspi_GetPolicyObject(s->srk, TSS_POLICY_USAGE, &s->srk_policy);
+ 	if (err) {
+ 		gnutls_assert();
+ 		ret = tss_err(err);
+@@ -286,13 +412,13 @@ static int tpm_open_session(struct tpm_ctx_st *s, const char *srk_password)
+ 	return 0;
+ 
+       out_srkpol:
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->srk_policy);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->srk_policy);
+ 	s->srk_policy = 0;
+       out_srk:
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->srk);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->srk);
+ 	s->srk = 0;
+       out_tspi_ctx:
+-	Tspi_Context_Close(s->tpm_ctx);
++	pTspi_Context_Close(s->tpm_ctx);
+ 	s->tpm_ctx = 0;
+ 	return ret;
+ 
+@@ -300,11 +426,11 @@ static int tpm_open_session(struct tpm_ctx_st *s, const char *srk_password)
+ 
+ static void tpm_close_session(struct tpm_ctx_st *s)
+ {
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->srk_policy);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->srk_policy);
+ 	s->srk_policy = 0;
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->srk);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->srk);
+ 	s->srk = 0;
+-	Tspi_Context_Close(s->tpm_ctx);
++	pTspi_Context_Close(s->tpm_ctx);
+ 	s->tpm_ctx = 0;
+ }
+ 
+@@ -402,7 +528,7 @@ static int load_key(TSS_HCONTEXT tpm_ctx, TSS_HKEY srk,
+ 
+ 		tint2 = asn1.size;
+ 		err =
+-		    Tspi_DecodeBER_TssBlob(fdata->size, fdata->data, &type,
++		    pTspi_DecodeBER_TssBlob(fdata->size, fdata->data, &type,
+ 					   &tint2, asn1.data);
+ 		if (err != 0) {
+ 			gnutls_assert();
+@@ -414,7 +540,7 @@ static int load_key(TSS_HCONTEXT tpm_ctx, TSS_HKEY srk,
+ 	}
+ 
+ 	/* ... we get it here instead. */
+-	err = Tspi_Context_LoadKeyByBlob(tpm_ctx, srk,
++	err = pTspi_Context_LoadKeyByBlob(tpm_ctx, srk,
+ 					 asn1.size, asn1.data, tpm_key);
+ 	if (err != 0) {
+ 		gnutls_assert();
+@@ -465,7 +591,7 @@ import_tpm_key(gnutls_privkey_t pkey,
+ 		}
+ 	} else if (uuid) {
+ 		err =
+-		    Tspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
++		    pTspi_Context_LoadKeyByUUID(s->tpm_ctx, storage,
+ 					       *uuid, &s->tpm_key);
+ 
+ 		if (err) {
+@@ -493,7 +619,7 @@ import_tpm_key(gnutls_privkey_t pkey,
+ 				     &tmp_sig);
+ 	if (ret == GNUTLS_E_TPM_KEY_PASSWORD_ERROR) {
+ 		if (!s->tpm_key_policy) {
+-			err = Tspi_Context_CreateObject(s->tpm_ctx,
++			err = pTspi_Context_CreateObject(s->tpm_ctx,
+ 							TSS_OBJECT_TYPE_POLICY,
+ 							TSS_POLICY_USAGE,
+ 							&s->
+@@ -505,7 +631,7 @@ import_tpm_key(gnutls_privkey_t pkey,
+ 			}
+ 
+ 			err =
+-			    Tspi_Policy_AssignToObject(s->tpm_key_policy,
++			    pTspi_Policy_AssignToObject(s->tpm_key_policy,
+ 						       s->tpm_key);
+ 			if (err) {
+ 				gnutls_assert();
+@@ -530,10 +656,10 @@ import_tpm_key(gnutls_privkey_t pkey,
+ 
+ 	return 0;
+       out_key_policy:
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key_policy);
+ 	s->tpm_key_policy = 0;
+       out_key:
+-	Tspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
++	pTspi_Context_CloseObject(s->tpm_ctx, s->tpm_key);
+ 	s->tpm_key = 0;
+       out_session:
+ 	tpm_close_session(s);
+@@ -569,6 +695,8 @@ gnutls_privkey_import_tpm_raw(gnutls_privkey_t pkey,
+ 			      const char *srk_password,
+ 			      const char *key_password, unsigned int flags)
+ {
++	CHECK_INIT;
++
+ 	if (flags & GNUTLS_PRIVKEY_DISABLE_CALLBACKS)
+ 		return import_tpm_key(pkey, fdata, format, NULL, 0,
+ 				      srk_password, key_password);
+@@ -845,6 +973,8 @@ gnutls_privkey_import_tpm_url(gnutls_privkey_t pkey,
+ 	gnutls_datum_t fdata = { NULL, 0 };
+ 	int ret;
+ 
++	CHECK_INIT;
++
+ 	ret = decode_tpmkey_url(url, &durl);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+@@ -914,7 +1044,7 @@ static int read_pubkey(gnutls_pubkey_t pub, TSS_HKEY key_ctx,
+ 
+ 	/* read the public key */
+ 
+-	tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
++	tssret = pTspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
+ 				    TSS_TSPATTRIB_KEYINFO_RSA_MODULUS,
+ 				    &tint, (void *) &tdata);
+ 	if (tssret != 0) {
+@@ -925,12 +1055,12 @@ static int read_pubkey(gnutls_pubkey_t pub, TSS_HKEY key_ctx,
+ 	m.data = tdata;
+ 	m.size = tint;
+ 
+-	tssret = Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
++	tssret = pTspi_GetAttribData(key_ctx, TSS_TSPATTRIB_RSAKEY_INFO,
+ 				    TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT,
+ 				    &tint, (void *) &tdata);
+ 	if (tssret != 0) {
+ 		gnutls_assert();
+-		Tspi_Context_FreeMemory(key_ctx, m.data);
++		pTspi_Context_FreeMemory(key_ctx, m.data);
+ 		return tss_err(tssret);
+ 	}
+ 
+@@ -939,8 +1069,8 @@ static int read_pubkey(gnutls_pubkey_t pub, TSS_HKEY key_ctx,
+ 
+ 	ret = gnutls_pubkey_import_rsa_raw(pub, &m, &e);
+ 
+-	Tspi_Context_FreeMemory(key_ctx, m.data);
+-	Tspi_Context_FreeMemory(key_ctx, e.data);
++	pTspi_Context_FreeMemory(key_ctx, m.data);
++	pTspi_Context_FreeMemory(key_ctx, e.data);
+ 
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+@@ -976,7 +1106,7 @@ import_tpm_pubkey(gnutls_pubkey_t pkey,
+ 		}
+ 	} else if (uuid) {
+ 		err =
+-		    Tspi_Context_LoadKeyByUUID(s.tpm_ctx, storage,
++		    pTspi_Context_LoadKeyByUUID(s.tpm_ctx, storage,
+ 					       *uuid, &s.tpm_key);
+ 		if (err) {
+ 			gnutls_assert();
+@@ -1064,6 +1194,8 @@ gnutls_pubkey_import_tpm_raw(gnutls_pubkey_t pkey,
+ 			     gnutls_tpmkey_fmt_t format,
+ 			     const char *srk_password, unsigned int flags)
+ {
++	CHECK_INIT;
++
+ 	if (flags & GNUTLS_PUBKEY_DISABLE_CALLBACKS)
+ 		return import_tpm_pubkey_cb(pkey, fdata, format, NULL, 0,
+ 					    srk_password);
+@@ -1103,6 +1235,8 @@ gnutls_pubkey_import_tpm_url(gnutls_pubkey_t pkey,
+ 	gnutls_datum_t fdata = { NULL, 0 };
+ 	int ret;
+ 
++	CHECK_INIT;
++
+ 	ret = decode_tpmkey_url(url, &durl);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+@@ -1210,6 +1344,8 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 	TSS_HTPM htpm;
+ 	uint8_t buf[32];
+ 
++	CHECK_INIT;
++
+ 	privkey->data = NULL;
+ 	if (pubkey != NULL)
+ 		pubkey->data = NULL;
+@@ -1244,7 +1380,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 	/* put some randomness into TPM. 
+ 	 * Let's not trust it completely.
