Fix failures introduced with OpenSSL 3

Resolves: rhbz#1984621
Resolves: rhbz#1992339

Signed-off-by: Štěpán Horáček <shoracek@redhat.com>

0002-utils-Remove-unused-variables-from-certifyx509.patch

@@ -0,0 +1,54 @@
+From 87120cf7fedcfc063ba5cd28ae4571909209a547 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgoldman@us.ibm.com>
+Date: Mon, 23 Aug 2021 17:30:56 -0400
+Subject: [PATCH 2/7] utils: Remove unused variables from certifyx509
+
+notBefore and notAfter are set driectly in the partialCertificate
+structure, and that is used to directly set the x509 structure.
+
+Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
+---
+ utils/certifyx509.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index ed42ac0..44640aa 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -204,6 +204,7 @@ int main(int argc, char *argv[])
+     setvbuf(stdout, 0, _IONBF, 0);      /* output may be going through pipe to log file */
+     TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ 
++    curveID = curveID;		/* no longer used, get from parent */
+     /* command line argument defaults */
+     for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ 	if (strcmp(argv[i],"-ho") == 0) {
+@@ -686,8 +687,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
+     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+-    ASN1_TIME 	*notBefore = NULL;
+-    ASN1_TIME 	*notAfter = NULL;
+     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
+ 
+     /* add issuer */
+@@ -717,8 +716,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	/* can't fail, just returns a structure member */
+-	notBefore = X509_get_notBefore(x509Certificate);
+ 	irc = X509_set1_notBefore(x509Certificate, partialCertificate->validity->notBefore);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notBefore time\n");
+@@ -737,7 +734,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	}
+     }
+     if (rc == 0) {
+-	notAfter = X509_get_notAfter(x509Certificate);
+ 	irc = X509_set1_notAfter(x509Certificate,partialCertificate->validity->notAfter);
+ 	if (irc == 0) {
+ 	    printf("createPartialCertificate: Error setting notAfter time\n");
+-- 
+2.34.1
+

