Make OpenSSL engine support optional and disabled

openssl-devel-engine is now needed on rawhide to have the engine header
present. Make it enabled by default, but possible to disable built
support for it in an easy way.

https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine

Resolves: RHEL-22408
Petr Menšík 2024-08-03 00:16:12 +02:00
parent 1999defc02
commit af0e739346
2 changed files with 66 additions and 2 deletions

@ -0,0 +1,47 @@
From b487bd340ae1b635ce5cffe76f748ddc97f301f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Sat, 3 Aug 2024 01:28:36 +0200
Subject: [PATCH] Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL
shims
The <openssl/{hmac,engine}.h> headers were unused and including the
<openssl/engine.h> header might cause build failure when OpenSSL
doesn't have Engines support enabled.
See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
---
lib/isc/openssl_shim.c | 2 --
lib/isc/openssl_shim.h | 2 --
2 files changed, 4 deletions(-)
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index c39ba8c6827..02d0105eb9e 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -16,9 +16,7 @@
#include <string.h>
#include <openssl/crypto.h>
-#include <openssl/engine.h>
#include <openssl/evp.h>
-#include <openssl/hmac.h>
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index b2916e20a90..95b2f08e231 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -14,9 +14,7 @@
#pragma once
#include <openssl/crypto.h>
-#include <openssl/engine.h>
#include <openssl/evp.h>
-#include <openssl/hmac.h>
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
--
2.46.2
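Review bot: the removal of `#include <openssl/hmac.h>` from both openssl_shim.c and openssl_shim.h rests only on the statement that the header is unused, while the build-failure rationale in the message applies to `<openssl/engine.h>` alone. Please confirm that neither shim file references an HMAC_* symbol, so the build does not come to depend on hmac.h arriving transitively through `<openssl/evp.h>` or `<openssl/ssl.h>`. A test build against an OpenSSL installation without the engine header would cover both removals.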

@ -26,6 +26,10 @@
%bcond_without DOCPDF %bcond_without DOCPDF
%endif %endif
%bcond_with TSAN %bcond_with TSAN
%if 0%{?fedora} >= 41 && ! 0%{?rhel}
# Make this enabled on recent Fedora, but not in ELN or RHEL
%bcond_without OPENSSL_ENGINE
%endif
%{?!bind_uid: %global bind_uid 25} %{?!bind_uid: %global bind_uid 25}
%{?!bind_gid: %global bind_gid 25} %{?!bind_gid: %global bind_gid 25}
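Review bot: `%bcond_without OPENSSL_ENGINE` is declared only inside the `%if 0%{?fedora} >= 41 && ! 0%{?rhel}` block, so wherever that condition is false (RHEL, ELN, and also Fedora below 41) no bcond exists at all. `%{with OPENSSL_ENGINE}` then evaluates to 0, which gives the disabled default, but `--with OPENSSL_ENGINE` on the rpmbuild command line has nothing to act on there. Adding an `%else` branch with `%bcond_with OPENSSL_ENGINE` would keep the same default and make the switch overridable everywhere. The commit subject says "disabled" while the body says "enabled by default", so the comment above the bcond should also state which default applies to which distribution, including whether turning engines off for Fedora below 41 is intended.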
@ -77,7 +81,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
# ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
# ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
Version: 9.18.21 Version: 9.18.21
Release: 5%{?dist} Release: 6%{?dist}
Epoch: 32 Epoch: 32
Url: https://www.isc.org/downloads/bind/ Url: https://www.isc.org/downloads/bind/
# #
@ -114,6 +118,9 @@ Patch10: bind-9.5-PIE.patch
Patch16: bind-9.16-redhat_doc.patch Patch16: bind-9.16-redhat_doc.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2122010 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
Patch26: bind-9.18-unittest-netmgr-unstable.patch Patch26: bind-9.18-unittest-netmgr-unstable.patch
# Correct support for building without openssl/engine.h header
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9593
Patch27: bind-9.20-openssl-no-engine.patch
%{?systemd_ordering} %{?systemd_ordering}
Requires: coreutils Requires: coreutils
@ -128,6 +135,10 @@ Obsoletes: %{name}-pkcs11 < 32:9.18.4-2
BuildRequires: gcc, make BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
%if %{with OPENSSL_ENGINE}
# Not available in RHEL10+
BuildRequires: openssl-devel-engine
%endif
BuildRequires: libidn2-devel, libxml2-devel BuildRequires: libidn2-devel, libxml2-devel
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: selinux-policy BuildRequires: selinux-policy
@ -365,8 +376,11 @@ done
%define systemtest_prepare_build() \ %define systemtest_prepare_build() \
cp -Tuav bin/tests "%{1}/bin/tests/" \ cp -Tuav bin/tests "%{1}/bin/tests/" \
CFLAGS="$CFLAGS $RPM_OPT_FLAGS" %if %{with OPENSSL_ENGINE}
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100" CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
%else
CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE=1"
%endif
%if %{with TSAN} %if %{with TSAN}
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie" CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
%endif %endif
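Review bot: the `CFLAGS="$CFLAGS $RPM_OPT_FLAGS"` line appears to be dropped here, replaced in place by `%if %{with OPENSSL_ENGINE}`, and neither the commit message nor the changelog entry mentions it. If the removal is deliberate, say so and confirm that the distribution's optimisation and hardening flags still reach the compiler by another route; if not, restore the line above the `%if`. Separately, the `%else` branch sets `-DOPENSSL_NO_ENGINE=1` without `-DOPENSSL_API_COMPAT=10100`, so disabling engines also changes the OpenSSL API compatibility level. Keep that define outside the conditional if only the engine code is meant to be affected.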
@ -962,6 +976,9 @@ fi;
%endif %endif
%changelog %changelog
* Tue Oct 08 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.21-6
- Make OpenSSL engine support optional and disabled (RHEL-22408)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 32:9.18.21-5 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 32:9.18.21-5
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild