From af0e739346bdaef1678df8a0252bef5f26cb303d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Sat, 3 Aug 2024 00:16:12 +0200
Subject: [PATCH] Make OpenSSL engine support optional and disabled

openssl-devel-engine is now needed on rawhide to have engine header present. Make it enabled by default, but possible to disable built support for it easy way. https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Resolves: RHEL-22408
---
 bind-9.20-openssl-no-engine.patch | 47 +++++++++++++++++++++++++++++++
 bind.spec | 21 ++++++++++++--
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 bind-9.20-openssl-no-engine.patch
diff --git a/bind-9.20-openssl-no-engine.patch b/bind-9.20-openssl-no-engine.patch
new file mode 100644
index 0000000..adb46aa
--- /dev/null
+++ b/bind-9.20-openssl-no-engine.patch
@@ -0,0 +1,47 @@
+From b487bd340ae1b635ce5cffe76f748ddc97f301f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Sat, 3 Aug 2024 01:28:36 +0200
+Subject: [PATCH] Remove unused headers from OpenSSL
+ shims
+
+The headers were unused and including the
+ header might cause build failure when OpenSSL
+doesn't have Engines support enabled.
+
+See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+---
+ lib/isc/openssl_shim.c | 2 --
+ lib/isc/openssl_shim.h | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
+index c39ba8c6827..02d0105eb9e 100644
+--- a/lib/isc/openssl_shim.c
++++ b/lib/isc/openssl_shim.c
+@@ -16,9 +16,7 @@
+ #include
+
+ #include
+-#include
+ #include
+-#include
+ #include
+ #include
+
+diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
+index b2916e20a90..95b2f08e231 100644
+--- a/lib/isc/openssl_shim.h
++++ b/lib/isc/openssl_shim.h
+@@ -14,9 +14,7 @@
+ #pragma once
+
+ #include
+-#include
+ #include
+-#include
+ #include
+ #include
+
+--
+2.46.2
+
diff --git a/bind.spec b/bind.spec
index f04df10..19e733e 100644
--- a/bind.spec +++ b/bind.spec @@ -26,6 +26,10 @@ %bcond_without DOCPDF %endif %bcond_with TSAN +%if 0%{?fedora} >= 41 && ! 0%{?rhel} +# Make this enabled on recent Fedora, but not in ELN or RHEL + %bcond_without OPENSSL_ENGINE +%endif %{?!bind_uid: %global bind_uid 25} %{?!bind_gid: %global bind_gid 25} @@ -77,7 +81,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0 Version: 9.18.21 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -114,6 +118,9 @@ Patch10: bind-9.5-PIE.patch Patch16: bind-9.16-redhat_doc.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2122010 Patch26: bind-9.18-unittest-netmgr-unstable.patch +# Correct support for building without openssl/engine.h header +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9593 +Patch27: bind-9.20-openssl-no-engine.patch %{?systemd_ordering} Requires: coreutils @@ -128,6 +135,10 @@ Obsoletes: %{name}-pkcs11 < 32:9.18.4-2 BuildRequires: gcc, make BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel +%if %{with OPENSSL_ENGINE} +# Not available in RHEL10+ +BuildRequires: openssl-devel-engine +%endif BuildRequires: libidn2-devel, libxml2-devel BuildRequires: systemd-rpm-macros BuildRequires: selinux-policy @@ -365,8 +376,11 @@ done %define systemtest_prepare_build() \ cp -Tuav bin/tests "%{1}/bin/tests/" \ -CFLAGS="$CFLAGS $RPM_OPT_FLAGS" +%if %{with OPENSSL_ENGINE} CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100" +%else +CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE=1" +%endif %if %{with TSAN} CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" %endif @@ -962,6 +976,9 @@ fi; %endif %changelog +* Tue Oct 08 2024 Petr Menšík - 32:9.18.21-6 +- Make OpenSSL engine support optional and disabled (RHEL-22408) + * Mon Jun 24 2024 Troy Dawson - 32:9.18.21-5 - Bump release for June 2024 mass rebuild
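Review bot: `OPENSSL_ENGINE` is declared only inside the `%if 0%{?fedora} >= 41 && ! 0%{?rhel}` block of the `-26,6 +26,10` hunk, so on RHEL, ELN and older Fedora the conditional is never declared. There `%{with OPENSSL_ENGINE}` evaluates to 0 only because the macro is undefined, and `rpmbuild --with OPENSSL_ENGINE` has no effect. An explicit fallback makes the default visible and keeps the switch usable on every target: add `%else` and `%bcond_with OPENSSL_ENGINE` before the `%endif`. The comment could also state the outcome directly, for example `# Engine support: on by default for Fedora >= 41, off (opt-in) elsewhere`, because the commit subject says "disabled" while the description says "enabled by default".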
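Review bot: The `# Not available in RHEL10+` comment above the conditional `BuildRequires: openssl-devel-engine` (hunk `-128,6 +135,10`) explains the packaging constraint but not what users lose. A build without the engine header presumably cannot load keys through an OpenSSL ENGINE, which matters to sites that keep DNSSEC keys in an HSM behind a PKCS#11 engine; this should be confirmed against the BIND sources, which are not visible here. Suggest extending the comment, for example `# Not available in RHEL10+; without it BIND is built with OPENSSL_NO_ENGINE and cannot load keys via an OpenSSL engine`, and repeating that in the changelog entry.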
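Review bot: The `CFLAGS="$CFLAGS $RPM_OPT_FLAGS"` line is deleted in the `-365,8 +376,11` hunk, and the commit message does not mention it. `$RPM_OPT_FLAGS` typically carries the distribution hardening flags (stack protector, `_FORTIFY_SOURCE`, PIE-related options), so confirm they still reach `configure` by another route, in particular for the TSAN branch that follows, where `CFLAGS+=` appends to whatever is already set; if the removal is unintended, restore the line above the new `%if %{with OPENSSL_ENGINE}`. Separately, the `%else` branch sets `-DOPENSSL_NO_ENGINE=1` but drops `-DOPENSSL_API_COMPAT=10100`, so the two build variants differ in more than engine support; if that is not intended, use `CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100 -DOPENSSL_NO_ENGINE=1"`. The rest of `%build` lies outside the hunk, so whether these variables are exported or overridden later cannot be checked from here.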