Fix previous change for loading libtss2*

Resolves: #2057490 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2022-02-24 22:02:34 +01:00 · 2022-02-24 22:02:34 +01:00 · 79ee77ae83
parent ce3e58a2d0
commit 79ee77ae83
2 changed files with 285 additions and 296 deletions
--- a/gnutls-3.7.3-libtss2-dlopen.patch
+++ b/gnutls-3.7.3-libtss2-dlopen.patch
@ -1,4 +1,4 @@
-From 1719288f7e57d6b9593ef0c01fdcf7ac304c099f Mon Sep 17 00:00:00 2001
+From 958bd910fa4693d47b2507679267e9d3b4101096 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <ueno@gnu.org>
 Date: Wed, 23 Feb 2022 19:48:52 +0100
 Subject: [PATCH] tpm2: dynamically load tss2 libraries as needed
@ -10,15 +10,19 @@ multiple crypto libraries.
 Signed-off-by: Daiki Ueno <ueno@gnu.org>
 ---
- configure.ac    |  12 +-
+ configure.ac        |  11 ++-
- lib/Makefile.am |   6 +-
+ lib/Makefile.am     |   6 +-
- lib/tpm2.c      |   2 +-
+ lib/tpm2.c          |   2 +-
- lib/tpm2.h      |   2 +-
+ lib/tpm2.h          |   2 +-
- lib/tpm2_esys.c | 330 ++++++++++++++++++++++++++++++++++++++++++------
+ lib/tpm2_esys.c     | 205 ++++++++++++++++++++++++++++++++++----------
- 5 files changed, 303 insertions(+), 49 deletions(-)
+ tests/Makefile.am   |   3 +-
 tests/sanity-lib.sh |  36 ++++++++
 tests/tpm2.sh       |  14 ++-
 8 files changed, 224 insertions(+), 55 deletions(-)
 create mode 100644 tests/sanity-lib.sh
 diff --git a/configure.ac b/configure.ac
-index 53c3aefca1..be51b376a6 100644
+index 53c3aefca1..721ff208f0 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -882,6 +882,8 @@ AM_CONDITIONAL(P11KIT_0_23_11_API, $PKG_CONFIG --atleast-version=0.23.11 p11-kit
@ -30,11 +34,7 @@ index 53c3aefca1..be51b376a6 100644
 AC_ARG_WITH(tpm2,
 	AS_HELP_STRING([--without-tpm2],
 		[Disable TPM2 support.]),
-@@ -889,9 +891,11 @@ AC_ARG_WITH(tpm2,
+@@ -892,6 +894,7 @@ if test "$with_tpm2" != "no"; then
 if test "$with_tpm2" != "no"; then
 	PKG_CHECK_MODULES(TSS2, [tss2-esys tss2-mu tss2-tctildr],
 		[have_tpm2=yes], [have_tpm2=no])
 +	PKG_CHECK_EXISTS([tss2-esys], , [have_tpm2=no])
 	if test "$have_tpm2" = "yes"; then
 		tss2lib="tss2-esys tss2-mu tss2-tctildr"
 		AC_DEFINE([HAVE_TSS2], 1, [Have TSS2])
@ -42,7 +42,7 @@ index 53c3aefca1..be51b376a6 100644
 	elif test "$with_tpm2" = "yes"; then
 		AC_MSG_ERROR([[
 ***
-@@ -920,7 +924,8 @@ if test "$with_tpm" != "no"; then
+@@ -920,7 +923,8 @@ if test "$with_tpm" != "no"; then
 		   AC_SUBST([TSS_LIBS], [-ltspi])
 		   AC_SUBST([TSS_CFLAGS], [])
 		   AC_DEFINE([HAVE_TROUSERS], 1, [Enable TPM])
@ -52,7 +52,7 @@ index 53c3aefca1..be51b376a6 100644
 		  [AC_MSG_RESULT(no)
 		   AC_MSG_WARN([[
 *** 
-@@ -957,6 +962,9 @@ fi
+@@ -957,6 +961,9 @@ fi
 AC_DEFINE_UNQUOTED([TROUSERS_LIB], ["$ac_trousers_lib"], [the location of the trousers library])
 AC_SUBST(TROUSERS_LIB)
@ -62,7 +62,7 @@ index 53c3aefca1..be51b376a6 100644
 # For minitasn1.
 AC_CHECK_SIZEOF(unsigned long int, 4)
 AC_CHECK_SIZEOF(unsigned int, 4)
-@@ -1312,7 +1320,7 @@ AC_MSG_NOTICE([External hardware support:
+@@ -1312,7 +1319,7 @@ AC_MSG_NOTICE([External hardware support:
   Random gen. variant:  $rnd_variant
   PKCS#11 support:      $with_p11_kit
   TPM support:          $with_tpm
@ -127,10 +127,10 @@ index e40dc01df7..7966e2d811 100644
 void release_tpm2_ctx(struct tpm2_info_st *info);
 diff --git a/lib/tpm2_esys.c b/lib/tpm2_esys.c
-index 93e54413ba..e1a54f12a1 100644
+index 93e54413ba..584e384d2b 100644
 --- a/lib/tpm2_esys.c
 +++ b/lib/tpm2_esys.c
-@@ -72,6 +72,217 @@
+@@ -72,6 +72,102 @@
 #include <tss2/tss2_esys.h>
 #include <tss2/tss2_tctildr.h>
@ -140,215 +140,100 @@ index 93e54413ba..e1a54f12a1 100644
 + * crypto libraries.  Instead, only dlopen it as needed.
