feat(SymCrypt and SymCrypt-OpenSSL): Add SymCrypt OpenSSL provider to AZL4 #17873
Merged
reubeno
reviewed
Jun 30, 2026
SymCrypt has no upstream Azure Linux 4.0 package, so this ports it from 3.0. Starting from the pristine AZL3 spec, the targeted changes for 4.0 are:

- Preserve the FIPS integrity HMAC under AZL4's defaults: strip -Wl,-z,pack-relative-relocs (DT_RELR relocations break it) and drop the custom debuginfo post-processing inherited from 3.0.
- Manage release and changelog with rpmautospec.
- Switched to %cmake* macros where possible

Upgraded to SymCrypt 103.11.0 in the same pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SymCrypt-OpenSSL (SCOSSL) has no upstream Azure Linux 4.0 package, so this ports it from 3.0. It builds and runs against the SymCrypt component in this repo. Starting from the pristine AZL3 spec, the targeted changes for 4.0 are:

- Changed the contents and location of the config file so openssl automatically picks up the provider.
- Patch out the SslPlay smoke test's SHA-1 RSA sign/verify cases, which fail because Azure Linux's default crypto policy disables SHA-1 signatures.
- Manage release and changelog with rpmautospec.
- Switch to %cmake* macros where possible.

Upgraded to 1.9.6 in the same pass, which is required to build against SymCrypt 103.11.0 (it drops SymCrypt's internal UINT type, removed upstream in 103.11.0). Upstream had not updated the provider version string so patched that.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
87cb36c to
59c0655
reubeno
approved these changes
Jul 1, 2026
Adds two packages:

- SymCrypt, which is a cryptographic library from Microsoft.
- SymCrypt-OpenSSL, which implements an OpenSSL provider using SymCrypt.

Fedora does not carry these packages so I based them on AZL3, modifying them for AZL4 and updating the versions. I also have a different branch with a more complete history, which may be useful to see the differences between AZL4 and AZL3. However, I squashed those commits for the PR.

Validation:

- `openssl` operations with `SymCrypt-OpenSSL` installed
- `openssl speed`, which does a bunch of cryptographic operations
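
The SymCrypt commit message above says DT_RELR relocations break the FIPS integrity HMAC and strips `-Wl,-z,pack-relative-relocs`. As an added example (not code from this PR or from SymCrypt), here is a check a packager could run on the built shared object to confirm that no DT_RELR dynamic entries remain. The tag numbers are those in glibc's `elf.h`, `make_elf` builds a constructed sample, and the parser assumes a little-endian ELF64 file.

```python
import struct

# Dynamic-section tag numbers as defined in glibc's elf.h.
DT_NULL, DT_RELRSZ, DT_RELR, DT_RELRENT = 0, 35, 36, 37
PT_DYNAMIC = 2
RELR_TAGS = {DT_RELRSZ: "DT_RELRSZ", DT_RELR: "DT_RELR", DT_RELRENT: "DT_RELRENT"}


def relr_tags(elf: bytes) -> list[str]:
    """Return the names of the DT_RELR* tags found in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    found = []
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Each Elf64_Dyn entry is 16 bytes: signed d_tag, then d_val/d_ptr.
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, _d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if d_tag in RELR_TAGS:
                found.append(RELR_TAGS[d_tag])
    return found


def make_elf(tags: list[tuple[int, int]]) -> bytes:
    """Constructed sample: ELF64 header plus one PT_DYNAMIC segment holding `tags`."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in tags + [(DT_NULL, 0)])
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    import sys
    # Usage: pass the path(s) of the built shared object(s) to inspect.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            tags = relr_tags(f.read())
        print(path, "DT_RELR present:" if tags else "no DT_RELR entries", *tags)
```
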