Support to test OpenSSL with SymCrypt enabled

.azure-pipelins/build-template.yml

@@ -25,6 +25,9 @@ jobs:
       /tmp/docker exec -t -u 0 ci-container \
       sh -c "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -o Dpkg::Options::="--force-confold" -y install sudo"
     displayName: 'Install Sudo in container'
+  - script: |
+      sudo rm -rf $(ls -A1)
+    displayName: 'Clean Workspace'
   - script: |
       sudo mkdir -p $HOME
       sudo chown $USER $HOME
@@ -56,11 +59,39 @@ jobs:
       git submodule update --init -- jitterentropy-library
     displayName: 'Checkout Symcrypt submodules'
   - script: |
+      set -ex
       set -ex
       sudo mkdir -p $HOME
+      sudo mkdir -p /etc/fips
       sudo pip3 install -r src/SymCrypt/scripts/requirements.txt
+      ARCH=${{ parameters.arch }} make symcrypt
+      sudo dpkg -i target/symcrypt-openssl*.deb
+    displayName: 'Build and install symcrypt'
+  - script: |
+      set -ex
+      ARCH=${{ parameters.arch }} make openssl
+      sudo dpkg -i target/libssl*.deb target/openssl*.deb
+    displayName: 'Build and install openssl'
+  - script: |
+      set -ex
+
+      echo 1 | sudo tee /etc/fips/fips_enable
+      pushd src/openssl
+      git clean -xdf
+      git checkout -- .
+      popd
+
+      ARCH=${{ parameters.arch }} TARGET_PATH=target-test make openssl
+    condition: always()
+    displayName: 'Test openssl with fips enabled'
+
+  - script: |
       ARCH=${{ parameters.arch }} make all
-    displayName: 'Build'
+    displayName: 'Build others'
   - publish: $(System.DefaultWorkingDirectory)/target
     artifact: fips-symcrypt-${{ parameters.arch }}
     displayName: "Archive packages"
+  - publish:  $(Build.ArtifactStagingDirectory)
+    condition: failed()
+    artifact: '$fips-symcrypt-${{ parameters.arch }}-(System.JobAttempt)'
+    displayName: "Archive failed packages"

.gitignore

@@ -1 +1,2 @@
 target
+target.test

Makefile

@@ -5,7 +5,7 @@ SHELL = /bin/bash
 ARCH ?= amd64
 SRC_PATH = src
 RULES_PATH = rules
-TARGET_PATH = target
+TARGET_PATH ?= target
 ROOT := $(shell pwd)
 DEST = $(ROOT)/$(TARGET_PATH)
 
@@ -32,18 +32,32 @@ all: $(MAIN_TARGET_LIST)
 list:
 	@$(foreach target,$(MAIN_TARGET_LIST),echo $(target);)
 
+symcrypt : $(TARGET_PATH)/$(SYMCRYPT_OPENSSL)
+
+openssl: $(TARGET_PATH)/$(OPENSSL)
+
 $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix $(TARGET_PATH)/,$$($$*_DEPENDS))
 	# Remove target to force rebuild
 	rm -f $(addprefix $(TARGET_PATH)/, $*)
+	mkdir -p $(TARGET_PATH)
 	# Run pre script
 	if [ -n "$($*_PRE_SCRIPT)" ]; then :;$($*_PRE_SCRIPT) fi
 	# Copy debian folder
 	if [ -n "$($*_DEBIAN)" ]; then mkdir -p $($*_SRC_PATH)/debian; cp $($*_DEBIAN)/* -rf $($*_SRC_PATH)/debian/; fi
 	# Apply series of patches if exist
 	if [ -f $($*_SRC_PATH).patch/series ]; then pushd $($*_SRC_PATH) && QUILT_PATCHES=../$(notdir $($*_SRC_PATH)).patch quilt push -a && mv .pc .pc1; popd; fi
 	if [ -n "$($*_PATCH_EXT)" ]; then pushd $($*_SRC_PATH); QUILT_PATCHES=$($*_PATCH_EXT) quilt push -a && mv .pc .pc2; popd; fi
+	# Merge the debian patches if not applied
+	if [ -f $($*_SRC_PATH).patch/debian.patch/series ]; then
+	  LAST_PATCH=$$(tail -n1  $($*_SRC_PATH).patch/debian.patch/series)
+	  if ! grep -q $$LAST_PATCH $($*_SRC_PATH)/debian/patches/series 2>/null; then
+	    echo "Applying patches for $($*_SRC_PATH)/debian/patches/"
+	    cat $($*_SRC_PATH).patch/debian.patch/series >> $($*_SRC_PATH)/debian/patches/series
+	    cp $($*_SRC_PATH).patch/debian.patch/*.patch $($*_SRC_PATH)/debian/patches/
+	  fi
+	fi
 	if [ -n "$($*_MAKEFILE)" ]; then
-	  $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$*
+	  $($*_BUILD_OPTIONS) make -C $($*_SRC_PATH) -f $($*_MAKEFILE) $(DEST)/$* | tee $(DEST)/$*.log
 	elif [ -f $($*_SRC_PATH)/debian/control ]; then
 	  pushd $($*_SRC_PATH)
 	  VERSION=$$(dpkg-parsechangelog --show-field Version)
@@ -52,7 +66,7 @@ $(addprefix $(TARGET_PATH)/, $(MAIN_TARGETS)) : $(TARGET_PATH)/% : $$(addprefix
 	  fi
 	  # Fix Misc/NEWS not found issue for python
 	  if [[ "$*" == python3* ]]; then touch Misc/NEWS; fi
-	  $($*_BUILD_OPTIONS) dpkg-buildpackage -b -d -rfakeroot -us -uc
+	  $($*_BUILD_OPTIONS) dpkg-buildpackage -b -d -rfakeroot -us -uc | tee $(DEST)/$*.log
 	  popd
 	  mkdir -p $(DEST)
 	  mv -f $(addprefix $($*_SRC_PATH)/../, $* $($*_DERIVED_DEBS)) $(DEST)/

rules/openssl.mk

@@ -4,6 +4,7 @@ OPENSSL_VERSION = 1.1.1k-1+deb11u1
 OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION)+fips
 OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb
 $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl
+$(OPENSSL)_BUILD_OPTIONS = LDLIBS="-lsymcryptengine"
 
 MAIN_TARGETS += $(OPENSSL)
 $(OPENSSL)_DERIVED_DEBS = libssl1.1_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb

src/SymCrypt-OpenSSL-Debian/Makefile

@@ -20,6 +20,7 @@ LIB_INSTALL_NAME = arm-linux-gnueabihf
 endif
 
 INSTALL_PATH = $(BUILD_ROOT_DIR)/usr/lib/$(LIB_INSTALL_NAME)
+ENGINES_PATH = $(INSTALL_PATH)/engines-1.1
 DEBIAN_DIR = $(BUILD_ROOT_DIR)/DEBIAN
 
 ROOT_PATH = $(shell realpath $(shell pwd)/../..)
@@ -56,10 +57,13 @@ $(LIBSYMCRYPTENGINE): $(LIBSYMCRYPT)
 
 $(TARGET): $(DEPENDS)
 	mkdir -p $(INSTALL_PATH)
+	mkdir -p $(ENGINES_PATH)
 	mkdir -p $(DEBIAN_DIR)
 	mkdir -p $(BUILD_ROOT_DIR)/usr/lib/ssl
 	cp -a $(DEST)/libsymcrypt.so* $(INSTALL_PATH)/
 	cp $(LIBSYMCRYPTENGINE) $(INSTALL_PATH)
+	ln -sf $(shell basename $(LIBSYMCRYPTENGINE)) $(INSTALL_PATH)/symcryptengine.so
+	ln -sf ../$(shell basename $(LIBSYMCRYPTENGINE)) $(ENGINES_PATH)/symcryptengine.so
 	chmod o+r $(INSTALL_PATH)/*
 	cp -rf debian/* $(DEBIAN_DIR)/
 	cp openssl.cnf $(BUILD_ROOT_DIR)/usr/lib/ssl/openssl-fips.cnf

src/openssl.patch/10-support-fips-mode.patch

@@ -1,8 +1,76 @@
 diff --git a/crypto/init.c b/crypto/init.c
-index 1b0d523bea..af171bda16 100644
+index 1b0d523bea..31fbd42cd2 100644
 --- a/crypto/init.c
 +++ b/crypto/init.c
-@@ -612,6 +612,70 @@ void OPENSSL_cleanup(void)
+@@ -404,6 +404,67 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_afalg)
+ # endif
+ #endif
+
++# ifndef OPENSSL_NO_SYMCRYPT_ENGINE
++static CRYPTO_ONCE engine_symcrypt = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(ossl_init_engine_symcrypt)
++{
++    int ret = 0;
++
++    // Get the default engine directory from the environment - may be NULL
++    char* load_dir = ossl_safe_getenv("OPENSSL_ENGINES");
++
++    #ifdef ENGINESDIR
++    // Use the default engines directory, if defined
++    if(load_dir == NULL)
++    {
++            load_dir = ENGINESDIR;
++    }
++    #endif
++
++    ENGINE *dynamic = NULL;
++    ENGINE *symcrypt = NULL;
++
++    dynamic = ENGINE_by_id("dynamic");
++    if (!dynamic)
++        goto err;
++
++    // Add the engines directory to the list of directories to load from and specify that loading
++    // from the directory list is mandatory (via DIR_LOAD = 2). Otherwise OpenSSL will try to load
++    // the engine from the default ld search path, fail, and skip loading from the engines dir.
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_ADD", load_dir, 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "DIR_LOAD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "SO_PATH", "symcryptengine.so", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "ID", "symcrypt", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LIST_ADD", "2", 0))
++        goto err;
++    if (!ENGINE_ctrl_cmd_string(dynamic, "LOAD", NULL, 0))
++        goto err;
++
++    symcrypt = ENGINE_by_id("symcrypt");
++    if (!symcrypt)
++        goto err;
++
++    // Make SymCrypt the default engine for all algorithms
++    if (!ENGINE_set_default_string(symcrypt, "ALL"))
++        goto err;
++
++err:
++    ENGINE_free(symcrypt);
++    ENGINE_free(dynamic);
++
++#  ifdef OPENSSL_INIT_DEBUG
++    fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_symcrypt: %d\n",
++        ret);
++#  endif
++
++    return ret;
++}
++# endif
++
+ #ifndef OPENSSL_NO_COMP
+ static CRYPTO_ONCE zlib = CRYPTO_ONCE_STATIC_INIT;
+
+@@ -612,6 +673,72 @@ void OPENSSL_cleanup(void)
      base_inited = 0;
  }
 
@@ -54,8 +122,10 @@ index 1b0d523bea..af171bda16 100644
 +    return enabled;
 +}
 +
-+// Check if fips is enabled
-+int ossl_fips_enabled(){
++// Init fips config
++static CRYPTO_ONCE fips_config = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(ossl_init_fips_conf)
++{
 +    g_fips_mode_enabled = 0;
 +    if (ossl_fips_enabled_by_cmd() > 0){
 +        g_fips_mode_enabled = 1;
@@ -67,26 +137,30 @@ index 1b0d523bea..af171bda16 100644
 +        return 1;
 +    }
 +
-+    return 0;
++    return 1;
 +}
 +
  /*
   * If this function is called with a non NULL settings value then it must be
   * called prior to any threads making calls to any OpenSSL functions,
-@@ -625,6 +689,13 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -723,9 +850,14 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+             && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
          return 0;
-     }
-
-+    if (g_fips_mode_enabled == -1) {
-+        int fips_enabled = ossl_fips_enabled();
-+        if (fips_enabled) {
-+            setenv("OPENSSL_CONF", FIPS_OPENSSL_CONFIG, 1);
-+        }
+ # endif
+-    if ((opts & OPENSSL_INIT_ENGINE_DYNAMIC)
+-            && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
+-        return 0;
++    if (opts & OPENSSL_INIT_ENGINE_DYNAMIC)
++    {
++        if (!RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
++            return 0;
++        RUN_ONCE(&fips_config, ossl_init_fips_conf);
++        if (g_fips_mode_enabled == 1)
++            RUN_ONCE(&engine_symcrypt, ossl_init_engine_symcrypt);
 +    }
-+
-     /*
-      * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
-      * *only* option specified.  With that option we return immediately after
+ # ifndef OPENSSL_NO_STATIC_ENGINE
+ #  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
+     if ((opts & OPENSSL_INIT_ENGINE_PADLOCK)
 diff --git a/crypto/o_fips.c b/crypto/o_fips.c
 index 050ea9c216..6e9ffdb1d9 100644
 --- a/crypto/o_fips.c

src/openssl.patch/debian.patch/20-support-fips-test.patch

@@ -0,0 +1,72 @@
+diff --git a/test/build.info b/test/build.info
+index bc3dae81f9..0c91cc297b 100644
+--- a/test/build.info
++++ b/test/build.info
+@@ -14,7 +14,7 @@ IF[{- !$disabled{tests} -}]
+           testutil/format_output.c testutil/tap_bio.c \
+           testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \
+           testutil/random.c
+-  INCLUDE[libtestutil.a]=../include
++  INCLUDE[libtestutil.a]=../include ../../SymCrypt-OpenSSL/SymCryptEngine/inc
+   DEPEND[libtestutil.a]=../libcrypto
+
+   # Special hack for descrip.mms to include the MAIN object module
+diff --git a/test/testutil/main.c b/test/testutil/main.c
+index d3ccdda391..82232733c8 100644
+--- a/test/testutil/main.c
++++ b/test/testutil/main.c
+@@ -11,6 +11,7 @@
+ #include "internal/nelem.h"
+ #include "output.h"
+ #include "tu_local.h"
++#include "scossl.h"
+
+ #include <string.h>
+
+@@ -47,6 +48,13 @@ int main(int argc, char *argv[])
+
+     setup_test_framework();
+
++    if (!SCOSSL_ENGINE_Initialize())
++    {
++        test_printf_stderr("SCOSSL init failed - aborting\n");
++        return ret;
++    }
++
++
+     if (setup_tests())
+         ret = run_tests(argv[0]);
+     cleanup_tests();
+diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
+index 64376247c3..70c8b62a68 100644
+--- a/engines/e_ossltest.c
++++ b/engines/e_ossltest.c
+@@ -319,6 +319,10 @@ static int bind_ossltest(ENGINE *e)
+         return 0;
+     }
+
++    ENGINE* scossl = ENGINE_by_id("symcrypt");
++    ENGINE_unregister_pkey_meths(scossl);
++    ENGINE_free(scossl);
++
+     return 1;
+ }
+
+diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
+index b675ed7892..67240e8a20 100644
+--- a/crypto/engine/eng_all.c
++++ b/crypto/engine/eng_all.c
+@@ -10,6 +10,13 @@
+ #include "internal/cryptlib.h"
+ #include "eng_local.h"
+
++__attribute__((constructor))
++void ENGINE_static_initializer(void)
++{
++    OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL);
++}
++
++
+ void ENGINE_load_builtin_engines(void)
+ {
+     /* Some ENGINEs need this */