[AUTO-CHERRYPICK] symcrypt: upgrade to 103.5.1 - branch 3.0-dev (#10815)

Co-authored-by: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/SymCrypt/0001-add-build-flags-to-prevent-stripping-and-post-proces.patch

@@ -1,8 +1,23 @@
-From a91f9a55e6b8b01511538827005a6e948ccf6e27 Mon Sep 17 00:00:00 2001
-From: Tobias Brick <tobiasb@microsoft.com>
-Date: Sat, 12 Oct 2024 02:06:21 +0000
-Subject: [PATCH] add build flags to prevent stripping and post processing
+From 997c3bdf24749edbdb562af15f9d95be35f062de Mon Sep 17 00:00:00 2001
+From: Tobias Brick <tobiasb@exchange.microsoft.com>
+Date: Tue, 15 Oct 2024 16:21:27 +0000
+Subject: [PATCH] Merged PR 11601893: add build flags to prevent stripping and
+ post processing
 
+## Description:
+Add build flags to prevent stripping and post processing of binary after building. This is useful to fit in to different package build systems.
+
+----
+#### AI description  (iteration 1)
+#### PR Classification
+New feature
+
+#### PR Summary
+This pull request introduces build flags to control binary stripping and FIPS postprocessing.
+- `CMakeLists.txt`: Added options `SYMCRYPT_STRIP_BINARY` and `SYMCRYPT_FIPS_POSTPROCESS` with default values set to `ON`.
+- `scripts/build.py`: Added command-line arguments `--no-strip-binary` and `--no-fips-postprocess` to control the new build options.
+- `BUILD.md`: Updated documentation to include the new build options.
+- `modules/linux/common/ModuleCommon.cmake`: Modified conditions to respect the new build flags for stripping and FIPS postprocessing.
 ---
  BUILD.md                                |  2 ++
  CMakeLists.txt                          | 14 ++++++++++++++
@@ -11,10 +26,10 @@ Subject: [PATCH] add build flags to prevent stripping and post processing
  4 files changed, 26 insertions(+), 2 deletions(-)
 
 diff --git a/BUILD.md b/BUILD.md
-index e7f0618..a4984da 100644
+index f6c781d..e8eaa88 100644
 --- a/BUILD.md
 +++ b/BUILD.md
-@@ -63,6 +63,8 @@ and building the Linux modules with FIPS integrity checks.
+@@ -74,6 +74,8 @@ and building the Linux modules with FIPS integrity checks.
        * To cross-compile for Linux ARM64, you must also use `--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake`
      * `-DSYMCRYPT_USE_ASM=<ON|OFF>` to choose whether to use assembly optimizations. Defaults to `ON`.
      * `-DSYMCRYPT_FIPS_BUILD=<ON|OFF>` to choose whether to enable FIPS self-tests in the SymCrypt shared object module. Defaults to `ON`. Currently only affects Linux builds.
@@ -24,11 +39,11 @@ index e7f0618..a4984da 100644
  1. `cmake --build bin`
      * Optionally, for a release build on Windows, specify `--config Release`
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 6da485d..1533e9d 100644
+index cd9aa15..9e0c599 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
-@@ -54,6 +54,18 @@ if(SYMCRYPT_FIPS_BUILD)
-     add_compile_options(-DSYMCRYPT_DO_FIPS_SELFTESTS=1)
+@@ -56,6 +56,18 @@ if(SYMCRYPT_FIPS_BUILD)
+     add_compile_definitions(SYMCRYPT_DO_FIPS_SELFTESTS=1)
  endif()
 
 +option(
@@ -46,20 +61,20 @@ index 6da485d..1533e9d 100644
  option(
      SYMCRYPT_TEST_LEGACY_IMPL
      "When enabled, the SymCrypt unit tests will be linked against and configured to run compatibility and performance tests on the legacy
-@@ -94,6 +106,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
+@@ -104,6 +116,8 @@ message(STATUS "Host: ${CMAKE_HOST_SYSTEM_NAME} ${CMAKE_HOST_SYSTEM_PROCESSOR}")
  message(STATUS "Target: ${CMAKE_SYSTEM_NAME} ${SYMCRYPT_TARGET_ARCH} ${SYMCRYPT_TARGET_ENV}")
  message(STATUS "ASM optimizations: ${SYMCRYPT_USE_ASM}")
  message(STATUS "FIPS build: ${SYMCRYPT_FIPS_BUILD}")
 +message(STATUS "Strip binary: ${SYMCRYPT_STRIP_BINARY}")
 +message(STATUS "FIPS postprocess: ${SYMCRYPT_FIPS_POSTPROCESS}")
 
- # Set output directories binaries
- # Note: we use a generator expression because "Multi-configuration generators [e.g. Visual Studio]
+ # Validate compiler versions
+ if("${CMAKE_CXX_COMPILER_ID}" MATCHES "GNU")
 diff --git a/modules/linux/common/ModuleCommon.cmake b/modules/linux/common/ModuleCommon.cmake
-index ced60ac..7d626c0 100644
+index e6db214..fbe1421 100644
 --- a/modules/linux/common/ModuleCommon.cmake
 +++ b/modules/linux/common/ModuleCommon.cmake
-@@ -57,7 +57,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION})
+@@ -61,7 +61,7 @@ set_target_properties(${TARGET_NAME} PROPERTIES VERSION ${PROJECT_VERSION})
  set_target_properties(${TARGET_NAME} PROPERTIES SOVERSION ${PROJECT_VERSION_MAJOR})
 
 
@@ -68,7 +83,7 @@ index ced60ac..7d626c0 100644
      add_custom_command(
          TARGET ${TARGET_NAME}
          POST_BUILD
-@@ -69,7 +69,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
+@@ -73,7 +73,7 @@ if(CMAKE_BUILD_TYPE MATCHES "Release|RelWithDebInfo")
      )
  endif()
 
@@ -78,7 +93,7 @@ index ced60ac..7d626c0 100644
          TARGET ${TARGET_NAME}
          POST_BUILD
 diff --git a/scripts/build.py b/scripts/build.py
-index bbf0c89..48a7146 100755
+index af9b0bc..3a70b84 100755
 --- a/scripts/build.py
 +++ b/scripts/build.py
 @@ -101,6 +101,12 @@ def configure_cmake(args : argparse.Namespace) -> None:
@@ -94,7 +109,7 @@ index bbf0c89..48a7146 100755
      if args.test_legacy_impl:
          cmake_args.append("-DSYMCRYPT_TEST_LEGACY_IMPL=ON")
 
-@@ -215,6 +221,8 @@ def main() -> None:
+@@ -218,6 +224,8 @@ def main() -> None:
      parser_cmake.add_argument("--cxx", type = str, help = "Specify the C++ compiler to use. If not provided, uses platform default.")
      parser_cmake.add_argument("--no-asm", action = "store_false", dest = "asm", help = "Disable handwritten ASM optimizations.", default = True)
      parser_cmake.add_argument("--no-fips", action = "store_false", dest = "fips", help = "Disable FIPS selftests and postprocessing of binary. Currently only affects Linux targets.", default = True)

SPECS/SymCrypt/SymCrypt.signatures.json

@@ -1,7 +1,8 @@
 {
  "Signatures": {
-  "SymCrypt-103.4.2.tar.gz": "7cbcee7625fd1d99286e393a727504189dab4d407c6c3474bd2532d5ee231921",
+  "SymCrypt-103.5.1.tar.gz": "1c4d41972f7683cb2c053ddc58452d6f4b56c1b556b7499f9fedbd7706ccd0fe",
   "find-debuginfo": "356800f19b755879993103c121c83fb4cc97d0e8656ea34d051daa310f54cedf",
-  "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487"
+  "jitterentropy-library-3.3.1.tar.gz": "4a50cb02b4836cd5550016e2fc2263e6982abaa11467a9e1cea260c1c2f7d487",
+  "symcrypt-build-environment-variables-v103.5.1.sh": "6f6e162011e8203de66be6af59c0b4511992b731370a152044b028e8075578a7"
  }
 }

SPECS/SymCrypt/SymCrypt.spec

@@ -1,7 +1,7 @@
 Summary:        A core cryptographic library written by Microsoft
 Name:           SymCrypt
-Version:        103.4.2
-Release:        2%{?dist}
+Version:        103.5.1
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,9 @@ URL:            https://github.com/microsoft/SymCrypt
 Source0:        https://github.com/microsoft/SymCrypt/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        https://github.com/smuellerDD/jitterentropy-library/archive/v3.3.1.tar.gz#/jitterentropy-library-3.3.1.tar.gz
 Source2:        find-debuginfo
+# Use ./generate-env-file.sh --release-tag <git-version-tag> to generate this. For example:
+#   ./generate-env-file.sh --release-tag v103.5.1
+Source3:        symcrypt-build-environment-variables-v%{version}.sh
 Patch1:         0001-add-build-flags-to-prevent-stripping-and-post-proces.patch
 Patch2:         0001-add-parameter-to-process_fips_module-to-specify-the-.patch
 BuildRequires:  cmake
@@ -48,9 +51,7 @@ rm -rf 3rdparty/jitterentropy-library
 ln -s ../jitterentropy-library-3.3.1 3rdparty/jitterentropy-library
 
 %build
-SYMCRYPT_BRANCH=main \
-SYMCRYPT_COMMIT_HASH=a84ffe1 \
-SYMCRYPT_COMMIT_TIMESTAMP=2024-01-26T22:00:47-08:00 \
+source %{SOURCE3}
 cmake   -S . -B bin \
         -DSYMCRYPT_TARGET_ARCH=%{symcrypt_arch} \
         -DSYMCRYPT_STRIP_BINARY=OFF \
@@ -104,6 +105,9 @@ chmod 755 %{buildroot}%{_libdir}/libsymcrypt.so.%{version}
 %{_includedir}/*
 
 %changelog
+* Mon Oct 21 2024 Tobias Brick <tobiasb@microsoft.com> - 103.5.1-1
+- Update 103.5.1
+
 * Mon Oct 14 2024 Tobias Brick <tobiasb@microsoft.com> - 103.4.2-2
 - Add debuginfo package
 

SPECS/SymCrypt/add-parameter-to-version-script-to-print-the-commit-info.patch

@@ -0,0 +1,74 @@
+From 1425f9e27cb1bae39e0b22e25fce50daa47618ca Mon Sep 17 00:00:00 2001
+From: Tobias Brick <tobiasb@exchange.microsoft.com>
+Date: Tue, 15 Oct 2024 22:59:08 +0000
+Subject: [PATCH] Merged PR 11618838: add parameter to version script to print
+ the commit info environment variables
+
+Add parameter to version script to print the commit info environment variables. This makes it easier to get those right for builds based on the source tarball rather than from a git clone.
+
+----
+#### AI description  (iteration 1)
+#### PR Classification
+New feature
+
+#### PR Summary
+Added a new parameter to the version script to print commit information as environment variables.
+- `scripts/version.py`: Introduced `--commit-info` argument to print commit hash and timestamp as environment variables. Added `print_commit_info` function to handle this new feature.
+---
+ scripts/version.py | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/version.py b/scripts/version.py
+index 49edf9b..4ac1862 100644
+--- a/scripts/version.py
++++ b/scripts/version.py
+@@ -180,27 +180,43 @@ def print_devops_vars(version_info: SymCryptVersion) -> None:
+     set_task_variable("VER_MINOR", version_info.minor)
+     set_task_variable("VER_PATCH", version_info.patch)
+ 
++def print_commit_info(version_info: SymCryptVersion) -> None:
++    """
++    Prints the commit information as environment variables that would override the commit hash and timestamp.
++    """
++
++    print("export {}={}".format(ENV_SYMCRYPT_BRANCH, version_info.branch))
++    print("export {}={}".format(ENV_SYMCRYPT_COMMIT_HASH, version_info.commit_hash))
++    print("export {}={}".format(ENV_SYMCRYPT_COMMIT_TIMESTAMP, version_info.commit_timestamp.isoformat(timespec = "seconds")))
++
+ def main() -> None:
+     """
+     Entrypoint
+     """
+ 
+     parser = argparse.ArgumentParser(description = "Versioning helper script for SymCrypt.")
++    parser.add_argument("--no-print-version-number", dest = "print_version_number", help = "Do not print the version number", action = "store_false", default = True)
+     group = parser.add_mutually_exclusive_group()
+     group.add_argument("-b", "--build-info", help = "Generate buildInfo.h", action = "store_true")
+     group.add_argument("--devops", help = "Format output to set Azure DevOps variables", action = "store_true")
++    group.add_argument("--commit-info",
++        help = "Format commit info as environment variables that would override the commit hash and timestamp, which can then be used when building from the source tarball rather than a git clone.",
++        action = "store_true")
+ 
+     args = parser.parse_args()
+ 
+     # Parse the version information from the SymCrypt headers
+     version_info = get_version_info()
+ 
+-    print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))
++    if args.print_version_number:
++        print("{}.{}.{}".format(version_info.major, version_info.minor, version_info.patch))
+ 
+     if args.build_info:
+         generate_build_info(version_info)
+     elif args.devops:
+         print_devops_vars(version_info)
++    elif args.commit_info:
++        print_commit_info(version_info)
+ 
+ if __name__ == "__main__":
+-    main()
+\ No newline at end of file
++    main()
+-- 
+2.39.4
+

SPECS/SymCrypt/generate-env-file.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Fail out if anything fails.
+set -e
+
+SYMCRYPT_REPO='https://github.com/microsoft/SymCrypt.git'
+SYMCRYPT_DIR='./SymCrypt'
+
+CURRENT_DIR=$(pwd)
+RELEASE_TAG=
+
+function show_help() {
+    echo "Usage: $0 [--release-tag <tag>]"
+    echo
+    echo "Options:"
+    echo "  --release-tag <tag>  The release tag to use for the build, e.g.: v103.5.1"
+    echo "  --debug              Enable debug output, which is just 'set -x'"
+    echo "  --help               Display this help message"
+    echo
+    echo "Generates a sourceable script file that sets git-related environment variables for the SymCrypt build."
+    echo "The script file will be named 'symcrypt-build-environment-variables-<release-tag>.sh"
+}
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -h|--help)
+            show_help
+            exit 0
+            ;;
+        -t|--tag|--release-tag)
+            RELEASE_TAG="$2"
+            shift
+            ;;
+        -d|--debug)
+            set -x
+            ;;
+        *)
+            echo "Unknown parameter passed: $1"
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [ -z "${RELEASE_TAG}" ]; then
+    echo "release tag is required" >> /dev/stderr
+    show_help
+    exit 1
+fi
+
+echo "generating env file for release tag: '${RELEASE_TAG}'"
+
+# Create a temporary directory to clone the git repo
+TEMP_DIR=$(mktemp -d)
+if [[ ! "$TEMP_DIR" || ! -d "$TEMP_DIR" ]]; then
+    echo "Could not create temp dir to clone git repo" >> /dev/stderr
+    exit 1
+fi
+
+# Clone into the temp directory
+pushd "${TEMP_DIR}" > /dev/null
+echo "Cloning SymCrypt repo '${SYMCRYPT_REPO}' into temp directory '${TEMP_DIR}"
+git clone "${SYMCRYPT_REPO}"
+
+# The version script uses the current git branch, which want to main but at the commit for the release tag.
+echo "Getting to the commit for release tag '${RELEASE_TAG}'"
+cd "${SYMCRYPT_DIR}"
+TAG_COMMIT=$(git rev-parse --verify "${RELEASE_TAG}")
+if [[ ! "$TAG_COMMIT" ]]; then
+    echo "Could not find commit for release tag '${RELEASE_TAG}'"
+    exit 1
+fi
+echo "Tag commit is '${TAG_COMMIT}'"
+git reset --hard "${TAG_COMMIT}"
+
+# Patching the version script; will be unneeded as of v103.5.2
+git apply "${CURRENT_DIR}/add-parameter-to-version-script-to-print-the-commit-info.patch"
+
+# Call the version script to get the properly formmatted git info
+ENV_SCRIPT_FILE_NAME="symcrypt-build-environment-variables-${RELEASE_TAG}.sh"
+echo "#!/bin/bash" > "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "# Generated by 'generate-env-file.sh'" >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "Running version script"
+python3 scripts/version.py --no-print-version-number --commit-info >> "${CURRENT_DIR}/${ENV_SCRIPT_FILE_NAME}"
+echo "Generated '${ENV_SCRIPT_FILE_NAME}'"
+
+# Clean up the temp directory
+popd > /dev/null
+rm -rf "${TEMP_DIR}"

SPECS/SymCrypt/symcrypt-build-environment-variables-v103.5.1.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# Generated by 'generate-env-file.sh'
+export SYMCRYPT_BRANCH=main
+export SYMCRYPT_COMMIT_HASH=907622c
+export SYMCRYPT_COMMIT_TIMESTAMP=2024-09-18T20:38:10+00:00

cgmanifest.json

@@ -28226,8 +28226,8 @@
         "type": "other",
         "other": {
           "name": "SymCrypt",
-          "version": "103.4.2",
-          "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.4.2.tar.gz"
+          "version": "103.5.1",
+          "downloadUrl": "https://github.com/microsoft/SymCrypt/archive/v103.5.1.tar.gz"
         }
       }
     },