feat(SymCrypt and SymCrypt-OpenSSL): Add SymCrypt OpenSSL provider to AZL4 #17873
Open
tobiasb-ms wants to merge 2 commits into
reubeno
reviewed
Jun 30, 2026
| @@ -0,0 +1,5 @@ | |||
| #!/bin/bash | |||
Member
If symcrypt needs this info to build, it really should be included in the released artifacts from the SymCrypt project. This requires us as a consumer to understand/know the upstream-upstream source/branch origin of the specific release that we're pinning to -- and also requires a manual/custom step on upgrades.
If we need to take it on for now to mirror what we did in 3.0, then so be it -- but we should file a bug and try to work with them upstream on this.
Contributor
Author
I hadn't thought of that. This is a great point that I'll discuss with the upstream maintainers.
SymCrypt has no upstream Azure Linux 4.0 package, so this ports it from 3.0.

Starting from the pristine AZL3 spec, the targeted changes for 4.0 are:
- Preserve the FIPS integrity HMAC under AZL4's defaults: strip -Wl,-z,pack-relative-relocs (DT_RELR relocations break it) and drop the custom debuginfo post-processing inherited from 3.0.
- Manage release and changelog with rpmautospec.
- Switched to %cmake* macros where possible

Upgraded to SymCrypt 103.11.0 in the same pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SymCrypt-OpenSSL (SCOSSL) has no upstream Azure Linux 4.0 package, so this ports it from 3.0. It builds and runs against the SymCrypt component in this repo.

Starting from the pristine AZL3 spec, the targeted changes for 4.0 are:
- Changed the contents and location of the config file so openssl automatically picks up the provider.
- Patch out the SslPlay smoke test's SHA-1 RSA sign/verify cases, which fail because Azure Linux's default crypto policy disables SHA-1 signatures.
- Manage release and changelog with rpmautospec.
- Switch to %cmake* macros where possible.

Upgraded to 1.9.6 in the same pass, which is required to build against SymCrypt 103.11.0 (it drops SymCrypt's internal UINT type, removed upstream in 103.11.0). Upstream had not updated the provider version string so patched that.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
87cb36c to
59c0655
reubeno
approved these changes
Jul 1, 2026
Adds two packages:
- SymCrypt, which is a cryptographic library from Microsoft.
- SymCrypt-OpenSSL, which implements an OpenSSL provider using SymCrypt.

Fedora does not carry these packages so I based them on AZL3, modifying them for AZL4 and updating the versions. I also have a different branch with a more complete history, which may be useful to see the differences between AZL4 and AZL3. However, I squashed those commits for the PR.

Validation:
- openssl operations with SymCrypt-OpenSSL installed
- openssl speed which does a bunch of cryptographic operations