 + */
 +
 +#if !((defined __GNUC__ && 2 <= __GNUC__) || \
 +      (defined __clang_major__ && 4 <= __clang_major__))
 +# error "typeof compiler keyword is needed for TPM2 support"
 +#endif
 +
 +static void *_gnutls_tss2_esys_dlhandle;
 +static void *_gnutls_tss2_mu_dlhandle;
 +static void *_gnutls_tss2_tctildr_dlhandle;
 +
-+#define DEFINE_TSS2_FUNC(sys, ret, func, args, argscall)			\
+static typeof(Esys_GetCapability) (*_gnutls_tss2_Esys_GetCapability);
-+	typedef ret(*_gnutls_tss2_##sys##_PTR_##func) args;		\
+static typeof(Esys_Free) (*_gnutls_tss2_Esys_Free);
-+	static _gnutls_tss2_##sys##_PTR_##func _g_##func = 0;		\
+static typeof(Esys_TR_SetAuth) (*_gnutls_tss2_Esys_TR_SetAuth);
-+	static inline ret _gnutls_tss2_##sys##_##func args			\
+static typeof(Esys_CreatePrimary) (*_gnutls_tss2_Esys_CreatePrimary);
-+	{								\
+static typeof(Esys_Initialize) (*_gnutls_tss2_Esys_Initialize);
-+		if (unlikely(!_g_##func)) {				\
+static typeof(Esys_Startup) (*_gnutls_tss2_Esys_Startup);
-+			_g_##func = dlsym(_gnutls_tss2_##sys##_dlhandle,\
+static typeof(Esys_TR_FromTPMPublic) (*_gnutls_tss2_Esys_TR_FromTPMPublic);
-+					  #func);			\
+static typeof(Esys_ReadPublic) (*_gnutls_tss2_Esys_ReadPublic);
-+		}							\
+static typeof(Esys_Load) (*_gnutls_tss2_Esys_Load);
-+		return _g_##func argscall;				\
+static typeof(Esys_FlushContext) (*_gnutls_tss2_Esys_FlushContext);
 +static typeof(Esys_Finalize) (*_gnutls_tss2_Esys_Finalize);
 +static typeof(Esys_RSA_Decrypt) (*_gnutls_tss2_Esys_RSA_Decrypt);
 +static typeof(Esys_Sign) (*_gnutls_tss2_Esys_Sign);
 +
 +static typeof(Tss2_MU_TPM2B_PRIVATE_Unmarshal)
 +(*_gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal);
 +static typeof(Tss2_MU_TPM2B_PUBLIC_Unmarshal)
 +(*_gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal);
 +
 +static typeof(Tss2_TctiLdr_Initialize) (*_gnutls_tss2_Tss2_TctiLdr_Initialize);
 +static typeof(Tss2_TctiLdr_Finalize) (*_gnutls_tss2_Tss2_TctiLdr_Finalize);
 +
 +#define DLSYM_TSS2(sys, sym)						\
 +	_gnutls_tss2_##sym = dlsym(_gnutls_tss2_##sys##_dlhandle, #sym); \
 +	if (!_gnutls_tss2_##sym) {					\
 +		return -1;						\
 +	}
 +
-+DEFINE_TSS2_FUNC(esys, TSS2_RC,
+static int
-+		 Esys_GetCapability,
+init_tss2_funcs(void)
-+		 (ESYS_CONTEXT *esysContext,
+{
-+		  ESYS_TR shandle1,
+	if (!_gnutls_tss2_esys_dlhandle) {
-+		  ESYS_TR shandle2,
+		_gnutls_tss2_esys_dlhandle =
-+		  ESYS_TR shandle3,
+			dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL);
-+		  TPM2_CAP capability,
+		if (!_gnutls_tss2_esys_dlhandle) {
-+		  UINT32 property,
+			_gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n");
-+		  UINT32 propertyCount,
+			return -1;
-+		  TPMI_YES_NO *moreData,
+		}
-+		  TPMS_CAPABILITY_DATA **capabilityData),
+	}
 +		 (esysContext,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  capability,
 +		  property,
 +		  propertyCount,
 +		  moreData,
 +		  capabilityData))
 +DEFINE_TSS2_FUNC(esys, void, Esys_Free, (void *__ptr), (__ptr))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_TR_SetAuth,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR handle,
 +		  TPM2B_AUTH const *authValue),
 +		 (esysContext,
 +		  handle,
 +		  authValue))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_CreatePrimary,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR primaryHandle,
 +		  ESYS_TR shandle1,
 +		  ESYS_TR shandle2,
 +		  ESYS_TR shandle3,
 +		  const TPM2B_SENSITIVE_CREATE *inSensitive,
 +		  const TPM2B_PUBLIC *inPublic,
 +		  const TPM2B_DATA *outsideInfo,
 +		  const TPML_PCR_SELECTION *creationPCR,
 +		  ESYS_TR *objectHandle,
 +		  TPM2B_PUBLIC **outPublic,
 +		  TPM2B_CREATION_DATA **creationData,
 +		  TPM2B_DIGEST **creationHash,
 +		  TPMT_TK_CREATION **creationTicket),
 +		 (esysContext,
 +		  primaryHandle,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  inSensitive,
 +		  inPublic,
 +		  outsideInfo,
 +		  creationPCR,
 +		  objectHandle,
 +		  outPublic,
 +		  creationData,
 +		  creationHash,
 +		  creationTicket))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Initialize,
 +		 (ESYS_CONTEXT **esys_context,
 +		  TSS2_TCTI_CONTEXT *tcti,
 +		  TSS2_ABI_VERSION *abiVersion),
 +		 (esys_context,
 +		  tcti,
 +		  abiVersion))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Startup,
 +		 (ESYS_CONTEXT *esysContext,
 +		  TPM2_SU startupType),
 +		 (esysContext,
 +		  startupType))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_TR_FromTPMPublic,
 +		 (ESYS_CONTEXT *esysContext,
 +		  TPM2_HANDLE tpm_handle,
 +		  ESYS_TR optionalSession1,
 +		  ESYS_TR optionalSession2,
 +		  ESYS_TR optionalSession3,
 +		  ESYS_TR *object),
 +		 (esysContext,
 +		  tpm_handle,
 +		  optionalSession1,
 +		  optionalSession2,
 +		  optionalSession3,
 +		  object))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_ReadPublic,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR objectHandle,
 +		  ESYS_TR shandle1,
 +		  ESYS_TR shandle2,
 +		  ESYS_TR shandle3,
 +		  TPM2B_PUBLIC **outPublic,
 +		  TPM2B_NAME **name,
 +		  TPM2B_NAME **qualifiedName),
 +		 (esysContext,
 +		  objectHandle,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  outPublic,
 +		  name,
 +		  qualifiedName))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Load,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR parentHandle,
 +		  ESYS_TR shandle1,
 +		  ESYS_TR shandle2,
 +		  ESYS_TR shandle3,
 +		  const TPM2B_PRIVATE *inPrivate,
 +		  const TPM2B_PUBLIC *inPublic,
 +		  ESYS_TR *objectHandle),
 +		 (esysContext,
 +		  parentHandle,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  inPrivate,
 +		  inPublic,
 +		  objectHandle))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_FlushContext,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR flushHandle),
 +		 (esysContext,
 +		  flushHandle))
 +DEFINE_TSS2_FUNC(esys, void, Esys_Finalize, (ESYS_CONTEXT **context), (context))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_RSA_Decrypt,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR keyHandle,
 +		  ESYS_TR shandle1,
 +		  ESYS_TR shandle2,
 +		  ESYS_TR shandle3,
 +		  const TPM2B_PUBLIC_KEY_RSA *cipherText,
 +		  const TPMT_RSA_DECRYPT *inScheme,
 +		  const TPM2B_DATA *label,
 +		  TPM2B_PUBLIC_KEY_RSA **message),
 +		 (esysContext,
 +		  keyHandle,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  cipherText,
 +		  inScheme,
 +		  label,
 +		  message))
 +DEFINE_TSS2_FUNC(esys, TSS2_RC, Esys_Sign,
 +		 (ESYS_CONTEXT *esysContext,
 +		  ESYS_TR keyHandle,
 +		  ESYS_TR shandle1,
 +		  ESYS_TR shandle2,
 +		  ESYS_TR shandle3,
 +		  const TPM2B_DIGEST *digest,
 +		  const TPMT_SIG_SCHEME *inScheme,
 +		  const TPMT_TK_HASHCHECK *validation,
 +		  TPMT_SIGNATURE **signature),
 +		 (esysContext,
 +		  keyHandle,
 +		  shandle1,
 +		  shandle2,
 +		  shandle3,
 +		  digest,
 +		  inScheme,
 +		  validation,
 +		  signature))
 +
-+DEFINE_TSS2_FUNC(mu, TSS2_RC, Tss2_MU_TPM2B_PRIVATE_Unmarshal,
+	DLSYM_TSS2(esys, Esys_GetCapability)
-+		 (uint8_t const buffer[],
+	DLSYM_TSS2(esys, Esys_Free)
-+		  size_t buffer_size,
+	DLSYM_TSS2(esys, Esys_TR_SetAuth)
-+		  size_t *offset,
+	DLSYM_TSS2(esys, Esys_CreatePrimary)
-+		  TPM2B_PRIVATE *dest),
+	DLSYM_TSS2(esys, Esys_Initialize)
-+		 (buffer,
+	DLSYM_TSS2(esys, Esys_Startup)
-+		  buffer_size,
+	DLSYM_TSS2(esys, Esys_TR_FromTPMPublic)
-+		  offset,
+	DLSYM_TSS2(esys, Esys_ReadPublic)
-+		  dest))
+	DLSYM_TSS2(esys, Esys_Load)
-+DEFINE_TSS2_FUNC(mu, TSS2_RC, Tss2_MU_TPM2B_PUBLIC_Unmarshal,
+	DLSYM_TSS2(esys, Esys_FlushContext)
-+		 (uint8_t const buffer[],
+	DLSYM_TSS2(esys, Esys_Finalize)
-+		  size_t buffer_size,
+	DLSYM_TSS2(esys, Esys_RSA_Decrypt)
-+		  size_t *offset,
+	DLSYM_TSS2(esys, Esys_Sign)
 +		  TPM2B_PUBLIC *dest),
 +		 (buffer,
 +		  buffer_size,
 +		  offset,
 +		  dest))
 +
-+DEFINE_TSS2_FUNC(tctildr, TSS2_RC, Tss2_TctiLdr_Initialize,
+	if (!_gnutls_tss2_mu_dlhandle) {
-+		 (const char *nameConf,
+		_gnutls_tss2_mu_dlhandle =
-+		  TSS2_TCTI_CONTEXT **context),
+			dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL);
-+		 (nameConf,
+		if (!_gnutls_tss2_mu_dlhandle) {
-+		  context))
+			_gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n");
-+DEFINE_TSS2_FUNC(tctildr, void, Tss2_TctiLdr_Finalize,
+			return -1;
-+		 (TSS2_TCTI_CONTEXT **context),
+		}
-+		 (context))
+	}
 +
 +	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PRIVATE_Unmarshal)
 +	DLSYM_TSS2(mu, Tss2_MU_TPM2B_PUBLIC_Unmarshal)
 +
 +	if (!_gnutls_tss2_tctildr_dlhandle) {
 +		_gnutls_tss2_tctildr_dlhandle =
 +			dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL);
 +		if (!_gnutls_tss2_tctildr_dlhandle) {
 +			_gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n");
 +			return -1;
 +		}
 +	}
 +
 +	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Initialize)
 +	DLSYM_TSS2(tctildr, Tss2_TctiLdr_Finalize)
 +
 +	return 0;
 +}
 +
 struct tpm2_info_st {
 	TPM2B_PUBLIC pub;
 	TPM2B_PRIVATE priv;
-@@ -227,10 +438,10 @@ get_primary_template(ESYS_CONTEXT *ctx)
+@@ -227,10 +323,10 @@ get_primary_template(ESYS_CONTEXT *ctx)
 	UINT32 i;
 	TSS2_RC rc;
@ -356,86 +241,61 @@ index 93e54413ba..e1a54f12a1 100644
 -				 ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
 -				 TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
 -				 NULL, &capability_data);
-+	rc = _gnutls_tss2_esys_Esys_GetCapability(ctx,
+	rc = _gnutls_tss2_Esys_GetCapability(ctx,
 +				ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
 +				TPM2_CAP_ALGS, 0, TPM2_MAX_CAP_ALGS,
 +				NULL, &capability_data);
 	if (rc) {
 		_gnutls_debug_log("tpm2: Esys_GetCapability failed: 0x%x\n", rc);
 		return NULL;
-@@ -239,7 +450,7 @@ get_primary_template(ESYS_CONTEXT *ctx)
+@@ -239,7 +335,7 @@ get_primary_template(ESYS_CONTEXT *ctx)
 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
 		if (capability_data->data.algorithms.algProperties[i].alg ==
 		    TPM2_ALG_ECC) {
 -			Esys_Free(capability_data);
-+			_gnutls_tss2_esys_Esys_Free(capability_data);
+			_gnutls_tss2_Esys_Free(capability_data);
 			return &primary_template_ecc;
 		}
 	}
-@@ -247,12 +458,12 @@ get_primary_template(ESYS_CONTEXT *ctx)
+@@ -247,12 +343,12 @@ get_primary_template(ESYS_CONTEXT *ctx)
 	for (i = 0; i < capability_data->data.algorithms.count; i++) {
 		if (capability_data->data.algorithms.algProperties[i].alg ==
 		    TPM2_ALG_RSA) {
 -			Esys_Free(capability_data);
-+			_gnutls_tss2_esys_Esys_Free(capability_data);
+			_gnutls_tss2_Esys_Free(capability_data);
 			return &primary_template_rsa;
 		}
         }
 -	Esys_Free(capability_data);
-+	_gnutls_tss2_esys_Esys_Free(capability_data);
+	_gnutls_tss2_Esys_Free(capability_data);
 	_gnutls_debug_log("tpm2: unable to find primary template\n");
 	return NULL;
 }
-@@ -320,7 +531,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
+@@ -320,7 +416,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
 		install_tpm_passphrase(&info->ownerauth, pass);
 		info->need_ownerauth = false;
 	}
 -	rc = Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
-+	rc = _gnutls_tss2_esys_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
+	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, hierarchy, &info->ownerauth);
 	if (rc) {
 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
-@@ -329,7 +540,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
+@@ -329,7 +425,7 @@ static int init_tpm2_primary(struct tpm2_info_st *info,
 	if (!primary_template) {
 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
 	}
 -	rc = Esys_CreatePrimary(ctx, hierarchy,
-+	rc = _gnutls_tss2_esys_Esys_CreatePrimary(ctx, hierarchy,
+	rc = _gnutls_tss2_Esys_CreatePrimary(ctx, hierarchy,
 				ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
 				&primary_sensitive,
 				primary_template,
-@@ -355,18 +566,39 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -359,14 +455,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 	ESYS_TR parent_handle = ESYS_TR_NONE;
 	TSS2_RC rc;
 +	if (!_gnutls_tss2_esys_dlhandle) {
 +		_gnutls_tss2_esys_dlhandle =
 +			dlopen("libtss2-esys.so.0", RTLD_NOW | RTLD_GLOBAL);
 +		if (!_gnutls_tss2_esys_dlhandle) {
 +			_gnutls_debug_log("tpm2: unable to dlopen libtss2-esys\n");
 +			goto error;
 +		}
 +		_gnutls_tss2_mu_dlhandle =
 +			dlopen("libtss2-mu.so.0", RTLD_NOW | RTLD_GLOBAL);
 +		if (!_gnutls_tss2_mu_dlhandle) {
 +			_gnutls_debug_log("tpm2: unable to dlopen libtss2-mu\n");
 +			goto error;
 +		}
 +		_gnutls_tss2_tctildr_dlhandle =
 +			dlopen("libtss2-tctildr.so.0", RTLD_NOW | RTLD_GLOBAL);
 +		if (!_gnutls_tss2_tctildr_dlhandle) {
 +			_gnutls_debug_log("tpm2: unable to dlopen libtss2-tctildr\n");
 +			goto error;
 +		}
 +	}
 +
 	*key_handle = ESYS_TR_NONE;
 	_gnutls_debug_log("tpm2: establishing connection with TPM\n");
 -	rc = Esys_Initialize(ctx, tcti_ctx, NULL);
-+	rc = _gnutls_tss2_esys_Esys_Initialize(ctx, tcti_ctx, NULL);
+	rc = _gnutls_tss2_Esys_Initialize(ctx, tcti_ctx, NULL);
 	if (rc) {
 		gnutls_assert();
 		_gnutls_debug_log("tpm2: Esys_Initialize failed: 0x%x\n", rc);
@ -443,149 +303,149 @@ index 93e54413ba..e1a54f12a1 100644
 	}
 -	rc = Esys_Startup(*ctx, TPM2_SU_CLEAR);
-+	rc = _gnutls_tss2_esys_Esys_Startup(*ctx, TPM2_SU_CLEAR);
+	rc = _gnutls_tss2_Esys_Startup(*ctx, TPM2_SU_CLEAR);
 	if (rc == TPM2_RC_INITIALIZE) {
 		_gnutls_debug_log("tpm2: was already started up thus false positive failing in tpm2tss log\n");
 	} else if (rc) {
-@@ -381,7 +613,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -381,7 +477,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 			goto error;
 		}
 	} else {
 -		rc = Esys_TR_FromTPMPublic(*ctx, info->parent,
-+		rc = _gnutls_tss2_esys_Esys_TR_FromTPMPublic(*ctx, info->parent,
+		rc = _gnutls_tss2_Esys_TR_FromTPMPublic(*ctx, info->parent,
 					   ESYS_TR_NONE,
 					   ESYS_TR_NONE,
 					   ESYS_TR_NONE,
-@@ -399,7 +631,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -399,7 +495,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 		if (!info->did_ownerauth && !info->ownerauth.size) {
 			TPM2B_PUBLIC *pub = NULL;
 -			rc = Esys_ReadPublic(*ctx, parent_handle,
-+			rc = _gnutls_tss2_esys_Esys_ReadPublic(*ctx, parent_handle,
+			rc = _gnutls_tss2_Esys_ReadPublic(*ctx, parent_handle,
 					     ESYS_TR_NONE,
 					     ESYS_TR_NONE,
 					     ESYS_TR_NONE,
-@@ -408,7 +640,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -408,7 +504,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 			    !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA)) {
 				info->need_ownerauth = true;
 			}
 -			Esys_Free(pub);
-+			_gnutls_tss2_esys_Esys_Free(pub);
+			_gnutls_tss2_Esys_Free(pub);
 		}
 	reauth:
 		if (info->need_ownerauth) {
-@@ -420,7 +652,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -420,7 +516,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 			install_tpm_passphrase(&info->ownerauth, pass);
 			info->need_ownerauth = false;
 		}
 -		rc = Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
-+		rc = _gnutls_tss2_esys_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
+		rc = _gnutls_tss2_Esys_TR_SetAuth(*ctx, parent_handle, &info->ownerauth);
 		if (rc) {
 			gnutls_assert();
 			_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n",
-@@ -432,7 +664,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -432,7 +528,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 	_gnutls_debug_log("tpm2: loading TPM2 key blob, parent handle 0x%x\n",
 			  parent_handle);
 -	rc = Esys_Load(*ctx, parent_handle,
-+	rc = _gnutls_tss2_esys_Esys_Load(*ctx, parent_handle,
+	rc = _gnutls_tss2_Esys_Load(*ctx, parent_handle,
 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
 		       &info->priv, &info->pub,
 		       key_handle);