0003-Update-certifyx509-for-Windows.patch

@@ -0,0 +1,99 @@
+From 1c462889a517d6dbab721aa3e0597878e9c237d5 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Wed, 25 Aug 2021 18:02:11 -0400
+Subject: [PATCH 3/7] : Update certifyx509 for Windows
+
+Add static_ to the ASN1_SEQUENCE_END macros to suppress a gcc warning.
+Change free to OPENSSL_free, required with i2d when OpenSSL is a dll.
+
+Remove the tmpx509i file handling from the .bat file since certifyx509
+no longer outputs it.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/certifyx509.c         | 10 +++++-----
+ utils/regtests/testx509.bat |  5 -----
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 44640aa..5602f62 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -94,7 +94,7 @@ typedef struct {
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT_VALIDITY) = {
+     ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notBefore, ASN1_TIME),
+     ASN1_SIMPLE(TPM_PARTIAL_CERT_VALIDITY, notAfter, ASN1_TIME),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT_VALIDITY)
+ 
+ /* the signature algorithm is optional while the extension list is mandatory */
+ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+@@ -103,7 +103,7 @@ ASN1_SEQUENCE(TPM_PARTIAL_CERT) = {
+     ASN1_SIMPLE(TPM_PARTIAL_CERT, validity, TPM_PARTIAL_CERT_VALIDITY),
+     ASN1_SIMPLE(TPM_PARTIAL_CERT, subject, X509_NAME),
+     ASN1_EXP_SEQUENCE_OF(TPM_PARTIAL_CERT, extensions, X509_EXTENSION, 3),
+-} ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
++} static_ASN1_SEQUENCE_END(TPM_PARTIAL_CERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_PARTIAL_CERT)
+@@ -122,7 +122,7 @@ ASN1_SEQUENCE(TPM_ADDTOCERT) = {
+     ASN1_SIMPLE(TPM_ADDTOCERT, serialNumber, ASN1_INTEGER),
+     ASN1_SIMPLE(TPM_ADDTOCERT, signatureAlgorithm, X509_ALGOR),
+     ASN1_SIMPLE(TPM_ADDTOCERT, key, X509_PUBKEY),
+-} ASN1_SEQUENCE_END(TPM_ADDTOCERT)
++} static_ASN1_SEQUENCE_END(TPM_ADDTOCERT)
+ 
+ DECLARE_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+ IMPLEMENT_ASN1_FUNCTIONS(TPM_ADDTOCERT)
+@@ -629,7 +629,7 @@ int main(int argc, char *argv[])
+ 	X509_free(x509Certificate);			/* @1 */
+     }
+     free(x509Der);					/* @2 */
+-    free(addToCert);					/* @3 */
++    OPENSSL_free(addToCert);				/* @3 */
+     return rc;
+ }
+ 
+@@ -808,7 +808,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ #endif
+     X509_NAME_free(x509IssuerName);	/* @1 */
+     X509_NAME_free(x509SubjectName);	/* @2 */
+-    free(tmpPartialDer);		/* @3 */
++    OPENSSL_free(tmpPartialDer);	/* @3 */
+     return rc;
+ }
+ 
+diff --git a/utils/regtests/testx509.bat b/utils/regtests/testx509.bat
+index 0951ad6..17b69f6 100644
+--- a/utils/regtests/testx509.bat
++++ b/utils/regtests/testx509.bat
+@@ -80,8 +80,6 @@ for /L %%i in (1,1,!L!) do (
+ 	exit /B 1
+     )
+ 
+-    rem # dumpasn1 -a -l -d     tmpx509i.bin > tmpx509i1.dump
+-    rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+     rem # dumpasn1 -a -l -d     tmppart1.bin > tmppart1.dump
+     rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+     rem # dumpasn1 -a -l -d     tmpadd1.bin  > tmpadd1.dump
+@@ -102,8 +100,6 @@ for /L %%i in (1,1,!L!) do (
+ 	exit /B 1
+     )
+ 
+-rem     # dumpasn1 -a -l -d     tmpx509i.bin > tmpx509i2.dump
+-rem     # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ rem     # dumpasn1 -a -l -d     tmppart2.bin > tmppart2.dump
+ rem     # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe 
+ rem     # dumpasn1 -a -l -d     tmpadd2.bin  > tmpadd2.dump
+@@ -446,7 +442,6 @@ rm tmpsig1.bin
+ rm tmpx5091.bin
+ rm tmpx5091.pem
+ rm tmpx5092.pem
+-rm tmpx509i.bin
+ rm tmppart2.bin
+ rm tmpadd2.bin
+ rm tmptbs2.bin
+-- 
+2.34.1
+

0004-utils-Clean-up-certifyx509-memory-allocation.patch

@@ -0,0 +1,111 @@
+From d77514273aa88f67b85c398a222ab2195c42f5fd Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Tue, 31 Aug 2021 13:45:21 -0400
+Subject: [PATCH 4/7] utils: Clean up certifyx509 memory allocation
+
+Make TPM_ADDTOCERT input const.  Annotate malloc and free calls.  Free
+TPM_PARTIAL_CERT.  Use TPM_ADDTOCERT_free.  Remove unused
+x509IssuerName and x509SubjectName and their frees.  Free
+TPM_PARTIAL_CERT issuer and subject because createX509Name() mallocs.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/certifyx509.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/utils/certifyx509.c b/utils/certifyx509.c
+index 5602f62..8ac5abd 100644
+--- a/utils/certifyx509.c
++++ b/utils/certifyx509.c
+@@ -147,7 +147,7 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *certificate,
+ TPM_RC reformCertificate(X509 			*x509Certificate,
+ 			 TPMI_ALG_HASH		halg,
+ 			 TPMI_ALG_SIG_SCHEME   	scheme,
+-			 TPM_ADDTOCERT		*addToCert,
++			 const TPM_ADDTOCERT	*addToCert,
+ 			 TPMT_SIGNATURE 	*tSignature);
+ TPM_RC addSignatureRsa(X509 		*x509Certificate,
+ 		       TPMI_ALG_HASH	halg,
+@@ -618,7 +618,7 @@ int main(int argc, char *argv[])
+     if (rc == 0) {
+ 	if (verbose) X509_print_fp(stdout, x509Certificate);	/* for debug */
+ 	rc = convertX509ToDer(&x509DerLength,
+-			      &x509Der,				/* freed @2 */
++			      &x509Der,				/* freed @4 */
+ 			      x509Certificate);
+     }
+     if ((rc == 0) && (outCertificateFilename != NULL)) {
+@@ -628,8 +628,13 @@ int main(int argc, char *argv[])
+     if (x509Certificate != NULL) {
+ 	X509_free(x509Certificate);			/* @1 */
+     }
+-    free(x509Der);					/* @2 */
+-    OPENSSL_free(addToCert);				/* @3 */
++    if (partialCertificate != NULL) {
++	TPM_PARTIAL_CERT_free(partialCertificate);	/* @2 */
++    }
++    if (addToCert != NULL) {
++	TPM_ADDTOCERT_free(addToCert);			/* @3 */
++    }
++    free(x509Der);					/* @4 */
+     return rc;
+ }
+ 
+@@ -683,8 +688,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     int		irc;
+     ASN1_TIME	*arc;			/* return code */
+ 
+-    X509_NAME 	*x509IssuerName = NULL;	/* composite issuer name, key/value pairs */
+-    X509_NAME 	*x509SubjectName = NULL;/* composite subject name, key/value pairs */
+     size_t	issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+     size_t	subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+     uint8_t 	*tmpPartialDer = NULL;	/* for the i2d */
+@@ -693,6 +696,9 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+     if (rc == 0) {
+ 	if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
+ 			    (unsigned long)issuerEntriesSize);
++	/* _new allocates the member.  free it because createX509Name() allocates a new structure */
++	X509_NAME_free(partialCertificate->issuer);
++	partialCertificate->issuer = NULL;
+ 	rc = createX509Name(&partialCertificate->issuer,	/* freed @1 */
+ 			    issuerEntriesSize,
+ 			    issuerEntries);
+@@ -746,6 +752,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	if (!subeqiss) {
+ 	    if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
+ 				(unsigned long)subjectEntriesSize);
++	    X509_NAME_free(partialCertificate->subject);
++	    partialCertificate->subject = NULL;
+ 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
+ 				subjectEntriesSize,
+ 				subjectEntries);
+@@ -754,6 +762,8 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	else {
+ 	    if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
+ 				(unsigned long)issuerEntriesSize);
++	    X509_NAME_free(partialCertificate->subject);
++	    partialCertificate->subject = NULL;
+ 	    rc = createX509Name(&partialCertificate->subject,	/* freed @2 */
+ 				issuerEntriesSize,
+ 				issuerEntries);
+@@ -806,8 +816,6 @@ TPM_RC createPartialCertificate(TPM_PARTIAL_CERT *partialCertificate,	/* input /
+ 	if (verbose) X509_print_fp(stdout, x509Certificate);
+     }
+ #endif
+-    X509_NAME_free(x509IssuerName);	/* @1 */
+-    X509_NAME_free(x509SubjectName);	/* @2 */
+     OPENSSL_free(tmpPartialDer);	/* @3 */
+     return rc;
+ }
+@@ -956,7 +964,7 @@ TPM_RC addPartialCertExtensionTpmaOid(TPM_PARTIAL_CERT  *partialCertificate,
+ TPM_RC reformCertificate(X509 			*x509Certificate,
+ 			 TPMI_ALG_HASH		halg,
+ 			 TPMI_ALG_SIG_SCHEME   	scheme,
+-			 TPM_ADDTOCERT		*addToCert,
++			 const TPM_ADDTOCERT	*addToCert,
+ 			 TPMT_SIGNATURE 	*tSignature)
+ {
+     TPM_RC 		rc = 0;
+-- 
+2.34.1
+

0005-utils-Fix-errors-detected-by-gcc-asan.patch

@@ -0,0 +1,91 @@
+From bcbc2f0400cfc2f596283e8c528aed4576bfea69 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Fri, 3 Sep 2021 14:58:20 -0400
+Subject: [PATCH 5/7] utils: Fix errors detected by gcc asan
+
+In Uint32_Convert(), case the byte to uint32_t before the left shift
+24 to suppress a warning.
+
+In TSS_EFI_GetNameIndex(), do not compare data if the length does not
+match, because this could cause a buffer overflow.  Test should be &&,
+not &.
+
+TSS_Delete should only memset sessionData if the pointer is not NULL.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/efilib.c   | 11 +++++++----
+ utils/eventlib.c | 10 +++++-----
+ utils/tss.c      |  6 ++++--
+ 3 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/utils/efilib.c b/utils/efilib.c
+index 201a1f5..ab8177b 100644
+--- a/utils/efilib.c
++++ b/utils/efilib.c
+@@ -399,16 +399,19 @@ static void TSS_EFI_GetNameIndex(size_t *index,
+ 				 const uint8_t *name,
+ 				 uint64_t nameLength)	/* half the total bytes in array */
+ {
+-    int m1,m2;
++    int m1 = 0;
++    int m2 = 0;
+     for (*index = 0 ;
+ 	 *index < sizeof(tagTable) / sizeof(TAG_TABLE)  ;
+ 	 (*index)++) {
+ 
+ 	/* length match */
+ 	m1 = (nameLength * 2) == tagTable[*index].nameLength;
+-	/* string match */
+-	m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
+-	if (m1 & m2) {
++	if (m1) {
++	    /* string match */
++	    m2 = memcmp(name, tagTable[*index].name, (size_t)(nameLength * 2)) == 0;
++	}
++	if (m1 && m2) {
+ 	    return;
+ 	}
+     }
+diff --git a/utils/eventlib.c b/utils/eventlib.c
+index 0c2801c..c56a22f 100644
+--- a/utils/eventlib.c
++++ b/utils/eventlib.c
+@@ -1346,12 +1346,12 @@ static uint32_t Uint32_Convert(uint32_t in)
+ {
+     uint32_t out = 0;
+     unsigned char *inb = (unsigned char *)&in;
+-    
++
+     /* little endian input */
+-    out = (inb[0] <<  0) |
+-	  (inb[1] <<  8) |
+-	  (inb[2] << 16) |
+-	  (inb[3] << 24);
++    out = ((((uint32_t)inb[0]) <<  0) |
++	   (((uint32_t)inb[1]) <<  8) |
++	   (((uint32_t)inb[2]) << 16) |
++	   (((uint32_t)inb[3]) << 24));
+     return out;
+ }
+ #endif /* TPM_TSS_NOFILE */
+diff --git a/utils/tss.c b/utils/tss.c
+index 574c448..6f0eede 100644
+--- a/utils/tss.c
++++ b/utils/tss.c
+@@ -179,8 +179,10 @@ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext)
+ 	    for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ 		tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
+ 		/* erase any secrets */
+-		memset(tssContext->sessions[i].sessionData,
+-		       0, tssContext->sessions[i].sessionDataLength);
++		if (tssContext->sessions[i].sessionData != NULL) {
++		    memset(tssContext->sessions[i].sessionData,
++			   0, tssContext->sessions[i].sessionDataLength);
++		}
+ 		free(tssContext->sessions[i].sessionData);
+ 		tssContext->sessions[i].sessionData = NULL;
+ 		tssContext->sessions[i].sessionDataLength = 0;
+-- 
+2.34.1
+

0006-tss-Port-HMAC-operations-to-openssl-3.0.patch

@@ -0,0 +1,103 @@
+From 7128994537a7103b25acb1df238db747d7cb3274 Mon Sep 17 00:00:00 2001
+From: Ken Goldman <kgold@linux.ibm.com>
+Date: Fri, 10 Sep 2021 16:33:10 -0400
+Subject: [PATCH 6/7] tss: Port HMAC operations to openssl 3.0
+
+Replace the deprecated APIs.
+
+- Compared to the next branch commit 6e22032d, changes related to HMAC are
+  ommited.
+
+Signed-off-by: Ken Goldman <kgold@linux.ibm.com>
+---
+ utils/tsscrypto.c | 58 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 21 deletions(-)
+
+diff --git a/utils/tsscrypto.c b/utils/tsscrypto.c
+index 23d3b6e..1974563 100644
+--- a/utils/tsscrypto.c
++++ b/utils/tsscrypto.c
+@@ -79,6 +79,7 @@ extern int tssVerbose;
+ 
+ /* local prototypes */
+ 
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg);
+ static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ 			     TPMI_ALG_HASH hashAlg);
+ 
+@@ -129,36 +130,51 @@ TPM_RC TSS_Crypto_Init(void)
+   Digests
+ */
+ 
+-static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+-			     TPMI_ALG_HASH hashAlg)
++/* TSS_Hash_GetString() maps from the TCG hash algorithm to the OpenSSL string */
++
++static TPM_RC TSS_Hash_GetOsslString(const char **str, TPMI_ALG_HASH hashAlg)
+ {
+-    TPM_RC		rc = 0;
++    TPM_RC	rc = 0;
+ 
+-    if (rc == 0) {
+-	switch (hashAlg) {
++    switch (hashAlg) {
+ #ifdef TPM_ALG_SHA1
+-	  case TPM_ALG_SHA1:
+-	    *md = EVP_get_digestbyname("sha1");
+-	    break;
++      case TPM_ALG_SHA1:
++	*str = "sha1";
++	break;
+ #endif
+-#ifdef TPM_ALG_SHA256	
+-	  case TPM_ALG_SHA256:
+-	    *md = EVP_get_digestbyname("sha256");
+-	    break;
++#ifdef TPM_ALG_SHA256
++      case TPM_ALG_SHA256:
++	*str = "sha256";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA384
+-	  case 	TPM_ALG_SHA384:
+-	    *md = EVP_get_digestbyname("sha384");
+-	    break;
++      case TPM_ALG_SHA384:
++	*str = "sha384";
++	break;
+ #endif
+ #ifdef TPM_ALG_SHA512
+-	  case 	TPM_ALG_SHA512:
+-	    *md = EVP_get_digestbyname("sha512");
+-	    break;
++      case TPM_ALG_SHA512:
++	*str = "sha512";
++	break;
+ #endif
+-	  default:
+-	    rc = TSS_RC_BAD_HASH_ALGORITHM;
+-	}
++      default:
++	*str = NULL;
++	rc = TSS_RC_BAD_HASH_ALGORITHM;
++    }
++    return rc;
++}
++
++static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
++			     TPMI_ALG_HASH hashAlg)
++{
++    TPM_RC		rc = 0;
++    const char 		*str = NULL; 
++
++    if (rc == 0) {
++	rc =  TSS_Hash_GetOsslString(&str, hashAlg);
++    }
++    if (rc == 0) {
++	*md = EVP_get_digestbyname(str);
+     }
+     return rc;
+ }
+-- 
+2.34.1
+

tss2.spec

@@ -7,7 +7,7 @@
 
 Name:		tss2
 Version:	1.6.0
-Release:	4%{?dist}
+Release:	5%{?dist}
 Epoch:	        1
 Summary:	IBM's TCG Software Stack (TSS) for TPM 2.0 and related utilities
 
@@ -15,6 +15,13 @@ License:	BSD
 URL:		http://sourceforge.net/projects/ibmtpm20tss/
 Source0:	https://sourceforge.net/projects/ibmtpm20tss/files/ibmtss%{version}.tar.gz
 Patch0:         tss2-1.6.0-manpage-cleanup.patch
+Patch1:		0001-utils-Update-certifyx509-for-Openssl-3.0.0.patch
+Patch2:		0002-utils-Remove-unused-variables-from-certifyx509.patch
+Patch3:		0003-Update-certifyx509-for-Windows.patch
+Patch4:		0004-utils-Clean-up-certifyx509-memory-allocation.patch
+Patch5:		0005-utils-Fix-errors-detected-by-gcc-asan.patch
+Patch6:		0006-tss-Port-HMAC-operations-to-openssl-3.0.patch
+Patch7:		0007-utils-Port-to-openssl-3.0.0-replaces-RSA-with-EVP_PK.patch
 
 BuildRequires: automake
 BuildRequires: autoconf
@@ -70,6 +77,11 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %doc ibmtss.doc
 
 %changelog
+* Fri Jan 28 2022 Stepan Horacek <shoracek@redhat.com> - 1:1.6.0-5
+- Fix failures introduced with OpenSSL 3
+  Resolves: rhbz#1984621
+  Resolves: rhbz#1992339
+
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.6.0-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688