Initial SymCrypt + SymCrypt-OpenSSL integration (#2035)

* Add Initial SPEC files and signatures

+ Based on Spencer's previous work, but updated to pull
  jitterentropy-library separately

* Update to remove static library from SymCrypt-OpenSSL install

+ Update cgmanifest.json, licenses.json, etc.
+ Make changes required by Spec linter

* Add OpenSSL patch (commented out by default)

+ Update SymCrypt and SymCrypt-OpenSSL SPECs

* Enable debuginfo for SCOSSL & update OpenSSL in pkggen/toolchain

* Track SymCrypt NOTICE (pointing to other LICENSEs) in %license files

+ Make libsymcrypt.so and libsymcrypt.so.101 symbolic links to
  libsymcrypt.so.101.0.0
+ Avoid installing internal SymCrypt headers (only install headers with
  symcrypt prefix)

* Fix changelog/License to pass Spec files check

* Finalize source tarball signatures for SymCrypt and SymCrypt-OpenSSL

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -2420,6 +2420,8 @@
                 "shim-unsigned-x64",
                 "span-lite",
                 "swupdate",
+                "SymCrypt",
+                "SymCrypt-OpenSSL",
                 "tinyxml2",
                 "toml11",
                 "tracelogging",

SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.signatures.json

@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "SymCrypt-OpenSSL-1.0.0.tar.gz": "5beec7b050bd48511c0d81a643f47df56d488c7af2bc5a69451a7c79f40688d9"
+ }
+}

SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec

@@ -0,0 +1,56 @@
+Summary:        The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
+Name:           SymCrypt-OpenSSL
+Version:        1.0.0
+Release:        1%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System/Libraries
+URL:            https://github.com/microsoft/SymCrypt-OpenSSL
+#Source0:       https://github.com/microsoft/SymCrypt-OpenSSL/archive/v%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.gz
+BuildRequires:  SymCrypt
+BuildRequires:  cmake
+BuildRequires:  gcc
+BuildRequires:  make
+
+%description
+The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
+
+# Only x86_64 and aarch64 are currently supported
+%ifarch x86_64
+%define symcrypt_arch AMD64
+%endif
+
+%ifarch aarch64
+%define symcrypt_arch ARM64
+%endif
+
+%prep
+%setup -q
+
+%build
+mkdir bin; cd bin
+
+cmake   .. \
+        -DOPENSSL_ROOT_DIR="%{_prefix}/local/ssl" \
+        -DCMAKE_INSTALL_LIBDIR=%{buildroot}%{_libdir} \
+        -DCMAKE_INSTALL_INCLUDEDIR=%{buildroot}%{_includedir} \
+        -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-%{symcrypt_arch}.cmake" \
+        -DCMAKE_BUILD_TYPE=Release
+
+cmake --build .
+
+%install
+cd bin
+cmake --build . --target install
+
+%files
+%license LICENSE
+%{_libdir}/engines-1.1/symcryptengine.so
+%{_includedir}/scossl.h
+
+%changelog
+* Mon Feb 14 2022 Samuel Lee <saml@microsoft.com> - 1.0.0-1
+- Original version for CBL-Mariner
+- Verified license

SPECS/SymCrypt/SymCrypt.signatures.json

@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+  "SymCrypt-101.0.0.tar.gz": "f082a7d008657e8c675796657be4db4fd49c0f77db3defbaf556d8517738d27d",
+  "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487"
+ }
+}

SPECS/SymCrypt/SymCrypt.spec

@@ -0,0 +1,66 @@
+%define debug_package %{nil}
+Summary:        A core cryptographic library written by Microsoft
+Name:           SymCrypt
+Version:        101.0.0
+Release:        1%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System/Libraries
+URL:            https://github.com/microsoft/SymCrypt
+#Source0:       https://github.com/microsoft/SymCrypt/archive/v%{version}.tar.gz
+Source0:        %{name}-%{version}.tar.gz
+#Source1        https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz
+Source1:        jitterentropy-library-3.3.1.tar.gz
+BuildRequires:  cmake
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  python3
+BuildRequires:  python3-pyelftools
+
+%description
+A core cryptographic library written by Microsoft
+
+# Only x86_64 and aarch64 are currently supported
+%ifarch x86_64
+%define symcrypt_arch AMD64
+%endif
+
+%ifarch aarch64
+%define symcrypt_arch ARM64
+%endif
+
+%prep
+%setup -q
+%setup -q -a 1
+# Create a symbolic link as if jitterentropy-library has been pulled in as git submodule
+rm -rf jitterentropy-library
+ln -s jitterentropy-library-3.3.1 jitterentropy-library
+
+%build
+mkdir bin; cd bin
+
+cmake   .. \
+        -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-%{symcrypt_arch}.cmake" \
+        -DCMAKE_BUILD_TYPE=Release
+
+cmake --build .
+
+%install
+mkdir -p %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_includedir}
+install inc/symcrypt* %{buildroot}%{_includedir}
+# Use cp -P to preserve symbolic links
+cp -P bin/module/%{symcrypt_arch}/LinuxUserMode/generic/libsymcrypt.so* %{buildroot}%{_libdir}
+chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version}
+
+%files
+%license LICENSE
+%license NOTICE
+%{_libdir}/libsymcrypt.so*
+%{_includedir}/*
+
+%changelog
+* Mon Feb 14 2022 Samuel Lee <saml@microsoft.com> - 101.0.0-1
+- Original version for CBL-Mariner
+- Verified license

SPECS/openssl/openssl-1.1.1-fips-SymCrypt.patch

@@ -0,0 +1,89 @@
+diff --git a/crypto/init.c b/crypto/init.c
+index 1b0d523bea..9482633c9b 100644
+--- a/crypto/init.c
++++ b/crypto/init.c
+@@ -402,6 +402,67 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
+ }
+ #  endif
+ # endif
++
++# ifndef OPENSSL_NO_SYMCRYPT_ENGINE
++static CRYPTO_ONCE engine_symcrypt = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_symcrypt)
++{
++    int ret = 0;
++
++    // Get the default engine directory from the environment - may be NULL
++    char* load_dir = ossl_safe_getenv("OPENSSL_ENGINES");
++
++    #ifdef ENGINESDIR
++    // Use the default engines directory, if defined
++    if(load_dir == NULL)
++    {
++            load_dir = ENGINESDIR;
++    }
++    #endif
++
++    ENGINE *dynamic = NULL;
++    ENGINE *symcrypt = NULL;
++
++    dynamic = ENGINE_by_id("dynamic");
++    if (!dynamic)
++        goto err;
++    
++    // Add the engines directory to the list of directories to load from and specify that loading
++    // from the directory list is mandatory (via DIR_LOAD = 2). Otherwise OpenSSL will try to load
++    // the engine from the default ld search path, fail, and skip loading from the engines dir.
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_ADD", load_dir, 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_LOAD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "SO_PATH", "symcryptengine.so", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "ID", "symcrypt", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LIST_ADD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LOAD", NULL, 0))
++        goto err;
++
++    symcrypt = ENGINE_by_id("symcrypt");
++    if (!symcrypt)
++        goto err;
++
++    // Make SymCrypt the default engine for all algorithms
++    if (!ENGINE_set_default_string(symcrypt, "ALL"))
++        goto err;
++
++err:
++    ENGINE_free(symcrypt);
++    ENGINE_free(dynamic);
++
++#  ifdef OPENSSL_INIT_DEBUG
++    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_symcrypt: %d\n",
++        ret);
++#  endif
++
++    return ret;
++}
++# endif
+ #endif
+ 
+ #ifndef OPENSSL_NO_COMP
+@@ -723,9 +784,13 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+             && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
+         return 0;
+ # endif
+-    if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
+-            && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
+-        return 0;
++    if (opts & OPENSSL_INIT_ENGINE_DYNAMIC)
++    {
++        if (!RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
++            return 0;
++        
++        RUN_ONCE(&engine_symcrypt, ossl_init_engine_symcrypt);
++    }
+ # ifndef OPENSSL_NO_STATIC_ENGINE
+ #  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
+     if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)

SPECS/openssl/openssl.spec

@@ -4,7 +4,7 @@
 Summary:        Utilities from the general purpose cryptography library with TLS implementation
 Name:           openssl
 Version:        1.1.1k
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        OpenSSL
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -41,6 +41,7 @@ Patch18:        openssl-1.1.1-fips-curves.patch
 Patch19:        openssl-1.1.1-sp80056arev3.patch
 Patch20:        openssl-1.1.1-jitterentropy.patch
 Patch21:        openssl-1.1.1-drbg-seed.patch
+Patch22:        openssl-1.1.1-fips-SymCrypt.patch
 BuildRequires:  perl-Test-Warnings
 BuildRequires:  perl-Text-Template
 BuildRequires:  perl(FindBin)
@@ -133,6 +134,7 @@ cp %{SOURCE4} test/
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+# %patch22 -p1
 
 %build
 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
@@ -324,6 +326,9 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Feb 14 2022 Samuel Lee <saml@microsoft.com> - 1.1.1k-9
+- Add optional patch to use SymCrypt as default engine
+
 * Sun Jan 23 2022 Jon Slobodzian <joslobo@microsoft.com> - 1.1.1k-8
 - Add build requires for perl dependencies
 
@@ -340,7 +345,7 @@ rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
 * Tue Jun 15 2021 Nicolas Ontiveros <niontive@microsoft.com> - 1.1.1k-4
 - In FIPS mode, use jitterentropy for DRBG nonce.
 - In FIPS mode, concatenate Linux RNG with personalization string during DRBG instantiation
-- In FIPS mode, concatenate Linux RNG with additional input string during DRBG reseed 
+- In FIPS mode, concatenate Linux RNG with additional input string during DRBG reseed
 
 * Tue May 18 2021 Nicolas Ontiveros <niontive@microsoft.com> - 1.1.1k-3
 - In FIPS mode, use only jitterentropy for entropy pool