-@@ -450,7 +682,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -450,7 +546,7 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 	info->did_ownerauth = true;
 	if (parent_is_generated(info->parent)) {
 -		rc = Esys_FlushContext(*ctx, parent_handle);
-+		rc = _gnutls_tss2_esys_Esys_FlushContext(*ctx, parent_handle);
+		rc = _gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
 		if (rc) {
 			_gnutls_debug_log("tpm2: Esys_FlushContext for generated primary failed: 0x%x\n",
 					  rc);
-@@ -461,14 +693,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
+@@ -461,14 +557,14 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *key_handle,
 	return 0;
  error:
 	if (parent_is_generated(info->parent) && parent_handle != ESYS_TR_NONE) {
 -		Esys_FlushContext(*ctx, parent_handle);
-+		_gnutls_tss2_esys_Esys_FlushContext(*ctx, parent_handle);
+		_gnutls_tss2_Esys_FlushContext(*ctx, parent_handle);
 	}
 	if (*key_handle != ESYS_TR_NONE) {
 -		Esys_FlushContext(*ctx, *key_handle);
-+		_gnutls_tss2_esys_Esys_FlushContext(*ctx, *key_handle);
+		_gnutls_tss2_Esys_FlushContext(*ctx, *key_handle);
 	}
 	*key_handle = ESYS_TR_NONE;
 -	Esys_Finalize(ctx);
-+	_gnutls_tss2_esys_Esys_Finalize(ctx);
+	_gnutls_tss2_Esys_Finalize(ctx);
 	return GNUTLS_E_TPM_ERROR;
 }
-@@ -488,7 +720,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
+@@ -488,7 +584,7 @@ auth_tpm2_key(struct tpm2_info_st *info, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
 		info->need_userauth = false;
 	}
 -	rc = Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
-+	rc = _gnutls_tss2_esys_Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
+	rc = _gnutls_tss2_Esys_TR_SetAuth(ctx, key_handle, &info->userauth);
 	if (rc) {
 		_gnutls_debug_log("tpm2: Esys_TR_SetAuth failed: 0x%x\n", rc);
 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
-@@ -574,7 +806,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+@@ -574,7 +670,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 		goto out;
 	}
 -	rc = Esys_RSA_Decrypt(ectx, key_handle,
-+	rc = _gnutls_tss2_esys_Esys_RSA_Decrypt(ectx, key_handle,
+	rc = _gnutls_tss2_Esys_RSA_Decrypt(ectx, key_handle,
 			      ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
 			      &digest, &in_scheme, &label, &tsig);
 	if (rc_is_key_auth_failed(rc)) {
-@@ -591,14 +823,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+@@ -591,14 +687,14 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 	ret = _gnutls_set_datum(sig, tsig->buffer, tsig->size);
  out:
 -	Esys_Free(tsig);
-+	_gnutls_tss2_esys_Esys_Free(tsig);
+	_gnutls_tss2_Esys_Free(tsig);
 	if (key_handle != ESYS_TR_NONE) {
 -		Esys_FlushContext(ectx, key_handle);
-+		_gnutls_tss2_esys_Esys_FlushContext(ectx, key_handle);
+		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
 	}
 	if (ectx) {
 -		Esys_Finalize(&ectx);
-+		_gnutls_tss2_esys_Esys_Finalize(&ectx);
+		_gnutls_tss2_Esys_Finalize(&ectx);
 	}
 	return ret;
-@@ -661,7 +893,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+@@ -661,7 +757,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 		goto out;
 	}
 -	rc = Esys_Sign(ectx, key_handle,
-+	rc = _gnutls_tss2_esys_Esys_Sign(ectx, key_handle,
+	rc = _gnutls_tss2_Esys_Sign(ectx, key_handle,
 		       ESYS_TR_PASSWORD, ESYS_TR_NONE, ESYS_TR_NONE,
 		       &digest, &in_scheme, &validation,
 		       &tsig);
-@@ -682,14 +914,14 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+@@ -682,31 +778,23 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 	ret = gnutls_encode_rs_value(sig, &sig_r, &sig_s);
  out:
 -	Esys_Free(tsig);
-+	_gnutls_tss2_esys_Esys_Free(tsig);
+	_gnutls_tss2_Esys_Free(tsig);
 	if (key_handle != ESYS_TR_NONE) {
 -		Esys_FlushContext(ectx, key_handle);
-+		_gnutls_tss2_esys_Esys_FlushContext(ectx, key_handle);
+		_gnutls_tss2_Esys_FlushContext(ectx, key_handle);
 	}
 	if (ectx) {
 -		Esys_Finalize(&ectx);
-+		_gnutls_tss2_esys_Esys_Finalize(&ectx);
+		_gnutls_tss2_Esys_Finalize(&ectx);
 	}
 	return ret;
-@@ -697,14 +929,6 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
+ }
 GNUTLS_ONCE(tcti_once);
 -GNUTLS_ONCE(tcti_once);
 -
 -void
 -tpm2_tcti_deinit(void)
 -{
@ -593,20 +453,36 @@ index 93e54413ba..e1a54f12a1 100644
 -		Tss2_TctiLdr_Finalize(&tcti_ctx);
 -	}
 -}
-
+GNUTLS_ONCE(tpm2_esys_once);
 static void
- tcti_once_init(void)
+-tcti_once_init(void)
 +tpm2_esys_once_init(void)
 {
-@@ -727,7 +951,7 @@ tcti_once_init(void)
+ 	const char *tcti;
 	const char * const tcti_vars[] = {
@@ -718,6 +806,11 @@ tcti_once_init(void)
 	size_t i;
 	TSS2_RC rc;
 +	if (init_tss2_funcs() < 0) {
 +		_gnutls_debug_log("tpm2: unable to initialize TSS2 functions\n");
 +		return;
 +	}
 +
 	for (i = 0; i < sizeof(tcti_vars) / sizeof(tcti_vars[0]); i++) {
 		tcti = secure_getenv(tcti_vars[i]);
 		if (tcti && *tcti != '\0') {
@@ -727,7 +820,7 @@ tcti_once_init(void)
 		}
 	}
 	if (tcti && *tcti != '\0') {
 -		rc = Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
-+		rc = _gnutls_tss2_tctildr_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
+		rc = _gnutls_tss2_Tss2_TctiLdr_Initialize(tcti, &tcti_ctx);
 		if (rc) {
 			_gnutls_debug_log("tpm2: TSS2_TctiLdr_Initialize failed: 0x%x\n",
 					  rc);
-@@ -735,6 +959,28 @@ tcti_once_init(void)
+@@ -735,13 +828,35 @@ tcti_once_init(void)
 	}
 }
@ -615,7 +491,7 @@ index 93e54413ba..e1a54f12a1 100644
 +tpm2_esys_deinit(void)
 +{
 +	if (tcti_ctx) {
-+		_gnutls_tss2_tctildr_Tss2_TctiLdr_Finalize(&tcti_ctx);
+		_gnutls_tss2_Tss2_TctiLdr_Finalize(&tcti_ctx);
 +		tcti_ctx = NULL;
 +	}
 +	if (_gnutls_tss2_esys_dlhandle) {
@ -635,13 +511,21 @@ index 93e54413ba..e1a54f12a1 100644
 int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
 		     unsigned int parent, bool emptyauth,
 		     gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
-@@ -757,16 +1003,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
+ {
 	TSS2_RC rc;
 -	(void)gnutls_once(&tcti_once, tcti_once_init);
 +	(void)gnutls_once(&tpm2_esys_once, tpm2_esys_once_init);
 	if (!tcti_ctx) {
 		return gnutls_assert_val(GNUTLS_E_TPM_ERROR);
@@ -757,16 +872,16 @@ int install_tpm2_key(struct tpm2_info_st *info, gnutls_privkey_t pkey,
 	info->parent = parent;
 -	rc = Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
 -					     &info->priv);
-+	rc = _gnutls_tss2_mu_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
+	rc = _gnutls_tss2_Tss2_MU_TPM2B_PRIVATE_Unmarshal(privdata->data, privdata->size, NULL,
 +							     &info->priv);
 	if (rc) {
 		_gnutls_debug_log("tpm2: failed to import private key data: 0x%x\n",
@ -651,11 +535,113 @@ index 93e54413ba..e1a54f12a1 100644
 -	rc = Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
 -					    &info->pub);
-+	rc = _gnutls_tss2_mu_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
+	rc = _gnutls_tss2_Tss2_MU_TPM2B_PUBLIC_Unmarshal(pubdata->data, pubdata->size, NULL,
 +							    &info->pub);
 	if (rc) {
 		_gnutls_debug_log("tpm2: failed to import public key data: 0x%x\n",
 				  rc);
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index 529f1cc077..64ce470a02 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -515,7 +515,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
 	psktool.sh ocsp-tests/ocsp-load-chain.sh gnutls-cli-save-data.sh gnutls-cli-debug.sh \
 	sni-resume.sh ocsp-tests/ocsptool.sh cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
 	serv-udp.sh logfile-option.sh gnutls-cli-resume.sh profile-tests.sh \
 -	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh
 +	server-weak-keys.sh ocsp-tests/ocsp-signer-verify.sh cfg-test.sh \
 +	sanity-lib.sh
 if !DISABLE_SYSTEM_CONFIG
 dist_check_SCRIPTS += system-override-sig.sh system-override-hash.sh \
 diff --git a/tests/sanity-lib.sh b/tests/sanity-lib.sh
 new file mode 100644
 index 0000000000..fd38c764fb
 --- /dev/null
 +++ b/tests/sanity-lib.sh
@@ -0,0 +1,36 @@
 +#!/bin/sh
 +
 +# Copyright (C) 2022 Red Hat, Inc.
