diff -Nru tpm2-tss-2.3.2/debian/changelog tpm2-tss-2.3.2/debian/changelog
--- tpm2-tss-2.3.2/debian/changelog 2020-01-19 09:21:48.000000000 +0000
+++ tpm2-tss-2.3.2/debian/changelog 2022-07-30 00:06:05.000000000 +0000
@@ -1,3 +1,13 @@
+tpm2-tss (2.3.2-1ubuntu0.20.04.1) focal; urgency=medium
+
+ * Fix LP: #1983160 - Cannot start a salted session using an RSA key in
+ FIPS mode
+ - add debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch
+ - add debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch
+ - update debian/patches/series
+
+ -- Chris Coulson Sat, 30 Jul 2022 01:06:05 +0100
+
 tpm2-tss (2.3.2-1) unstable; urgency=low
 
 [ Ying-Chun Liu (PaulLiu) ]
diff -Nru tpm2-tss-2.3.2/debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch tpm2-tss-2.3.2/debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch
--- tpm2-tss-2.3.2/debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch 1970-01-01 00:00:00.000000000 +0000
+++ tpm2-tss-2.3.2/debian/patches/0001-Drop-support-for-OpenSSL-1.1.0.patch 2022-07-30 00:06:05.000000000 +0000
@@ -0,0 +1,76 @@
+From db77cc47cd36ca5bc26b6bf4557565569ae7bd74 Mon Sep 17 00:00:00 2001
+From: Chris Coulson
+Date: Fri, 22 Jul 2022 14:26:43 +0100
+Subject: [PATCH 1/2] Drop support for OpenSSL < 1.1.0
+
+Delete code written to support OpenSSL < 1.1.0
+
+Delete functions that have no effect in OpenSSL >= 1.1.0
+ - ENGINE_load_builtin_engines()
+ - OpenSSL_add_all_algorithms()
+---
+ src/tss2-esys/esys_crypto_ossl.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 12450196..84d2f88e 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -510,11 +510,7 @@ iesys_cryptossl_random2b(TPM2B_NONCE * nonce, size_t num_bytes)
+ nonce->size = num_bytes;
+ }
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RAND_set_rand_method(RAND_OpenSSL());
+-#else
+- RAND_set_rand_method(RAND_SSLeay());
+-#endif
+ if (1 != RAND_bytes(&nonce->buffer[0], nonce->size)) {
+ RAND_set_rand_method(rand_save);
+ return_error(TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -548,11 +544,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ size_t * out_size, const char *label)
+ {
+ const RAND_METHOD *rand_save = RAND_get_rand_method();
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ RAND_set_rand_method(RAND_OpenSSL());
+-#else
+- RAND_set_rand_method(RAND_SSLeay());
+-#endif
+
+ TSS2_RC r = TSS2_RC_SUCCESS;
+ const EVP_MD * hashAlg = NULL;
+@@ -615,14 +607,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Could not create evp key.", cleanup);
+ }
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+- if (!BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+- pub_tpm_key->publicArea.unique.rsa.size,
+- rsa_key->n)) {
+- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+- "Could not create rsa n.", cleanup);
+- }
+-#else
+ BIGNUM *n = NULL;
+ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+ pub_tpm_key->publicArea.unique.rsa.size,
+@@ -635,7 +619,6 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Could not set rsa n.", cleanup);
+ }
+-#endif
+
+ if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -1114,7 +1097,5 @@ iesys_cryptossl_sym_aes_decrypt(uint8_t * key,
+ */
+ TSS2_RC
+ iesys_cryptossl_init() {
+- ENGINE_load_builtin_engines();
+- OpenSSL_add_all_algorithms();
+ return TSS2_RC_SUCCESS;
+ }
+--
+2.35.1
+
diff -Nru tpm2-tss-2.3.2/debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch tpm2-tss-2.3.2/debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch
--- tpm2-tss-2.3.2/debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch 1970-01-01 00:00:00.000000000 +0000
+++ tpm2-tss-2.3.2/debian/patches/0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch 2022-07-30 00:06:05.000000000 +0000
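Review bot: With the `OPENSSL_VERSION_NUMBER` conditionals removed in patch 0001, nothing in these hunks makes a build against OpenSSL older than 1.1.0 fail with a clear message. Unless the build system already enforces the minimum version (not visible here), I would add `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#error "OpenSSL >= 1.1.0 is required"` / `#endif` after the OpenSSL includes. The description calls both calls removed from `iesys_cryptossl_init()` no-ops, but as far as I know `ENGINE_load_builtin_engines()` is still an explicit engine-registration request in 1.1.x, so it is worth confirming that no consumer relied on ESYS registering engines as a side effect. `iesys_cryptossl_init()` is now an empty stub and its doc comment starts outside the hunk; if that comment still describes initialisation work it should be updated.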
@@ -0,0 +1,75 @@
+From 1d4159bd49484f77b5b8621ee08eb8fff61a393d Mon Sep 17 00:00:00 2001
+From: Chris Coulson
+Date: Fri, 22 Jul 2022 14:30:53 +0100
+Subject: [PATCH 2/2] Fix RSA secret sharing in FIPS mode
+
+iesys_cryptossl_pk_encrypt generates an RSA key and then overwrites the
+public modulus with the one associated with the TPM key. The problem with
+this is that in FIPS mode, openssl performs a test on the generated key
+which results in the Montgomery value associated with the generated public
+modulus being cached. This cached value is not updated when the public
+modulus is changed and is used during the subsequent encryption operation.
+
+Openssl has a flag to control this behaviour, but it's better to just avoid
+performing an unnecessary key generation in the first place.
+---
+ src/tss2-esys/esys_crypto_ossl.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/src/tss2-esys/esys_crypto_ossl.c b/src/tss2-esys/esys_crypto_ossl.c
+index 84d2f88e..2d86cb58 100644
+--- a/src/tss2-esys/esys_crypto_ossl.c
++++ b/src/tss2-esys/esys_crypto_ossl.c
+@@ -551,7 +551,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ RSA * rsa_key = NULL;
+ EVP_PKEY *evp_rsa_key = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+- BIGNUM* bne = NULL;
++ BIGNUM *bne = NULL, *n = NULL;
+ int padding;
+ char *label_copy = NULL;
+
+@@ -596,18 +596,10 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ "Could not allocate RSA key", cleanup);
+ }
+
+- if (1 != RSA_generate_key_ex(rsa_key,
+- pub_tpm_key->publicArea.parameters.rsaDetail.keyBits,
+- bne, NULL)) {
+- goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE, "Could not generate RSA key",
+- cleanup);
+- }
+-
+ if (!(evp_rsa_key = EVP_PKEY_new())) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Could not create evp key.", cleanup);
+ }
+- BIGNUM *n = NULL;
+ if (!(n = BN_bin2bn(pub_tpm_key->publicArea.unique.rsa.buffer,
+ pub_tpm_key->publicArea.unique.rsa.size,
+ NULL))) {
+@@ -615,10 +607,12 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ "Could not create rsa n.", cleanup);
+ }
+
+- if (1 != RSA_set0_key(rsa_key, n, NULL, NULL)) {
++ if (1 != RSA_set0_key(rsa_key, n, bne, NULL)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+ "Could not set rsa n.", cleanup);
+ }
++ n = NULL;
++ bne = NULL;
+
+ if (1 != EVP_PKEY_set1_RSA(evp_rsa_key, rsa_key)) {
+ goto_error(r, TSS2_ESYS_RC_GENERAL_FAILURE,
+@@ -681,6 +675,7 @@ iesys_cryptossl_pk_encrypt(TPM2B_PUBLIC * pub_tpm_key,
+ OSSL_FREE(evp_rsa_key, EVP_PKEY);
+ OSSL_FREE(rsa_key, RSA);
+ OSSL_FREE(bne, BN);
++ OSSL_FREE(n, BN);
+ RAND_set_rand_method(rand_save);
+ return r;
+ }
+--
+2.35.1
+
diff -Nru tpm2-tss-2.3.2/debian/patches/series tpm2-tss-2.3.2/debian/patches/series
--- tpm2-tss-2.3.2/debian/patches/series 2020-01-19 09:20:52.000000000 +0000
+++ tpm2-tss-2.3.2/debian/patches/series 2022-07-30 00:06:05.000000000 +0000
@@ -1 +1,3 @@
 fix_pkg-config-bad-directive.patch
+0001-Drop-support-for-OpenSSL-1.1.0.patch
+0002-Fix-RSA-secret-sharing-in-FIPS-mode.patch
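Review bot: The `n = NULL; bne = NULL;` lines added after `RSA_set0_key()` in patch 0002 are what stop the new `OSSL_FREE(n, BN)` and the existing `OSSL_FREE(bne, BN)` from freeing BIGNUMs that `rsa_key` owns after a successful call, yet nothing in the code says so. Assuming the success path also runs the cleanup block (its label is outside the hunk), a later tidy-up that drops those two assignments would free both values a second time. I would add a comment above them such as `/* rsa_key owns n and bne after a successful RSA_set0_key(); clear the locals so cleanup does not free them again */`. The failure message on that call still reads "Could not set rsa n." although the call now sets the exponent as well; `"Could not set rsa n and e."` would match. `bne` is created outside these hunks, so its construction could not be checked here.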