cgmanifest.json

@@ -8186,6 +8186,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "jitterentropy-library",
+          "version": "3.3.1",
+          "downloadUrl": "https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -28012,6 +28022,26 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "SymCrypt",
+          "version": "101.0.0",
+          "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v101.0.0.tar.gz"
+        }
+      }
+    },
+    {
+      "component": {
+        "type": "SymCrypt-OpenSSL",
+        "other": {
+          "name": "SymCrypt-OpenSSL",
+          "version": "1.0.0",
+          "downloadUrl": "https://github.com/microsoft/SymCrypt-OpenSSL/archive/v1.0.0.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -163,11 +163,11 @@ perl-5.32.0-465.cm2.aarch64.rpm
 texinfo-6.8-1.cm2.aarch64.rpm
 autoconf-2.69-11.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-8.cm2.aarch64.rpm
-openssl-devel-1.1.1k-8.cm2.aarch64.rpm
-openssl-libs-1.1.1k-8.cm2.aarch64.rpm
-openssl-perl-1.1.1k-8.cm2.aarch64.rpm
-openssl-static-1.1.1k-8.cm2.aarch64.rpm
+openssl-1.1.1k-9.cm2.aarch64.rpm
+openssl-devel-1.1.1k-9.cm2.aarch64.rpm
+openssl-libs-1.1.1k-9.cm2.aarch64.rpm
+openssl-perl-1.1.1k-9.cm2.aarch64.rpm
+openssl-static-1.1.1k-9.cm2.aarch64.rpm
 libcap-2.26-2.cm2.aarch64.rpm
 libcap-devel-2.26-2.cm2.aarch64.rpm
 debugedit-5.0-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -163,11 +163,11 @@ perl-5.32.0-465.cm2.x86_64.rpm
 texinfo-6.8-1.cm2.x86_64.rpm
 autoconf-2.69-11.cm2.noarch.rpm
 automake-1.16.5-1.cm2.noarch.rpm
-openssl-1.1.1k-8.cm2.x86_64.rpm
-openssl-devel-1.1.1k-8.cm2.x86_64.rpm
-openssl-libs-1.1.1k-8.cm2.x86_64.rpm
-openssl-perl-1.1.1k-8.cm2.x86_64.rpm
-openssl-static-1.1.1k-8.cm2.x86_64.rpm
+openssl-1.1.1k-9.cm2.x86_64.rpm
+openssl-devel-1.1.1k-9.cm2.x86_64.rpm
+openssl-libs-1.1.1k-9.cm2.x86_64.rpm
+openssl-perl-1.1.1k-9.cm2.x86_64.rpm
+openssl-static-1.1.1k-9.cm2.x86_64.rpm
 libcap-2.26-2.cm2.x86_64.rpm
 libcap-devel-2.26-2.cm2.x86_64.rpm
 debugedit-5.0-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -251,12 +251,12 @@ nspr-4.21-2.cm2.aarch64.rpm
 nspr-debuginfo-4.21-2.cm2.aarch64.rpm
 nspr-devel-4.21-2.cm2.aarch64.rpm
 ntsysv-1.20-2.cm2.aarch64.rpm
-openssl-1.1.1k-8.cm2.aarch64.rpm
-openssl-debuginfo-1.1.1k-8.cm2.aarch64.rpm
-openssl-devel-1.1.1k-8.cm2.aarch64.rpm
-openssl-libs-1.1.1k-8.cm2.aarch64.rpm
-openssl-perl-1.1.1k-8.cm2.aarch64.rpm
-openssl-static-1.1.1k-8.cm2.aarch64.rpm
+openssl-1.1.1k-9.cm2.aarch64.rpm
+openssl-debuginfo-1.1.1k-9.cm2.aarch64.rpm
+openssl-devel-1.1.1k-9.cm2.aarch64.rpm
+openssl-libs-1.1.1k-9.cm2.aarch64.rpm
+openssl-perl-1.1.1k-9.cm2.aarch64.rpm
+openssl-static-1.1.1k-9.cm2.aarch64.rpm
 p11-kit-0.23.22-3.cm2.aarch64.rpm
 p11-kit-debuginfo-0.23.22-3.cm2.aarch64.rpm
 p11-kit-devel-0.23.22-3.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -251,12 +251,12 @@ nspr-4.21-2.cm2.x86_64.rpm
 nspr-debuginfo-4.21-2.cm2.x86_64.rpm
 nspr-devel-4.21-2.cm2.x86_64.rpm
 ntsysv-1.20-2.cm2.x86_64.rpm
-openssl-1.1.1k-8.cm2.x86_64.rpm
-openssl-debuginfo-1.1.1k-8.cm2.x86_64.rpm
-openssl-devel-1.1.1k-8.cm2.x86_64.rpm
-openssl-libs-1.1.1k-8.cm2.x86_64.rpm
-openssl-perl-1.1.1k-8.cm2.x86_64.rpm
-openssl-static-1.1.1k-8.cm2.x86_64.rpm
+openssl-1.1.1k-9.cm2.x86_64.rpm
+openssl-debuginfo-1.1.1k-9.cm2.x86_64.rpm
+openssl-devel-1.1.1k-9.cm2.x86_64.rpm
+openssl-libs-1.1.1k-9.cm2.x86_64.rpm
+openssl-perl-1.1.1k-9.cm2.x86_64.rpm
+openssl-static-1.1.1k-9.cm2.x86_64.rpm
 p11-kit-0.23.22-3.cm2.x86_64.rpm
 p11-kit-debuginfo-0.23.22-3.cm2.x86_64.rpm
 p11-kit-devel-0.23.22-3.cm2.x86_64.rpm