Skip to content

Commit 718a7a3

Browse files
tobiasb-msCopilot
authored andcommitted
feat(SymCrypt-OpenSSL): onboard SymCrypt-OpenSSL to Azure Linux 4.0
SymCrypt-OpenSSL (SCOSSL) has no upstream Azure Linux 4.0 package, so this ports it from 3.0. It builds and runs against the SymCrypt component in this repo. Starting from the pristine AZL3 spec, the targeted changes for 4.0 are: - Changed the contents and location of the config file so openssl automatically picks up the provider. - Patch out the SslPlay smoke test's SHA-1 RSA sign/verify cases, which fail because Azure Linux's default crypto policy disables SHA-1 signatures. - Manage release and changelog with rpmautospec. - Switch to %cmake* macros where possible. Upgraded to 1.9.6 in the same pass, which is required to build against SymCrypt 103.11.0 (it drops SymCrypt's internal UINT type, removed upstream in 103.11.0). Upstream had not updated the provider version string so patched that. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent b9ded39 commit 718a7a3

13 files changed

Lines changed: 629 additions & 0 deletions
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
From 115f648995926362080f05fe80d670ed6494ce5c Mon Sep 17 00:00:00 2001
2+
From: Tobias Brick <tobiasb@microsoft.com>
3+
Date: Fri, 26 Jun 2026 14:53:36 +0000
4+
Subject: [PATCH 1/2] Register the SymCrypt provider in [provider_sect] for
5+
config drop-in
6+
7+
Add a [provider_sect] stanza to symcrypt_prov.cnf that maps the
8+
symcryptprovider module to the existing [symcrypt_prov_sect]. OpenSSL
9+
merges same-named [provider_sect] sections across config includes, so
10+
with this in place, dropping symcrypt_prov.cnf into the OpenSSL config
11+
drop-in directory is enough to register and activate the provider; no
12+
edit to the main openssl.cnf is required.
13+
14+
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
15+
---
16+
SymCryptProvider/symcrypt_prov.cnf | 8 ++++++++
17+
1 file changed, 8 insertions(+)
18+
19+
diff --git a/SymCryptProvider/symcrypt_prov.cnf b/SymCryptProvider/symcrypt_prov.cnf
20+
index b0afe42..50b5c3a 100644
21+
--- a/SymCryptProvider/symcrypt_prov.cnf
22+
+++ b/SymCryptProvider/symcrypt_prov.cnf
23+
@@ -4,6 +4,14 @@
24+
# value assigned does not matter, and the provider will be
25+
# activated as long as the "activate" key is present.
26+
27+
+# Register the provider with libcrypto. This [provider_sect] is merged into
28+
+# the one in the main openssl.cnf, so dropping this file into the OpenSSL
29+
+# config drop-in directory is enough to make the provider available. The key
30+
+# (symcryptprovider) is the module name OpenSSL loads (symcryptprovider.so);
31+
+# it maps to the [symcrypt_prov_sect] configuration below.
32+
+[provider_sect]
33+
+symcryptprovider = symcrypt_prov_sect
34+
+
35+
[symcrypt_prov_sect]
36+
activate = 1
37+
identity = symcryptprovider
38+
--
39+
2.52.0
40+
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
From 4a0dc44dc83cc86f92feac65175fa1370c30efc2 Mon Sep 17 00:00:00 2001
2+
From: Tobias Brick <tobiasb@microsoft.com>
3+
Date: Fri, 26 Jun 2026 14:54:02 +0000
4+
Subject: [PATCH 2/2] Skip SHA-1 RSA sign/verify smoke tests disabled by crypto
5+
policy
6+
7+
Azure Linux ships the Red Hat "allow disabling of SHA-1 signatures"
8+
OpenSSL patch, and its default crypto policy disables SHA-1 signature
9+
creation and verification. The SslPlay smoke test exercised RSA-PKCS1
10+
sign/verify with SHA-1, which now fails with
11+
"evp_pkey_ctx_set_md: invalid digest" even under the default provider.
12+
13+
Remove the two SHA-1 RSA sign/verify cases so the smoke test reflects
14+
what the platform actually permits. SHA-1 used purely as a hash (the
15+
digest state-export and SSH-KDF cases) is unaffected, as the policy
16+
only restricts SHA-1 signatures.
17+
18+
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
19+
---
20+
SslPlay/SslPlay.cpp | 8 ++++++--
21+
1 file changed, 6 insertions(+), 2 deletions(-)
22+
23+
diff --git a/SslPlay/SslPlay.cpp b/SslPlay/SslPlay.cpp
24+
index cb822a5..8cc626f 100644
25+
--- a/SslPlay/SslPlay.cpp
26+
+++ b/SslPlay/SslPlay.cpp
27+
@@ -1059,7 +1059,9 @@ void TestRsaEvp(int modulus, uint32_t exponent)
28+
29+
TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_MD5", EVP_md5(), 16);
30+
#endif
31+
- TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha1", EVP_sha1(), 20);
32+
+ // SHA-1 signature creation and verification are disabled by the default
33+
+ // crypto policy on Azure Linux (which ships the Red Hat "allow disabling of
34+
+ // SHA-1 signatures" OpenSSL patch), so this case is omitted.
35+
TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha256", EVP_sha256(), 32);
36+
TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha384", EVP_sha384(), 48);
37+
TestRsaSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha512", EVP_sha512(), 64);
38+
@@ -1079,7 +1081,9 @@ void TestRsaEvp(int modulus, uint32_t exponent)
39+
#if OPENSSL_VERSION_MAJOR == 1
40+
TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_MD5", EVP_md5());
41+
#endif
42+
- TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha1", EVP_sha1());
43+
+ // SHA-1 signature creation and verification are disabled by the default
44+
+ // crypto policy on Azure Linux (which ships the Red Hat "allow disabling of
45+
+ // SHA-1 signatures" OpenSSL patch), so this case is omitted.
46+
TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha256", EVP_sha256());
47+
TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha384", EVP_sha384());
48+
TestRsaDigestSignVerify(privateKey, publicKey, "RSA_PKCS1_PADDING", RSA_PKCS1_PADDING, 0, "EVP_sha512", EVP_sha512());
49+
--
50+
2.52.0
51+
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
From 9fc7d0510476acb5aa495e59c9b34248f3363ab2 Mon Sep 17 00:00:00 2001
2+
From: Tobias Brick <tobiasb@microsoft.com>
3+
Date: Fri, 26 Jun 2026 16:31:49 +0000
4+
Subject: [PATCH] Bump project version to 1.9.6 to match release tag
5+
6+
The v1.9.6 release tag was created without updating the CMake project
7+
version, so the provider still reports 1.9.5 via OSSL_PROV_PARAM_VERSION
8+
(e.g. in `openssl list -providers`). Bump it to match the tag.
9+
10+
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
11+
---
12+
CMakeLists.txt | 2 +-
13+
1 file changed, 1 insertion(+), 1 deletion(-)
14+
15+
diff --git a/CMakeLists.txt b/CMakeLists.txt
16+
index c09a03b..a75e7e0 100644
17+
--- a/CMakeLists.txt
18+
+++ b/CMakeLists.txt
19+
@@ -1,7 +1,7 @@
20+
cmake_minimum_required(VERSION 3.13.0)
21+
22+
project(SymCrypt-OpenSSL
23+
- VERSION 1.9.5
24+
+ VERSION 1.9.6
25+
DESCRIPTION "The SymCrypt engine and provider for OpenSSL (SCOSSL)"
26+
HOMEPAGE_URL "https://github.com/microsoft/SymCrypt-OpenSSL")
27+
28+
--
29+
2.52.0
30+
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
[components.SymCrypt-OpenSSL]
2+
spec = { type = "local", path = "SymCrypt-OpenSSL.spec" }
3+
4+
[[components.SymCrypt-OpenSSL.source-files]]
5+
filename = "SymCrypt-OpenSSL-1.9.6.tar.gz"
6+
hash = "a6ba9b154a24c7d47a0d3b6e58f986f33650db6d2151a38d8620655cfb3a2c58"
7+
hash-type = "SHA256"
8+
origin = { type = "download", uri = "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.9.6.tar.gz" }
Lines changed: 98 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,98 @@
1+
Summary: The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
2+
Name: SymCrypt-OpenSSL
3+
Version: 1.9.6
4+
Release: %autorelease
5+
License: MIT
6+
Vendor: Microsoft Corporation
7+
Distribution: Azure Linux
8+
Group: System/Libraries
9+
URL: https://github.com/microsoft/SymCrypt-OpenSSL
10+
