
feat(SymCrypt and SymCrypt-OpenSSL): Add SymCrypt OpenSSL provider to AZL4 #17873

Open
tobiasb-ms wants to merge 2 commits into 4.0 from tobiasb-ms/symcrypt

Conversation

@tobiasb-ms (Contributor)

Adds two packages:

  • SymCrypt, which is a cryptographic library from Microsoft.
  • SymCrypt-OpenSSL, which implements an OpenSSL provider using SymCrypt.

Fedora does not carry these packages, so I based them on AZL3, modifying them for AZL4 and updating the versions. I also have a different branch with a more complete history, which may be useful to see the differences between AZL4 and AZL3. However, I squashed those commits for the PR.

Validation:

  • Built locally
  • Installed on a container using a local yum repo (proves closure)
  • Did basic openssl operations with SymCrypt-OpenSSL installed
  • Ran openssl speed, which does a bunch of cryptographic operations

@tobiasb-ms tobiasb-ms requested a review from a team as a code owner June 30, 2026 18:49
Copilot AI review requested due to automatic review settings June 30, 2026 18:49

Copilot AI left a comment

Contributor

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Comment thread base/comps/SymCrypt-OpenSSL/SymCrypt-OpenSSL.comp.toml Outdated
Comment thread base/comps/SymCrypt-OpenSSL/SymCrypt-OpenSSL.comp.toml Outdated
Comment thread base/comps/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec Outdated
Comment thread base/comps/SymCrypt/SymCrypt.comp.toml Outdated
@@ -0,0 +1,5 @@
#!/bin/bash
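Review bot: the visible first line of this new script is a bare shebang with no header comment, yet the thread below says the file encodes the upstream source/branch origin of the pinned SymCrypt release and must be refreshed by hand on every version bump; add a comment at the top stating where those values come from and when they need updating, and consider `set -euo pipefail` after the shebang so a stale or missing value fails the build loudly instead of silently producing a wrong artifact.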

Member

If symcrypt needs this info to build, it really should be included in the released artifacts from the SymCrypt project. This requires us as a consumer to understand/know the upstream-upstream source/branch origin of the specific release that we're pinning to -- and also requires a manual/custom step on upgrades.

If we need to take it on for now to mirror what we did in 3.0, then so be it -- but we should file a bug and try to work with them upstream on this.

Contributor Author

I hadn't thought of that. This is a great point that I'll discuss with the upstream maintainers.

Comment thread base/comps/SymCrypt/SymCrypt.spec Outdated
Comment thread base/comps/SymCrypt/SymCrypt.spec
Comment thread base/comps/SymCrypt/SymCrypt.spec Outdated
tobiasb-ms and others added 2 commits June 30, 2026 23:15
SymCrypt has no upstream Azure Linux 4.0 package, so this ports it from
3.0. Starting from the pristine AZL3 spec, the targeted changes for 4.0
are:

- Preserve the FIPS integrity HMAC under AZL4's defaults: strip
  -Wl,-z,pack-relative-relocs (DT_RELR relocations break it) and drop the
  custom debuginfo post-processing inherited from 3.0.
- Manage release and changelog with rpmautospec.
- Switch to %cmake* macros where possible.

Upgraded to SymCrypt 103.11.0 in the same pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SymCrypt-OpenSSL (SCOSSL) has no upstream Azure Linux 4.0 package, so this
ports it from 3.0. It builds and runs against the SymCrypt component in
this repo. Starting from the pristine AZL3 spec, the targeted changes for
4.0 are:

- Changed the contents and location of the config file so openssl
  automatically picks up the provider.
- Patch out the SslPlay smoke test's SHA-1 RSA sign/verify cases, which
  fail because Azure Linux's default crypto policy disables SHA-1
  signatures.
- Manage release and changelog with rpmautospec.
- Switch to %cmake* macros where possible.

Upgraded to 1.9.6 in the same pass, which is required to build against
SymCrypt 103.11.0 (it drops SymCrypt's internal UINT type, removed
upstream in 103.11.0). Upstream had not updated the provider version
string, so patched that.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
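The first commit above strips `-Wl,-z,pack-relative-relocs` from the AZL4 default link flags because DT_RELR relocations break SymCrypt's FIPS integrity HMAC. As an added example (not part of this PR or either project), the following script shows the two halves a packager wants: removing that flag from an LDFLAGS string, and checking a built ELF object for DT_RELR dynamic tags with `readelf` before shipping it. The LDFLAGS value and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the PR: handle the DT_RELR / FIPS-HMAC interaction
# described in the SymCrypt commit message.

# Remove -Wl,-z,pack-relative-relocs from the flag string in $1, keeping
# every other token and its order. Prints the filtered flags.
strip_relr_flag() {
  local out="" tok
  for tok in $1; do
    case "$tok" in
      -Wl,-z,pack-relative-relocs) ;;          # drop: emits DT_RELR
      *) out="${out:+$out }$tok" ;;
    esac
  done
  printf '%s' "$out"
}

# Return 0 if the ELF file in $1 carries DT_RELR dynamic tags (RELR,
# RELRSZ or RELRENT), i.e. the linker packed relative relocations and the
# integrity HMAC computed over the image would not match at load time.
# Requires readelf from binutils; a non-ELF or missing file returns 1.
has_dt_relr() {
  readelf -d "$1" 2>/dev/null | grep -qE '\((RELR|RELRSZ|RELRENT)\)'
}

# Usage in a %build step, with constructed flags standing in for the
# distribution defaults:
sample_ldflags='-Wl,-z,relro -Wl,-z,now -Wl,-z,pack-relative-relocs -Wl,--as-needed'
fixed_ldflags=$(strip_relr_flag "$sample_ldflags")
echo "LDFLAGS: $fixed_ldflags"

# After linking, refuse to package a library that still has DT_RELR:
check_built_object() {
  if has_dt_relr "$1"; then
    echo "error: $1 contains DT_RELR relocations; FIPS HMAC would fail" >&2
    return 1
  fi
  return 0
}
```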
@tobiasb-ms tobiasb-ms force-pushed the tobiasb-ms/symcrypt branch from 87cb36c to 59c0655 Compare June 30, 2026 23:41