+ 	 */
+-	tssret = Tspi_Context_GetTpmObject(s.tpm_ctx, &htpm);
++	tssret = pTspi_Context_GetTpmObject(s.tpm_ctx, &htpm);
+ 	if (tssret != 0) {
+ 		gnutls_assert();
+ 		ret = tss_err(tssret);
+@@ -1258,13 +1394,13 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 		goto err_cc;
+ 	}
+ 
+-	tssret = Tspi_TPM_StirRandom(htpm, sizeof(buf), buf);
++	tssret = pTspi_TPM_StirRandom(htpm, sizeof(buf), buf);
+ 	if (tssret) {
+ 		gnutls_assert();
+ 	}
+ 
+ 	tssret =
+-	    Tspi_Context_CreateObject(s.tpm_ctx, TSS_OBJECT_TYPE_RSAKEY,
++	    pTspi_Context_CreateObject(s.tpm_ctx, TSS_OBJECT_TYPE_RSAKEY,
+ 				      tpm_flags, &key_ctx);
+ 	if (tssret != 0) {
+ 		gnutls_assert();
+@@ -1273,7 +1409,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 	}
+ 
+ 	tssret =
+-	    Tspi_SetAttribUint32(key_ctx, TSS_TSPATTRIB_KEY_INFO,
++	    pTspi_SetAttribUint32(key_ctx, TSS_TSPATTRIB_KEY_INFO,
+ 				 TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
+ 				 TSS_SS_RSASSAPKCS1V15_DER);
+ 	if (tssret != 0) {
+@@ -1285,7 +1421,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 	/* set the password of the actual key */
+ 	if (key_password) {
+ 		tssret =
+-		    Tspi_GetPolicyObject(key_ctx, TSS_POLICY_USAGE,
++		    pTspi_GetPolicyObject(key_ctx, TSS_POLICY_USAGE,
+ 					 &key_policy);
+ 		if (tssret != 0) {
+ 			gnutls_assert();
+@@ -1303,7 +1439,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 		}
+ 	}
+ 
+-	tssret = Tspi_Key_CreateKey(key_ctx, s.srk, 0);
++	tssret = pTspi_Key_CreateKey(key_ctx, s.srk, 0);
+ 	if (tssret != 0) {
+ 		gnutls_assert();
+ 		ret = tss_err(tssret);
+@@ -1320,7 +1456,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 		}
+ 
+ 		tssret =
+-		    Tspi_Context_RegisterKey(s.tpm_ctx, key_ctx,
++		    pTspi_Context_RegisterKey(s.tpm_ctx, key_ctx,
+ 					     storage_type, key_uuid,
+ 					     TSS_PS_TYPE_SYSTEM, srk_uuid);
+ 		if (tssret != 0) {
+@@ -1335,7 +1471,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 		if (ret < 0) {
+ 			TSS_HKEY tkey;
+ 
+-			Tspi_Context_UnregisterKey(s.tpm_ctx, storage_type,
++			pTspi_Context_UnregisterKey(s.tpm_ctx, storage_type,
+ 						   key_uuid, &tkey);
+ 			gnutls_assert();
+ 			goto err_sa;
+@@ -1346,7 +1482,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 
+ 
+ 		tssret =
+-		    Tspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
++		    pTspi_GetAttribData(key_ctx, TSS_TSPATTRIB_KEY_BLOB,
+ 				       TSS_TSPATTRIB_KEYBLOB_BLOB, &tint,
+ 				       (void *) &tdata);
+ 		if (tssret != 0) {
+@@ -1387,7 +1523,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 
+ 			tint2 = tmpkey.size;
+ 			tssret =
+-			    Tspi_EncodeDER_TssBlob(tint, tdata,
++			    pTspi_EncodeDER_TssBlob(tint, tdata,
+ 						   TSS_BLOB_TYPE_PRIVATEKEY,
+ 						   &tint2, tmpkey.data);
+ 			if (tssret != 0) {
+@@ -1452,7 +1588,7 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ 	gnutls_free(tmpkey.data);
+ 	tmpkey.data = NULL;
+       err_sa:
+-	Tspi_Context_CloseObject(s.tpm_ctx, key_ctx);
++	pTspi_Context_CloseObject(s.tpm_ctx, key_ctx);
+       err_cc:
+ 	tpm_close_session(&s);
+ 	return ret;
+@@ -1469,8 +1605,10 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+  **/
+ void gnutls_tpm_key_list_deinit(gnutls_tpm_key_list_t list)
+ {
++	CHECK_INIT_VOID;
++
+ 	if (list->tpm_ctx != 0)
+-		Tspi_Context_Close(list->tpm_ctx);
++		pTspi_Context_Close(list->tpm_ctx);
+ 	gnutls_free(list);
+ }
+ 
+@@ -1495,6 +1633,8 @@ int
+ gnutls_tpm_key_list_get_url(gnutls_tpm_key_list_t list, unsigned int idx,
+ 			    char **url, unsigned int flags)
+ {
++	CHECK_INIT;
++
+ 	if (idx >= list->size)
+ 		return
+ 		    gnutls_assert_val
+@@ -1521,18 +1661,20 @@ int gnutls_tpm_get_registered(gnutls_tpm_key_list_t * list)
+ 	TSS_RESULT tssret;
+ 	int ret;
+ 
++	CHECK_INIT;
++
+ 	*list = gnutls_calloc(1, sizeof(struct tpm_key_list_st));
+ 	if (*list == NULL)
+ 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ 
+-	tssret = Tspi_Context_Create(&(*list)->tpm_ctx);
++	tssret = pTspi_Context_Create(&(*list)->tpm_ctx);
+ 	if (tssret) {
+ 		gnutls_assert();
+ 		ret = tss_err(tssret);
+ 		goto cleanup;
+ 	}
+ 
+-	tssret = Tspi_Context_Connect((*list)->tpm_ctx, NULL);
++	tssret = pTspi_Context_Connect((*list)->tpm_ctx, NULL);
+ 	if (tssret) {
+ 		gnutls_assert();
+ 		ret = tss_err(tssret);
+@@ -1540,7 +1682,7 @@ int gnutls_tpm_get_registered(gnutls_tpm_key_list_t * list)
+ 	}
+ 
+ 	tssret =
+-	    Tspi_Context_GetRegisteredKeysByUUID2((*list)->tpm_ctx,
++	    pTspi_Context_GetRegisteredKeysByUUID2((*list)->tpm_ctx,
+ 						  TSS_PS_TYPE_SYSTEM, NULL,
+ 						  &(*list)->size,
+ 						  &(*list)->ki);
+@@ -1578,6 +1720,8 @@ int gnutls_tpm_privkey_delete(const char *url, const char *srk_password)
+ 	TSS_HKEY tkey;
+ 	int ret;
+ 
++	CHECK_INIT;
++
+ 	ret = decode_tpmkey_url(url, &durl);
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+@@ -1590,7 +1734,7 @@ int gnutls_tpm_privkey_delete(const char *url, const char *srk_password)
+ 		return gnutls_assert_val(ret);
+ 
+ 	tssret =
+-	    Tspi_Context_UnregisterKey(s.tpm_ctx, durl.storage, durl.uuid,
++	    pTspi_Context_UnregisterKey(s.tpm_ctx, durl.storage, durl.uuid,
+ 				       &tkey);
+ 	if (tssret != 0) {
+ 		gnutls_assert();
diff --git a/gnutls.spec b/gnutls.spec
index 741a605..3a7ca79 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -3,7 +3,7 @@
 Summary: A TLS protocol implementation
 Name: gnutls
 Version: 3.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The libraries are LGPLv2.1+, utilities are GPLv3+
 License: GPLv3+ and LGPLv2+
 Group: System Environment/Libraries
@@ -18,6 +18,7 @@ BuildRequires: gperf
 Requires: crypto-policies
 Requires: p11-kit-trust
 Requires: libtasn1 >= 4.3
+Recommends: trousers >= 0.3.11.2
 
 %if %{with dane}
 BuildRequires: unbound-devel unbound-libs
@@ -36,6 +37,7 @@ Patch1: gnutls-3.2.7-rpath.patch
 Patch3: gnutls-3.1.11-nosrp.patch
 Patch4: gnutls-3.4.1-default-policy.patch
 Patch5: gnutls-3.4.2-no-now-guile.patch
+Patch6: gnutls-3.4.3-no-trousers.patch
 
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
@@ -139,17 +141,22 @@ This package contains Guile bindings for the library.
 %patch3 -p1 -b .nosrp
 %patch4 -p1 -b .default-policy
 %patch5 -p1 -b .guile
+%patch6 -p1 -b .no-trousers
 
 sed 's/gnutls_srp.c//g' -i lib/Makefile.in
 sed 's/gnutls_srp.lo//g' -i lib/Makefile.in
+sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
 rm -f lib/minitasn1/*.c lib/minitasn1/*.h
 rm -f src/libopts/*.c src/libopts/*.h src/libopts/compat/*.c src/libopts/compat/*.h 
-sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spec="/lib /usr/lib %{_libdir}|g' configure
+
+#remove these in 3.4.4
+sed 's|TROUSERS_LIB|"%{_libdir}/libtspi.so.1"|g' -i lib/tpm.c
+sed 's|$(TSS_LIBS)||g' -i lib/Makefile.in
+touch doc/*.texi doc/*.info doc/*.html doc/stamp_functions doc/stamp_enums doc/manpages/stamp_mans
 
 %{SOURCE2} -e
 
 %build
-
 %configure --with-libtasn1-prefix=%{_prefix} \
            --with-included-libcfg \
            --disable-static \
@@ -158,6 +165,7 @@ sed -i -e 's|sys_lib_dlsearch_path_spec="/lib /usr/lib|sys_lib_dlsearch_path_spe
 	   --disable-non-suiteb-curves \
 	   --with-system-priority-file=%{_sysconfdir}/crypto-policies/back-ends/gnutls.config \
 	   --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" \
+	   --with-trousers-lib=%{_libdir}/libtspi.so.1 \
 %if %{with guile}
            --enable-guile \
 %else
@@ -271,6 +279,10 @@ fi
 %endif
 
 %changelog
+* Mon Jul 13 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.4.3-2
+- Don't link against trousers but rather dlopen() it when available.
+  That avoids a dependency on openssl by the main library.
+
 * Mon Jul 13 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> 3.4.3-1
 - new upstream release