Source0: https://github.com/microsoft/SymCrypt-OpenSSL/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
11+
Patch0001: 0001-register-symcrypt-provider-for-config-drop-in.patch
12+
Patch0002: 0002-skip-sha1-signature-tests-disabled-by-crypto-policy.patch
13+
# The v1.9.6 release tag shipped without bumping the CMake project version, so
14+
# the provider reports 1.9.5 via OSSL_PROV_PARAM_VERSION. Correct it downstream.
15+
Patch0003: 0003-bump-project-version-to-match-release-tag.patch
16+
17+
BuildRequires: openssl-devel
18+
BuildRequires: openssl-devel-engine
19+
BuildRequires: SymCrypt >= 103.8.0
20+
BuildRequires: cmake
21+
BuildRequires: gcc
22+
BuildRequires: gcc-c++
23+
BuildRequires: make
24+
25+
Requires: SymCrypt >= 103.8.0
26+
Requires: openssl-libs
27+
28+
%description
29+
The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
30+
31+
# Only x86_64 and aarch64 are currently supported
32+
%ifarch x86_64
33+
%define symcrypt_arch AMD64
34+
%endif
35+
36+
%ifarch aarch64
37+
%define symcrypt_arch ARM64
38+
%endif
39+
40+
%prep
41+
%autosetup -p1
42+
43+
%build
44+
%cmake \
45+
-DKEYSINUSE_ENABLED=1 \
46+
-DOPENSSL_ROOT_DIR="%{_prefix}/local/ssl" \
47+
-DSYMCRYPT_ROOT_DIR=%{buildroot}%{_includedir}/.. \
48+
-DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-%{symcrypt_arch}.cmake" \
49+
-DCMAKE_BUILD_TYPE=RelWithDebInfo
50+
51+
%cmake_build
52+
53+
%install
54+
mkdir -p %{buildroot}%{_libdir}/engines-3/
55+
mkdir -p %{buildroot}%{_libdir}/ossl-modules/
56+
mkdir -p %{buildroot}%{_includedir}
57+
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/openssl.d/
58+
mkdir -p %{buildroot}%{_localstatedir}/log/keysinuse/
59+
60+
# We still install the engine for backwards compatibility with legacy applications. Callers must
61+
# explicitly load the engine to use it. It will be removed in a future release.
62+
install %{__cmake_builddir}/SymCryptEngine/dynamic/symcryptengine.so %{buildroot}%{_libdir}/engines-3/symcryptengine.so
63+
install %{__cmake_builddir}/SymCryptProvider/symcryptprovider.so %{buildroot}%{_libdir}/ossl-modules/symcryptprovider.so
64+
install SymCryptEngine/inc/e_scossl.h %{buildroot}%{_includedir}/e_scossl.h
65+
install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/openssl.d/symcrypt_prov.cnf
66+
67+
%check
68+
# Run in a subshell so the exit code of the test does not affect the main shell's exit code.
69+
# This is important because the entire section is wrapped in a script by rpmbuild itself.
70+
# The test is run twice: once with the default provider and once with the SymCrypt provider.
71+
# The SHA-1 RSA sign/verify cases are removed by Patch1, since SHA-1 signatures
72+
# are disabled by the default crypto policy on Azure Linux.
73+
(
74+
set -e
75+
./%{__cmake_builddir}/SslPlay/SslPlay
76+
./%{__cmake_builddir}/SslPlay/SslPlay --provider-path ./%{__cmake_builddir}/SymCryptProvider/ --provider symcryptprovider --no-engine
77+
)
78+
79+
%files
80+
%license LICENSE
81+
%{_libdir}/engines-3/symcryptengine.so
82+
%{_libdir}/ossl-modules/symcryptprovider.so
83+
%{_includedir}/e_scossl.h
84+
%config %{_sysconfdir}/pki/tls/openssl.d/symcrypt_prov.cnf
85+
86+
# The log directory for certsinuse logging has permissions set to 1733.
87+
# These permissions are a result of a security review to mitigate potential risks:
88+
# - Group and others are denied read access to prevent user-level code from inferring
89+
# details about other running applications and their certsinuse usage.
90+
# - All users have write and execute permissions to create new log files and to
91+
# check file attributes (e.g., to ensure a log file hasn't been tampered with or
92+
# replaced by a symlink).
93+
# - The sticky bit is set to prevent malicious users from deleting the log files
94+
# and interfering with certsinuse alerting mechanisms.
95+
%dir %attr(1733, root, root) %{_localstatedir}/log/keysinuse/
96+
97+
%changelog
98+
%autochangelog
Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
* Fri Mar 06 2026 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.5-1
2+
- Auto-upgrade to 1.9.5 - bug fixes
3+
4+
* Thu Nov 13 2025 Tobias Brick <tobiasb@microsoft.com> - 1.9.4-2
5+
- Add conflicts with openssl-fips-provider
6+
7+
* Tue Oct 28 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.4-1
8+
- Auto-upgrade to 1.9.4 - bug fixes
9+
10+
* Tue Sep 30 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.3-1
11+
- Auto-upgrade to 1.9.3 - bug fixes
12+
13+
* Mon Sep 22 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.9.2-1
14+
- Auto-upgrade to 1.9.2 - bug fixes
15+
16+
* Fri Jul 25 2025 Tobias Brick <tobiasb@microsoft.com> - 1.9.1-1
17+
- Upgrade SymCrypt-OpenSSL to 1.9.1 for compatability and bug fixes.
18+
19+
* Wed Jun 11 2025 Tobias Brick <tobiasb@microsoft.com> - 1.9.0-1
20+
- Auto-upgrade to 1.9.0 - Support digest state exports.
21+
- Added second test run that forces the use of the SymCrypt provider.
22+
23+
* Tue May 13 2025 Tobias Brick <tobiasb@microsoft.com> - 1.8.1-1
24+
- Upgrade to SymCrypt-OpenSSL 1.8.1 with minor bugfixes.
25+
26+
* Thu May 08 2025 Tobias Brick <tobiasb@microsoft.com> - 1.8.0-2
27+
- Update mechanism for creating keysinuse logging directory.
28+
29+
* Thu Mar 27 2025 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.8.0-1
30+
- Upgrade to SymCrypt-OpenSSL 1.8.0 with PBKDF2 and minor bugfixes
31+
32+
* Fri Jan 31 2025 Tobias Brick <tobiasb@microsoft.com> - 1.7.0-1
33+
- Add optional debug logging instead of writing some errors to stderr
34+
- Add optional KeysInUse feature, which can be turned on by config
35+
36+
* Wed Nov 27 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.6.1-1
37+
- Auto-upgrade to 1.6.1 - bug fixes
38+
39+
* Mon Nov 25 2024 Tobias Brick <tobiasb@microsoft.com> - 1.6.0-1
40+
- Upgrade to SymCrypt-OpenSSL 1.6.0
41+
42+
* Wed Oct 02 2024 Tobias Brick <tobiasb@microsoft.com> - 1.5.1-2
43+
- Add sources to debuginfo package
44+
45+
* Wed Aug 21 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.5.1-1
46+
- Fix minor behavior differences with default provider
47+
48+
* Thu Aug 15 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.5.0-1
49+
- Fix AES-CFB to match expected OpenSSL calling patterns
50+
- Support ECC key X and Y coordinate export
51+
52+
* Thu May 16 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.4.3-1
53+
- Additional bugfixes for TLS connections
54+
- Add variable length GCM IV support to the SymCrypt engine
55+
56+
* Thu Apr 25 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.4.2-1
57+
- Support additional parameters in the SymCrypt provider required for TLS connections
58+
- Various bugfixes for TLS scenarios
59+
60+
* Wed Apr 17 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.4.1-1
61+
- Update SymCrypt-OpenSSL to v1.4.1
62+
- Adds support for RSASSA-PSS keys, SP800-108 KDF
63+
- Fixes smoke test for check in OpenSSL 3.1
64+
65+
* Thu Dec 28 2023 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.4.0-1
66+
- Update SymCrypt-OpenSSL to v1.4.0.
67+
- Adds SymCrypt-OpenSSL provider for OpenSSL 3.
68+
69+
* Mon May 22 2023 Samuel Lee <saml@microsoft.com> - 1.3.0-1
70+
- Update SymCrypt-OpenSSL to v1.3.0. Adds support for HMAC and fixes corner RSA-PSS bug. Run smoke test in check
71+
72+
* Mon Jun 06 2022 Samuel Lee <saml@microsoft.com> - 1.2.0-1
73+
- Update SymCrypt-OpenSSL to v1.2.0 to improve performance and fix some corner case bugs
74+
75+
* Tue Mar 29 2022 Samuel Lee <saml@microsoft.com> - 1.1.0-1
76+
- Update SymCrypt-OpenSSL to v1.1.0 to include FIPS self-tests, and fix aarch64 build
77+
78+
* Mon Feb 14 2022 Samuel Lee <saml@microsoft.com> - 1.0.0-1
79+
- Original version for CBL-Mariner
80+
- Verified license

base/comps/components-publish-channels.toml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2416,6 +2416,7 @@ components = [
24162416
"swig",
24172417
"swtpm",
24182418
"SymCrypt",
2419+
"SymCrypt-OpenSSL",
24192420
"symlinks",
24202421
"sympy",
24212422
"synce4l",

locks/SymCrypt-OpenSSL.lock

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
# Managed by azldev component update. Do not edit manually.
2+
version = 1
3+
input-fingerprint = 'sha256:f231b108cecf880952eb6436274cfa28e5b42939a1984d520374daa570b72a2d'
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
From 115f648995926362080f05fe80d670ed6494ce5c Mon Sep 17 00:00:00 2001
2+
From: Tobias Brick <tobiasb@microsoft.com>
3+
Date: Fri, 26 Jun 2026 14:53:36 +0000
4+
Subject: [PATCH 1/2] Register the SymCrypt provider in [provider_sect] for
5+
config drop-in
6+
7+
Add a [provider_sect] stanza to symcrypt_prov.cnf that maps the
8+
symcryptprovider module to the existing [symcrypt_prov_sect]. OpenSSL
9+
merges same-named [provider_sect] sections across config includes, so
10+
with this in place, dropping symcrypt_prov.cnf into the OpenSSL config
11+
drop-in directory is enough to register and activate the provider; no
12+
edit to the main openssl.cnf is required.
13+
14+
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
15+
---
16+
SymCryptProvider/symcrypt_prov.cnf | 8 ++++++++
17+
1 file changed, 8 insertions(+)
18+
19+
diff --git a/SymCryptProvider/symcrypt_prov.cnf b/SymCryptProvider/symcrypt_prov.cnf
20+
index b0afe42..50b5c3a 100644
21+
--- a/SymCryptProvider/symcrypt_prov.cnf
22+
+++ b/SymCryptProvider/symcrypt_prov.cnf
23+
@@ -4,6 +4,14 @@
24+
# value assigned does not matter, and the provider will be
25+
# activated as long as the "activate" key is present.
26+
27+
+# Register the provider with libcrypto. This [provider_sect] is merged into
28+
+# the one in the main openssl.cnf, so dropping this file into the OpenSSL
29+
+# config drop-in directory is enough to make the provider available. The key
30+
+# (symcryptprovider) is the module name OpenSSL loads (symcryptprovider.so);
31+
+# it maps to the [symcrypt_prov_sect] configuration below.
32+
+[provider_sect]
33+
+symcryptprovider = symcrypt_prov_sect
34+
+
35+
[symcrypt_prov_sect]
36+
activate = 1
37+
identity = symcryptprovider
38+
--
39+
2.52.0
40+

0 commit comments

Comments
 (0)