openssl-tpm-engine: add package

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-02 13:30:33 +00:00 · 2017-10-08 10:24:48 -07:00
parent ef1e8d9144
commit aeb9e6c571
6 changed files with 570 additions and 0 deletions
@@ -0,0 +1,99 @@
 commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
 Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
 Date:   Wed Jun 19 18:57:13 2013 +0800
 support well-known password in openssl-tpm-engine.
 Add "-z" option to select well known password in create_tpm_key tool.
 Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
 diff --git a/create_tpm_key.c b/create_tpm_key.c
 index fee917f..7b94d62 100644
 --- a/create_tpm_key.c
 +++ b/create_tpm_key.c
@@ -46,6 +46,8 @@
 #include <trousers/tss.h>
 #include <trousers/trousers.h>
 +#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
 +
 #define print_error(a,b) \
 	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
 		a, b, Trspi_Error_String(b))
@@ -70,6 +72,7 @@ usage(char *argv0)
 		"\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
 		"\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
 		"\t\t-s|--key-size    key size in bits [2048]\n"
 +		"\t\t-z|--zerokey     use well known 20 bytes zero as SRK password.\n"
 		"\t\t-a|--auth        require a password for the key [NO]\n"
 		"\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
 		"for the\n\t\t\t\t key [NO] (implies --auth)\n"
@@ -147,6 +150,7 @@ int main(int argc, char **argv)
 	int		asn1_len;
 	char		*filename, c, *openssl_key = NULL;
 	int		option_index, auth = 0, popup = 0, wrap = 0;
 +	int		wellknownkey = 0;
 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
 	UINT32		sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
 	UINT32		key_size = 2048;
@@ -154,12 +158,15 @@ int main(int argc, char **argv)
 	while (1) {
 		option_index = 0;
 -		c = getopt_long(argc, argv, "pe:q:s:ahw:",
 +		c = getopt_long(argc, argv, "pe:q:s:zahw:",
 				long_options, &option_index);
 		if (c == -1)
 			break;
 		switch (c) {
 +			case 'z':
 +				wellknownkey = 1;
 +				break;
 			case 'a':
 				initFlags |= TSS_KEY_AUTHORIZATION;
 				auth = 1;
@@ -293,6 +300,8 @@ int main(int argc, char **argv)
 	if (srk_authusage) {
 		char *authdata = calloc(1, 128);
 +		TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
 +		int authlen = 0;
 		if (!authdata) {
 			fprintf(stderr, "malloc failed.\n");
@@ -309,17 +318,26 @@ int main(int argc, char **argv)
 			exit(result);
 		}
 -		if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
 -			Tspi_Context_CloseObject(hContext, hKey);
 -			Tspi_Context_Close(hContext);
 -			free(authdata);
 -			exit(result);
 +		if (wellknownkey) {
 +			memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
 +			secretMode = TSS_SECRET_MODE_SHA1;
 +			authlen = TPM_WELL_KNOWN_KEY_LEN;
 +		}
 +		else {
 +			if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
 +				Tspi_Context_CloseObject(hContext, hKey);
 +				Tspi_Context_Close(hContext);
 +				free(authdata);
 +				exit(result);
 +			}
 +			secretMode = TSS_SECRET_MODE_PLAIN;
 +			authlen = strlen(authdata);
 		}
 		//Set Secret
 		if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
 -						    TSS_SECRET_MODE_PLAIN,
 -						    strlen(authdata),
 +						    secretMode,
 +						    authlen,
 						    (BYTE *)authdata))) {
 			print_error("Tspi_Policy_SetSecret", result);
 			free(authdata);
@@ -0,0 +1,80 @@
 commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
 Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
 Date:   Wed Jun 19 18:57:13 2013 +0800
 support reading SRK password from env TPM_SRK_PW
 Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
 use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
 Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
 diff --git a/e_tpm.c b/e_tpm.c
 index f3e8bcf..7dcb75a 100644
 --- a/e_tpm.c
 +++ b/e_tpm.c
@@ -38,6 +38,8 @@
 #include "e_tpm.h"
 +#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
 +
 //#define DLOPEN_TSPI
 #ifndef OPENSSL_NO_HW
@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 	TSS_RESULT result;
 	UINT32 authusage;
 	BYTE *auth;
 +	char *srkPasswd = NULL;
 +	TSS_FLAG secretMode = secret_mode;
 +	int authlen = 0;
 +
 	if (hSRK != NULL_HKEY) {
 		DBGFN("SRK is already loaded.");
@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 		return 0;
 	}
 -	if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
 -				cb_data)) {
 -		Tspi_Context_CloseObject(hContext, hSRK);
 -		free(auth);
 -		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 -		return 0;
 +	srkPasswd = getenv("TPM_SRK_PW");
 +	if (NULL != srkPasswd) {
 +		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
 +			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
 +			secretMode = TSS_SECRET_MODE_SHA1;
 +			authlen = TPM_WELL_KNOWN_KEY_LEN;
 +		} else {
 +			int authbuflen = 128;
 +			memset(auth, 0, authbuflen);
 +			strncpy(auth, srkPasswd, authbuflen-1);
 +			secretMode = TSS_SECRET_MODE_PLAIN;
 +			authlen = strlen(auth);
 +		}
 +	}
 +	else {
 +		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
 +				"SRK authorization: ", cb_data)) {
 +			Tspi_Context_CloseObject(hContext, hSRK);
 +			free(auth);
 +			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 +			return 0;
 +		}
 +		secretMode = secret_mode;
 +		authlen = strlen(auth);
 	}
 	/* secret_mode is a global that may be set by engine ctrl
 	 * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
 -	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
 -					      strlen((char *)auth), auth))) {
 +	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
 +					      authlen, auth))) {
 		Tspi_Context_CloseObject(hContext, hSRK);
 		free(auth);
 		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
@@ -0,0 +1,25 @@
 From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Mon, 19 Jun 2017 14:54:28 +0800
 Subject: [PATCH] Fix not building libtpm.la
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 Makefile.am | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/Makefile.am b/Makefile.am
 index 6695656..634a7e6 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
 libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
 create_tpm_key_SOURCES=create_tpm_key.c
 -create_tpm_key_LDADD=-ltspi
 +create_tpm_key_LDFLAGS=-ltspi
 +
 +LDADD=libtpm.la
 -- 
 2.7.5
@@ -0,0 +1,254 @@
 From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
 From: Limeng <Meng.Li@windriver.com>
 Date: Fri, 23 Jun 2017 11:39:04 +0800
 Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
 from env
 Before, we support reading SRK password from env TPM_SRK_PW,
 but it is a plain password and not secure.
 So, we improve it and support to get an encrypted (AES algorithm)
 SRK password from env, and then parse it. The default decrypting
 AES password and salt is set in bb file.
 When we initialize TPM, and set a SRK pw, and then we need to
 encrypt it with the same AES password and salt by AES algorithm.
 At last, we set a env as below:
 export TPM_SRK_ENC_PW=xxxxxxxx
 "xxxxxxxx" is the encrypted SRK password for libtpm.so.
 Signed-off-by: Meng Li <Meng.Li@windriver.com>
 ---
 e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 e_tpm.h     |   4 ++
 e_tpm_err.c |   4 ++
 3 files changed, 164 insertions(+), 1 deletion(-)
 diff --git a/e_tpm.c b/e_tpm.c
 index 7dcb75a..11bf74b 100644
 --- a/e_tpm.c
 +++ b/e_tpm.c
@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
 	ERR_clear_error();
 }
 +static int tpm_decode_base64(unsigned char *indata,
 +				int in_len,
 +				unsigned char *outdata,
 +				int *out_len)
 +{
 +	int total_len, len, ret;
 +	EVP_ENCODE_CTX dctx;
 +
 +	EVP_DecodeInit(&dctx);
 +
 +	total_len = 0;
 +	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
 +	if (ret < 0) {
 +		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
 +		return 1;
 +	}
 +
 +	total_len += len;
 +	ret = EVP_DecodeFinal(&dctx, outdata, &len);
 +	if (ret < 0) {
 +		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
 +		return 1;
 +	}
 +	total_len += len;
 +
 +	*out_len = total_len;
 +
 +	return 0;
 +}
 +
 +static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
 +				unsigned char *outdata,
 +				int *out_len)
 +{
 +	int dec_data_len, dec_data_lenfinal;
 +	unsigned char dec_data[256];
 +	unsigned char *aes_pw;
 +	unsigned char aes_salt[PKCS5_SALT_LEN];
 +	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
 +	const EVP_CIPHER *cipher = NULL;
 +	const EVP_MD *dgst = NULL;
 +	EVP_CIPHER_CTX *ctx = NULL;
 +
 +	if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		return 1;
 +	}
 +
 +	aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
 +	if (aes_pw == NULL) {
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		return 1;
 +	}
 +
 +	memset(aes_salt, 0x00, sizeof(aes_salt));
 +	memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
 +	memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
 +
 +	cipher = EVP_get_cipherbyname("aes-128-cbc");
 +	if (cipher == NULL) {
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		free(aes_pw);
 +		return 1;
 +	}
 +	dgst = EVP_sha256();
 +
 +	EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
 +
 +	ctx = EVP_CIPHER_CTX_new();
 +	/* Don't set key or IV right away; we want to check lengths */
 +	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		free(aes_pw);
 +		return 1;
 +	}
 +
 +	OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
 +	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
 +
 +	if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		free(aes_pw);
 +		return 1;
 +	}
 +
 +	if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
 +		/* Error */
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		free(aes_pw);
 +		EVP_CIPHER_CTX_free(ctx);
 +		return 1;
 +	}
 +
 +	if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
 +		/* Error */
 +		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
 +		free(aes_pw);
 +		EVP_CIPHER_CTX_free(ctx);
 +		return 1;
 +	}
 +
 +	dec_data_len = dec_data_len + dec_data_lenfinal;
 +
 +	memcpy(outdata, dec_data, dec_data_len);
 +	*out_len = dec_data_len;
 +
 +	free(aes_pw);
 +	EVP_CIPHER_CTX_free(ctx);
 +
 +	return 0;
 +}
 +
 int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 {
 	TSS_RESULT result;
@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 		return 0;
 	}
 -	srkPasswd = getenv("TPM_SRK_PW");
 +	srkPasswd = getenv("TPM_SRK_ENC_PW");
 	if (NULL != srkPasswd) {
 +		int in_len = strlen(srkPasswd);
 +		int out_len;
 +		unsigned char *out_buf;
 +
 +		if (!in_len || in_len % 4) {
 +			Tspi_Context_CloseObject(hContext, hSRK);
 +			free(auth);
 +			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 +			return 0;
 +		}
 +
 +		out_len = in_len * 3 / 4;
 +		out_buf = malloc(out_len);
 +		if (NULL == out_buf) {
 +			Tspi_Context_CloseObject(hContext, hSRK);
 +			free(auth);
 +			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 +			return 0;
 +		}
 +
 +		if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
 +					out_buf, &out_len)) {
 +			Tspi_Context_CloseObject(hContext, hSRK);
 +			free(auth);
 +			free(out_buf);
 +			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 +			return 0;
 +		}
 +
 +		if (tpm_decrypt_srk_pw(out_buf, out_len,
 +							auth, &authlen)) {
 +			Tspi_Context_CloseObject(hContext, hSRK);
 +			free(auth);
 +			free(out_buf);
 +			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
 +			return 0;
 +		}
 +		secretMode = TSS_SECRET_MODE_PLAIN;
 +		free(out_buf);
 +	}
 +#ifdef TPM_SRK_PLAIN_PW
 +	else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
 		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
 			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
 			secretMode = TSS_SECRET_MODE_SHA1;
@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
 			authlen = strlen(auth);
 		}
 	}
 +#endif
 	else {
 		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
 				"SRK authorization: ", cb_data)) {
 diff --git a/e_tpm.h b/e_tpm.h
 index 6316e0b..56ff202 100644
 --- a/e_tpm.h
 +++ b/e_tpm.h
@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
 #define TPM_F_TPM_FILL_RSA_OBJECT		116
 #define TPM_F_TPM_ENGINE_GET_AUTH		117
 #define TPM_F_TPM_CREATE_SRK_POLICY		118
 +#define TPM_F_TPM_DECODE_BASE64			119
 +#define TPM_F_TPM_DECRYPT_SRK_PW		120
 /* Reason codes. */
 #define TPM_R_ALREADY_LOADED			100
@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
 #define TPM_R_ID_INVALID			125
 #define TPM_R_UI_METHOD_FAILED			126
 #define TPM_R_UNKNOWN_SECRET_MODE		127
 +#define TPM_R_DECODE_BASE64_FAILED		128
 +#define TPM_R_DECRYPT_SRK_PW_FAILED		129
 /* structure pointed to by the RSA object's app_data pointer */
 struct rsa_app_data
 diff --git a/e_tpm_err.c b/e_tpm_err.c
 index 25a5d0f..439e267 100644
 --- a/e_tpm_err.c
 +++ b/e_tpm_err.c
@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
 	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
 	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
 	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
 +	{ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
 +	{ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
 	{0, NULL}
 };
@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
 	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
 	{TPM_R_ID_INVALID, "engine id doesn't match"},
 	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
 +	{TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
 +	{TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
 	{0, NULL}
 };
 -- 
 2.9.3
@@ -0,0 +1,34 @@
 From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
 From: Limeng <Meng.Li@windriver.com>
 Date: Fri, 21 Jul 2017 16:32:02 +0800
 Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
 into int
 refer to getopt_long() function definition, its return value type is
 int. So, change variable c type from char into int.
 On arm platform, when getopt_long() calling fails, if we define c as
 char type, its value will be 255, not -1. This will cause code enter
 wrong case.
 Signed-off-by: Meng Li <Meng.Li@windriver.com>
 ---
 create_tpm_key.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/create_tpm_key.c b/create_tpm_key.c
 index 7b94d62..f30af90 100644
 --- a/create_tpm_key.c
 +++ b/create_tpm_key.c
@@ -148,7 +148,8 @@ int main(int argc, char **argv)
 	ASN1_OCTET_STRING *blob_str;
 	unsigned char	*blob_asn1 = NULL;
 	int		asn1_len;
 -	char		*filename, c, *openssl_key = NULL;
 +	char		*filename, *openssl_key = NULL;
 +	int		c;
 	int		option_index, auth = 0, popup = 0, wrap = 0;
 	int		wellknownkey = 0;
 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
 -- 
 1.7.9.5
@@ -0,0 +1,78 @@
 DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
 HOMEPAGE = "https://sourceforge.net/projects/trousers/"
 SECTION = "security/tpm"
 LICENSE = "openssl"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
 DEPENDS += "openssl trousers"
 SRC_URI = "\
    git://git.code.sf.net/p/trousers/openssl_tpm_engine \
    file://0001-create-tpm-key-support-well-known-key-option.patch \
    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
    file://0003-Fix-not-building-libtpm.la.patch \
    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
 "
 SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
 S = "${WORKDIR}/git"
 inherit autotools-brokensep
 # The definitions below are used to decrypt the srk password.
 # It is allowed to define the values in 3 forms: string, hex number and
 # the hybrid, e.g,
 # srk_dec_pw = "incendia"
 # srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
 # srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
 #
 # Due to the limit of escape character, the hybrid must be written in
 # above style. The actual values defined below in C code style are:
 # srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
 # srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
 srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
 srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
 CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
 # Uncomment below line if using the plain srk password for development
 #CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
 do_configure_prepend() {
    cd "${S}"
    cp LICENSE COPYING
    touch NEWS AUTHORS ChangeLog
 }
 do_install_append() {
    install -m 0755 -d "${D}${libdir}/engines"
    install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
    install -m 0755 -d "${D}${libdir}/ssl/engines"
    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
    mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
    mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
    rm -rf "${D}${libdir}/openssl"
 }
 FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
 FILES_${PN}-dbg += "\
    ${libdir}/ssl/engines/.debug \
    ${libdir}/engines/.debug \
    ${prefix}/local/ssl/lib/engines/.debug \
 "
 FILES_${PN} += "\
    ${libdir}/ssl/engines/libtpm.so* \
    ${libdir}/engines/libtpm.so* \
    ${libdir}/libtpm.so* \
    ${prefix}/local/ssl/lib/engines/libtpm.so* \
 "
 RDEPENDS_${PN} += "libcrypto libtspi"
 INSANE_SKIP_${PN} = "libdir"
 INSANE_SKIP_${PN}-dbg = "libdir"