 +#
 +# Author: Daiki Ueno
 +#
 +# This file is part of GnuTLS.
 +#
 +# GnuTLS is free software; you can redistribute it and/or modify it
 +# under the terms of the GNU General Public License as published by the
 +# Free Software Foundation; either version 3 of the License, or (at
 +# your option) any later version.
 +#
 +# GnuTLS is distributed in the hope that it will be useful, but
 +# WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# General Public License for more details.
 +#
 +# You should have received a copy of the GNU Lesser General Public License
 +# along with this program.  If not, see <https://www.gnu.org/licenses/>
 +
 +: ${top_builddir=..}
 +: ${CLI_DEBUG=../src/gnutls-cli-debug${EXEEXT}}
 +: ${LDD=ldd}
 +: ${LIBTOOL=libtool}
 +
 +# ldd.sh doesn't check recursive dependencies
 +${LDD} --version >/dev/null || exit 77
 +
 +# We use gnutls-cli-debug, as it has the fewest dependencies among our
 +# commands (e.g., gnutls-cli pulls in OpenSSL through libunbound).
 +if ${LIBTOOL} --mode=execute ${LDD} ${CLI_DEBUG} | \
 +    grep '^[[:space:]]*\(libcrypto\.\|libssl\.\|libgcrypt\.\)'; then
 +    echo "gnutls-cli-debug links to other crypto library"
 +    exit 1
 +fi
 diff --git a/tests/tpm2.sh b/tests/tpm2.sh
 index 854986c552..6f8e44c64b 100755
 --- a/tests/tpm2.sh
 +++ b/tests/tpm2.sh
@@ -21,8 +21,6 @@
 # along with GnuTLS; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 -set +e
 -
 : ${srcdir=.}
 : ${CERTTOOL=../src/certtool${EXEEXT}}
 KEYPEMFILE=tpmkey.$$.key.pem
@@ -192,6 +190,10 @@ run_tests()
 	echo " - Generating ${KEYPEMFILE}"
 	tpm2tss-genkey -a ${kalg} -o ${OPASS} ${KEYPEMFILE}
 +	if [ $? -ne 0 ]; then
 +		echo "unable to generate key"
 +		return 1
 +	fi
 	cat ${KEYPEMFILE}
 	echo " - Generating certificate based on key"
@@ -200,6 +202,10 @@ run_tests()
 	"${CERTTOOL}" --generate-self-signed -d 3 \
 		--load-privkey "${KEYPEMFILE}" \
 		--template "${srcdir}/cert-tests/templates/template-test.tmpl"
 +	if [ $? -ne 0 ]; then
 +		echo "unable to generate certificate"
 +		return 1
 +	fi
 	if test "${kalg}" = "rsa";then
 		echo " - Generating RSA-PSS certificate based on key"
@@ -207,6 +213,10 @@ run_tests()
 			--load-privkey "${KEYPEMFILE}" \
 			--sign-params rsa-pss \
 			--template "${srcdir}/cert-tests/templates/template-test.tmpl"
 +		if [ $? -ne 0 ]; then
 +			echo "unable to generate certificate"
 +			return 1
 +		fi
 	fi
 	stop_swtpm
 -- 
 2.34.1
--- a/gnutls.spec
+++ b/gnutls.spec
@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 Version: 3.7.3
-Release: 7%{?dist}
+Release: 8%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
 Patch3:	gnutls-3.7.2-enable-intel-cet.patch
@ -343,6 +343,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 %changelog
 * Thu Feb 24 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-8
 - Fix previous change for loading libtss2* (#2057490)
 * Wed Feb 23 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-7
 - Increase GNUTLS_MAX_ALGORITHM_NUM for allowlisting (#2033220)
 - Ensure allowlisting API is called before priority string is constructed (#2042532)