Make OpenSSL engine support optional and disabled

openssl-devel-engine is now needed on rawhide to have engine header present. Make it enabled by default, but possible to disable built support for it easy way. https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Resolves: RHEL-22408
2024-08-03 00:16:12 +02:00 · 2024-08-03 00:16:12 +02:00 · af0e739346
commit af0e739346
parent 1999defc02
2 changed files with 66 additions and 2 deletions
--- a/bind-9.20-openssl-no-engine.patch
+++ b/bind-9.20-openssl-no-engine.patch
@ -0,0 +1,47 @@
+From b487bd340ae1b635ce5cffe76f748ddc97f301f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Sat, 3 Aug 2024 01:28:36 +0200
+Subject: [PATCH] Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL
+ shims
+
+The <openssl/{hmac,engine}.h> headers were unused and including the
+<openssl/engine.h> header might cause build failure when OpenSSL
+doesn't have Engines support enabled.
+
+See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+---
+ lib/isc/openssl_shim.c | 2 --
+ lib/isc/openssl_shim.h | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
+index c39ba8c6827..02d0105eb9e 100644
+--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
+@@ -16,9 +16,7 @@
+ #include <string.h>
+ 
+ #include <openssl/crypto.h>
+-#include <openssl/engine.h>
+ #include <openssl/evp.h>
+-#include <openssl/hmac.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/ssl.h>
+ 
+diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
+index b2916e20a90..95b2f08e231 100644
+--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
+@@ -14,9 +14,7 @@
+ #pragma once
+ 
+ #include <openssl/crypto.h>
+-#include <openssl/engine.h>
+ #include <openssl/evp.h>
+-#include <openssl/hmac.h>
+ #include <openssl/opensslv.h>
+ #include <openssl/ssl.h>
+ 
+-- 
+2.46.2
+
--- a/bind.spec
+++ b/bind.spec
@ -26,6 +26,10 @@
 %bcond_without DOCPDF
 %endif
 %bcond_with    TSAN
+%if 0%{?fedora} >= 41 && ! 0%{?rhel}
+# Make this enabled on recent Fedora, but not in ELN or RHEL
+  %bcond_without OPENSSL_ENGINE
+%endif

 %{?!bind_uid:  %global bind_uid  25}
 %{?!bind_gid:  %global bind_gid  25}
@ -77,7 +81,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version:  9.18.21
-Release:  5%{?dist}
+Release:  6%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -114,6 +118,9 @@ Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
+# Correct support for building without openssl/engine.h header
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9593
+Patch27: bind-9.20-openssl-no-engine.patch

 %{?systemd_ordering}
 Requires:       coreutils
@ -128,6 +135,10 @@ Obsoletes:      %{name}-pkcs11 < 32:9.18.4-2

 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
+%if %{with OPENSSL_ENGINE}
+# Not available in RHEL10+
+BuildRequires:  openssl-devel-engine
+%endif
 BuildRequires:  libidn2-devel, libxml2-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  selinux-policy
@ -365,8 +376,11 @@ done
 %define systemtest_prepare_build() \
  cp -Tuav bin/tests "%{1}/bin/tests/" \

-CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+%if %{with OPENSSL_ENGINE}
 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
+%else
+CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE=1"
+%endif
 %if %{with TSAN}
  CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
 %endif
@ -962,6 +976,9 @@ fi;
 %endif

 %changelog
+* Tue Oct 08 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.21-6
+- Make OpenSSL engine support optional and disabled (RHEL-22408)
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 32:9.18.21-5
 - Bump release for June 2024 mass rebuild