openssl speed fixes (#12992)

With the symcrypt provider installed, openssl speed has a couple problems.

First, there are intermittent (but frequent) segfaults in openssl speed ecdh and openssl speed ffdh. This is fixed by upstream pull openssl/openssl#26976. We fix that by taking that patch.

Second, there are several warnings, the root cause of which also makes certain speed test be skipped. This boils down to a feature gap between symcrypt and default provider. For now, we will patch out the specific tests that are warning/bailing, but as those features come online in symcrypt we'll modify/remove that patch.

Author: tobiasb-ms

SPECS/openssl/Keep-the-provided-peer-EVP_PKEY-in-the-EVP_PKEY_CTX-too.patch

@@ -0,0 +1,34 @@
+From 782912cccc70f8c3fed4e49db2f479d97af0bdf9 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Mar 2025 18:43:18 +0100
+Subject: [PATCH] Keep the provided peer EVP_PKEY in the EVP_PKEY_CTX too
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/26976)
+
+(cherry picked from commit 2656922febfc36f6b44cff1c363917685633b4c5)
+---
+ crypto/evp/exchange.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/exchange.c b/crypto/evp/exchange.c
+index d9eed1cea5be2..70c2f441b9d7a 100644
+--- a/crypto/evp/exchange.c
++++ b/crypto/evp/exchange.c
+@@ -431,7 +431,13 @@ int EVP_PKEY_derive_set_peer_ex(EVP_PKEY_CTX *ctx, EVP_PKEY *peer,
+      */
+     if (provkey == NULL)
+         goto legacy;
+-    return ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
++    ret = ctx->op.kex.exchange->set_peer(ctx->op.kex.algctx, provkey);
++    if (ret <= 0)
++        return ret;
++    EVP_PKEY_free(ctx->peerkey);
++    ctx->peerkey = peer;
++    EVP_PKEY_up_ref(peer);
++    return 1;
+ 
+  legacy:
+ #ifdef FIPS_MODULE

SPECS/openssl/openssl.spec

@@ -9,7 +9,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.3.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
@@ -62,6 +62,14 @@ Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 # # See notes in the patch for details, but this patch will not be needed if
 # # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released.
 Patch80:  0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
+# Fix crashes in openssl speed with providers that don't refcount keys.
+# Upstream: https://github.com/openssl/openssl/pull/26976 has been merged into 3.3, so if we
+# upgrade to 3.3.4 when it comes out, we can remove this patch.
+Patch81:  Keep-the-provided-peer-EVP_PKEY-in-the-EVP_PKEY_CTX-too.patch
+# The Symcrypt provider, which is our default, doesn't support some of the
+# algorithms that are used in the speed tests. This patch skips those tests.
+# If SymCrypt adds support, we should change and eventually remove this patch.
+Patch82:  prevent-unsupported-calls-into-symcrypt-in-speed.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -357,6 +365,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Mon Mar 17 2025 Tobias Brick <tobiasb@microsoft.com> - 3.3.3-2
+- Patch to fix segfaults and errors in openssl speed.
+
 * Wed Feb 26 2025 Tobias Brick <tobiasb@microsoft.com> - 3.3.3-1
 - Auto-upgrade to 3.3.3 - none
 - Initially run through autoupgrader (CBL-Mariner Servicing Account <cblmargh@microsoft.com>)

SPECS/openssl/prevent-unsupported-calls-into-symcrypt-in-speed.patch

@@ -0,0 +1,163 @@
+From 4576a24fbe145ea200b9f9eb7e1854c61932e8b6 Mon Sep 17 00:00:00 2001
+From: Tobias Brick <tobiasb@microsoft.com>
+Date: Tue, 25 Feb 2025 21:52:41 +0000
+Subject: [PATCH] prevent unsupported calls into symcrypt in speed
+
+---
+ apps/speed.c | 46 ++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 44 insertions(+), 2 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index 8c3342e..b4e966d 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -27,6 +27,9 @@
+ /* We need to use some deprecated APIs */
+ #define OPENSSL_SUPPRESS_DEPRECATED
+ 
++/* AZL3-Specific: Only run tests that work with the SymCrypt provider. */
++#define AZL3_SYMCRYPT_PROVIDER
++
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -383,15 +386,24 @@ static double rsa_results[RSA_NUM][4];  /* 4 ops: sign, verify, encrypt, decrypt
+ 
+ #ifndef OPENSSL_NO_DH
+ enum ff_params_t {
+-    R_FFDH_2048, R_FFDH_3072, R_FFDH_4096, R_FFDH_6144, R_FFDH_8192, FFDH_NUM
++    R_FFDH_2048,
++    R_FFDH_3072,
++    R_FFDH_4096,
++#ifndef AZL3_SYMCRYPT_PROVIDER
++    R_FFDH_6144,
++    R_FFDH_8192,
++#endif /* AZL3_SYMCRYPT_PROVIDER */
++    FFDH_NUM,
+ };
+ 
+ static const OPT_PAIR ffdh_choices[FFDH_NUM] = {
+     {"ffdh2048", R_FFDH_2048},
+     {"ffdh3072", R_FFDH_3072},
+     {"ffdh4096", R_FFDH_4096},
++#ifndef AZL3_SYMCRYPT_PROVIDER
+     {"ffdh6144", R_FFDH_6144},
+     {"ffdh8192", R_FFDH_8192},
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+ };
+ 
+ static double ffdh_results[FFDH_NUM][1];  /* 1 op: derivation */
+@@ -403,8 +415,11 @@ enum ec_curves_t {
+     R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
+     R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
+ #endif
++#ifndef AZL3_SYMCRYPT_PROVIDER
+     R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1,
+-    R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM
++    R_EC_BRP512R1, R_EC_BRP512T1,
++#endif /* AZL3_SYMCRYPT_PROVIDER */
++    ECDSA_NUM
+ };
+ /* list of ecdsa curves */
+ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+@@ -424,12 +439,14 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+     {"ecdsab409", R_EC_B409},
+     {"ecdsab571", R_EC_B571},
+ #endif
++#ifndef AZL3_SYMCRYPT_PROVIDER
+     {"ecdsabrp256r1", R_EC_BRP256R1},
+     {"ecdsabrp256t1", R_EC_BRP256T1},
+     {"ecdsabrp384r1", R_EC_BRP384R1},
+     {"ecdsabrp384t1", R_EC_BRP384T1},
+     {"ecdsabrp512r1", R_EC_BRP512R1},
+     {"ecdsabrp512t1", R_EC_BRP512T1}
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+ };
+ enum {
+ #ifndef OPENSSL_NO_ECX
+@@ -456,12 +473,14 @@ static const OPT_PAIR ecdh_choices[EC_NUM] = {
+     {"ecdhb409", R_EC_B409},
+     {"ecdhb571", R_EC_B571},
+ #endif
++#ifndef AZL3_SYMCRYPT_PROVIDER
+     {"ecdhbrp256r1", R_EC_BRP256R1},
+     {"ecdhbrp256t1", R_EC_BRP256T1},
+     {"ecdhbrp384r1", R_EC_BRP384R1},
+     {"ecdhbrp384t1", R_EC_BRP384T1},
+     {"ecdhbrp512r1", R_EC_BRP512R1},
+     {"ecdhbrp512t1", R_EC_BRP512T1},
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+ #ifndef OPENSSL_NO_ECX
+     {"ecdhx25519", R_EC_X25519},
+     {"ecdhx448", R_EC_X448}
+@@ -1806,8 +1825,10 @@ int speed_main(int argc, char **argv)
+         {"ffdh2048", NID_ffdhe2048, 2048},
+         {"ffdh3072", NID_ffdhe3072, 3072},
+         {"ffdh4096", NID_ffdhe4096, 4096},
++#ifndef AZL3_SYMCRYPT_PROVIDER
+         {"ffdh6144", NID_ffdhe6144, 6144},
+         {"ffdh8192", NID_ffdhe8192, 8192}
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+     };
+     uint8_t ffdh_doit[FFDH_NUM] = { 0 };
+ 
+@@ -1839,12 +1860,14 @@ int speed_main(int argc, char **argv)
+         {"nistb409", NID_sect409r1, 409},
+         {"nistb571", NID_sect571r1, 571},
+ #endif
++#ifndef AZL3_SYMCRYPT_PROVIDER
+         {"brainpoolP256r1", NID_brainpoolP256r1, 256},
+         {"brainpoolP256t1", NID_brainpoolP256t1, 256},
+         {"brainpoolP384r1", NID_brainpoolP384r1, 384},
+         {"brainpoolP384t1", NID_brainpoolP384t1, 384},
+         {"brainpoolP512r1", NID_brainpoolP512r1, 512},
+         {"brainpoolP512t1", NID_brainpoolP512t1, 512},
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+ #ifndef OPENSSL_NO_ECX
+         /* Other and ECDH only ones */
+         {"X25519", NID_X25519, 253},
+@@ -1885,8 +1908,13 @@ int speed_main(int argc, char **argv)
+     OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448);
+     OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0);
+ 
++#ifdef AZL3_SYMCRYPT_PROVIDER
++    OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1);
++    OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0);
++#else
+     OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1);
+     OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0);
++#endif /* AZL3_SYMCRYPT_PROVIDER */
+ #endif /* OPENSSL_NO_ECX */
+ 
+ #ifndef OPENSSL_NO_SM2
+@@ -2066,6 +2094,13 @@ int speed_main(int argc, char **argv)
+                 goto end;
+             }
+             for (i = 0; i < OSSL_NELEM(rsa_choices); i++) {
++#ifdef AZL3_SYMCRYPT_PROVIDER
++                /* SymCrypt only supports 1024 and above */
++                if (strcmp(rsa_choices[i].name, "rsa512") == 0) {
++                    continue;
++                }
++#endif /* AZL3_SYMCRYPT_PROVIDER */
++
+                 kems_doit[kems_algs_len] = 1;
+                 kems_algname[kems_algs_len++] = OPENSSL_strdup(rsa_choices[i].name);
+             }
+@@ -2111,6 +2146,13 @@ int speed_main(int argc, char **argv)
+                 goto end;
+             }
+             for (i = 0; i < OSSL_NELEM(rsa_choices); i++) {
++#ifdef AZL3_SYMCRYPT_PROVIDER
++                /* SymCrypt only supports 1024 and above */
++                if (strcmp(rsa_choices[i].name, "rsa512") == 0) {
++                    continue;
++                }
++#endif /* AZL3_SYMCRYPT_PROVIDER */
++
+                 sigs_doit[sigs_algs_len] = 1;
+                 sigs_algname[sigs_algs_len++] = OPENSSL_strdup(rsa_choices[i].name);
+             }
+-- 
+2.45.3
+

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-1.azl3.aarch64.rpm
-openssl-devel-3.3.3-1.azl3.aarch64.rpm
-openssl-libs-3.3.3-1.azl3.aarch64.rpm
-openssl-perl-3.3.3-1.azl3.aarch64.rpm
-openssl-static-3.3.3-1.azl3.aarch64.rpm
+openssl-3.3.3-2.azl3.aarch64.rpm
+openssl-devel-3.3.3-2.azl3.aarch64.rpm
+openssl-libs-3.3.3-2.azl3.aarch64.rpm
+openssl-perl-3.3.3-2.azl3.aarch64.rpm
+openssl-static-3.3.3-2.azl3.aarch64.rpm
 libcap-2.69-3.azl3.aarch64.rpm
 libcap-devel-2.69-3.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-1.azl3.x86_64.rpm
-openssl-devel-3.3.3-1.azl3.x86_64.rpm
-openssl-libs-3.3.3-1.azl3.x86_64.rpm
-openssl-perl-3.3.3-1.azl3.x86_64.rpm
-openssl-static-3.3.3-1.azl3.x86_64.rpm
+openssl-3.3.3-2.azl3.x86_64.rpm
+openssl-devel-3.3.3-2.azl3.x86_64.rpm
+openssl-libs-3.3.3-2.azl3.x86_64.rpm
+openssl-perl-3.3.3-2.azl3.x86_64.rpm
+openssl-static-3.3.3-2.azl3.x86_64.rpm
 libcap-2.69-3.azl3.x86_64.rpm
 libcap-devel-2.69-3.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -287,12 +287,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-1.azl3.aarch64.rpm
-openssl-debuginfo-3.3.3-1.azl3.aarch64.rpm
-openssl-devel-3.3.3-1.azl3.aarch64.rpm
-openssl-libs-3.3.3-1.azl3.aarch64.rpm
-openssl-perl-3.3.3-1.azl3.aarch64.rpm
-openssl-static-3.3.3-1.azl3.aarch64.rpm
+openssl-3.3.3-2.azl3.aarch64.rpm
+openssl-debuginfo-3.3.3-2.azl3.aarch64.rpm
+openssl-devel-3.3.3-2.azl3.aarch64.rpm
+openssl-libs-3.3.3-2.azl3.aarch64.rpm
+openssl-perl-3.3.3-2.azl3.aarch64.rpm
+openssl-static-3.3.3-2.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -295,12 +295,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.3-1.azl3.x86_64.rpm
-openssl-debuginfo-3.3.3-1.azl3.x86_64.rpm
-openssl-devel-3.3.3-1.azl3.x86_64.rpm
-openssl-libs-3.3.3-1.azl3.x86_64.rpm
-openssl-perl-3.3.3-1.azl3.x86_64.rpm
-openssl-static-3.3.3-1.azl3.x86_64.rpm
+openssl-3.3.3-2.azl3.x86_64.rpm
+openssl-debuginfo-3.3.3-2.azl3.x86_64.rpm
+openssl-devel-3.3.3-2.azl3.x86_64.rpm
+openssl-libs-3.3.3-2.azl3.x86_64.rpm
+openssl-perl-3.3.3-2.azl3.x86_64.rpm
+openssl-static-3.3.3-2.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm