Make OpenSSL engine support optional and disabled

openssl-devel-engine is now needed on rawhide to have engine header present. Make it enabled by default, but possible to disable built support for it easy way. https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Resolves: RHEL-22408
2024-08-03 00:16:12 +02:00 · 2024-08-03 00:16:12 +02:00 · af0e739346
commit af0e739346
parent 1999defc02
2 changed files with 66 additions and 2 deletions
--- a/bind-9.20-openssl-no-engine.patch
+++ b/bind-9.20-openssl-no-engine.patch
@ -0,0 +1,47 @@
 From b487bd340ae1b635ce5cffe76f748ddc97f301f7 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Sat, 3 Aug 2024 01:28:36 +0200
 Subject: [PATCH] Remove unused <openssl/{hmac,engine}.h> headers from OpenSSL
 shims
 The <openssl/{hmac,engine}.h> headers were unused and including the
 <openssl/engine.h> header might cause build failure when OpenSSL
 doesn't have Engines support enabled.
 See https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
 ---
 lib/isc/openssl_shim.c | 2 --
 lib/isc/openssl_shim.h | 2 --
 2 files changed, 4 deletions(-)
 diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
 index c39ba8c6827..02d0105eb9e 100644
 --- a/lib/isc/openssl_shim.c
 +++ b/lib/isc/openssl_shim.c
@@ -16,9 +16,7 @@
 #include <string.h>
 #include <openssl/crypto.h>
 -#include <openssl/engine.h>
 #include <openssl/evp.h>
 -#include <openssl/hmac.h>
 #include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
 index b2916e20a90..95b2f08e231 100644
 --- a/lib/isc/openssl_shim.h
 +++ b/lib/isc/openssl_shim.h
@@ -14,9 +14,7 @@
 #pragma once
 #include <openssl/crypto.h>
 -#include <openssl/engine.h>
 #include <openssl/evp.h>
 -#include <openssl/hmac.h>
 #include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 -- 
 2.46.2
--- a/bind.spec
+++ b/bind.spec
@ -26,6 +26,10 @@
 %bcond_without DOCPDF
 %endif
 %bcond_with    TSAN
 %if 0%{?fedora} >= 41 && ! 0%{?rhel}
 # Make this enabled on recent Fedora, but not in ELN or RHEL
  %bcond_without OPENSSL_ENGINE
 %endif
 %{?!bind_uid:  %global bind_uid  25}
 %{?!bind_gid:  %global bind_gid  25}
@ -77,7 +81,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # ./lib/isc/tm.c BSD-2-clause and/or MPL-2.0
 # ./lib/isccfg/parser.c BSD-2-clause and/or MPL-2.0
 Version:  9.18.21
-Release:  5%{?dist}
+Release:  6%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@ -114,6 +118,9 @@ Patch10: bind-9.5-PIE.patch
 Patch16: bind-9.16-redhat_doc.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2122010
 Patch26: bind-9.18-unittest-netmgr-unstable.patch
 # Correct support for building without openssl/engine.h header
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9593
 Patch27: bind-9.20-openssl-no-engine.patch
 %{?systemd_ordering}
 Requires:       coreutils
@ -128,6 +135,10 @@ Obsoletes:      %{name}-pkcs11 < 32:9.18.4-2
 BuildRequires:  gcc, make
 BuildRequires:  openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
 %if %{with OPENSSL_ENGINE}
 # Not available in RHEL10+
 BuildRequires:  openssl-devel-engine
 %endif
 BuildRequires:  libidn2-devel, libxml2-devel
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  selinux-policy
@ -365,8 +376,11 @@ done
 %define systemtest_prepare_build() \
  cp -Tuav bin/tests "%{1}/bin/tests/" \
-CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+%if %{with OPENSSL_ENGINE}
 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
 %else
 CPPFLAGS="$CPPFLAGS -DOPENSSL_NO_ENGINE=1"
 %endif
 %if %{with TSAN}
  CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
 %endif
@ -962,6 +976,9 @@ fi;
 %endif
 %changelog
 * Tue Oct 08 2024 Petr Menšík <pemensik@redhat.com> - 32:9.18.21-6
 - Make OpenSSL engine support optional and disabled (RHEL-22408)
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 32:9.18.21-5
 - Bump release for June 2024 mass rebuild