From 2e7ff4d683c4f4d7d3e6eacdd05f84b8668dd4ba Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 13 Mar 2024 10:23:42 +0100 Subject: [PATCH] Conditionally enable SSL engine APIs --- librabbitmq.spec | 7 +- ...conditionally_enable_ssl_engine_apis.patch | 152 ++++++++++++++++++ 2 files changed, 158 insertions(+), 1 deletion(-) create mode 100644 rabbitmq-c-conditionally_enable_ssl_engine_apis.patch diff --git a/librabbitmq.spec b/librabbitmq.spec index b7c1bf2..c45cb22 100644 --- a/librabbitmq.spec +++ b/librabbitmq.spec @@ -19,7 +19,7 @@ Name: %{libname} Summary: Client library for AMQP Version: 0.13.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT URL: https://github.com/alanxz/rabbitmq-c @@ -27,6 +27,7 @@ Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{g # CVE-2023-35789, https://github.com/alanxz/rabbitmq-c/pull/781 Patch0: rabbitmq-c-CVE-2023-35789.patch +Patch1: rabbitmq-c-conditionally_enable_ssl_engine_apis.patch BuildRequires: gcc BuildRequires: cmake > 3.12 @@ -70,6 +71,7 @@ amqp-publish Publish a message on an AMQP server %prep %setup -q -n %{gh_project}-%{gh_commit} %patch -P0 -p1 +%patch -P1 -p1 # Copy sources to be included in -devel docs. cp -pr examples Examples @@ -148,6 +150,9 @@ make test %changelog +* Wed Mar 13 2024 Than Ngo - 0.13.0-6 +- Conditionally enable SSL engine APIs + * Thu Jan 25 2024 Fedora Release Engineering - 0.13.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/rabbitmq-c-conditionally_enable_ssl_engine_apis.patch b/rabbitmq-c-conditionally_enable_ssl_engine_apis.patch new file mode 100644 index 0000000..6f40a46 --- /dev/null +++ b/rabbitmq-c-conditionally_enable_ssl_engine_apis.patch 
@@ -0,0 +1,152 @@
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/cmake/config.h.in 2024-03-05 15:42:21.611143615 +0100
+@@ -7,4 +7,6 @@
+
+ #define AMQ_PLATFORM "@CMAKE_SYSTEM_NAME@"
+
++#cmakedefine ENABLE_SSL_ENGINE_API
++
+ #endif /* CONFIG_H */
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/CMakeLists.txt 2024-03-05 15:42:21.610143596 +0100
+@@ -42,6 +42,7 @@ endif()
+
+ include(CheckSymbolExists)
+ include(CheckLibraryExists)
++include(CMakeDependentOption)
+ include(CMakePushCheckState)
+ include(GNUInstallDirs)
+
+@@ -119,14 +120,19 @@ if (ENABLE_SSL_SUPPORT)
+ set(THREADS_PREFER_PTHREAD_FLAG ON)
+ find_package(Threads REQUIRED)
+ cmake_pop_check_state()
++
++ cmake_push_check_state()
++ set(CMAKE_REQUIRED_LIBRARIES OpenSSL::SSL)
++ check_symbol_exists(ENGINE_new openssl/engine.h HAS_OPENSSL_ENGINE)
++ cmake_pop_check_state()
++
++ cmake_dependent_option(ENABLE_SSL_ENGINE_API "Enable support for deprecated OpenSSL ENGINE feature" ON "HAS_OPENSSL_ENGINE" OFF)
+ endif()
+
+ if(CMAKE_PROJECT_NAME STREQUAL PROJECT_NAME)
+ include(CTest)
+ endif()
+
+-include(CMakeDependentOption)
+-
+ option(BUILD_SHARED_LIBS "Build rabbitmq-c as a shared library" ON)
+ option(BUILD_STATIC_LIBS "Build rabbitmq-c as a static library" ON)
+ option(INSTALL_STATIC_LIBS "Install rabbitmq-c static library" ON)
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/amqp.h 2024-03-05 15:42:21.612143634 +0100
+@@ -670,7 +670,8 @@ typedef enum amqp_status_enum_ {
+ certificate failed. */
+ AMQP_STATUS_SSL_CONNECTION_FAILED = -0x0203, /**< SSL handshake failed. */
+ AMQP_STATUS_SSL_SET_ENGINE_FAILED = -0x0204, /**< SSL setting engine failed */
+- _AMQP_STATUS_SSL_NEXT_VALUE = -0x0205 /**< Internal value */
++ AMQP_STATUS_SSL_UNIMPLEMENTED = -0x0205, /**< SSL API is not implemented. */
++ _AMQP_STATUS_SSL_NEXT_VALUE = -0x0206 /**< Internal value */
+ } amqp_status_enum;
+
+ /**
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/include/rabbitmq-c/ssl_socket.h 2024-03-05 15:42:21.612143634 +0100
+@@ -102,7 +102,8 @@ int AMQP_CALL amqp_ssl_socket_set_key(am
+ * \param [in] the key ID.
+ *
+ * \return \ref AMQP_STATUS_OK on success an \ref amqp_status_enum value on
+- * failure.
++ * failure. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED if OpenSSL does
++ * not support the ENGINE API.
+ *
+ * \since v0.11.0
+ */
+@@ -262,7 +263,8 @@ int AMQP_CALL amqp_initialize_ssl_librar
+ * has been called.
+ *
+ * \param [in] engine the engine ID
+- * \return AMQP_STATUS_OK on success.
++ * \return AMQP_STATUS_OK on success. May return \ref AMQP_STATUS_SSL_UNIMPLEMENTED
++ * if OpenSSL does not support the ENGINE API.
+ *
+ * \since v0.11.0
+ */
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_api.c 2024-03-05 15:42:21.612143634 +0100
+@@ -85,7 +85,9 @@ static const char *ssl_error_strings[] =
+ /* AMQP_STATUS_SSL_CONNECTION_FAILED -0x0203 */
+ "SSL handshake failed",
+ /* AMQP_STATUS_SSL_SET_ENGINE_FAILED -0x0204 */
+- "SSL setting engine failed"};
++ "SSL setting engine failed",
++ /* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0204 */
++ "SSL API is not implemented"};
+
+ static const char *unknown_error_string = "(unknown error)";
+
+diff -up rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c
+--- rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c.orig 2023-02-06 01:31:11.000000000 +0100
++++ rabbitmq-c-974d71adceae6d742ae20a4c880d99c131f1460a/librabbitmq/amqp_openssl.c 2024-03-05 15:42:21.613143653 +0100
+@@ -23,7 +23,9 @@
+ #include
+ #include
+ #include
++#ifdef ENABLE_SSL_ENGINE_API
+ #include
++#endif
+ #include
+ #include
+ #include
+@@ -36,7 +38,9 @@ static int decrement_ssl_connections(voi
+ static pthread_mutex_t openssl_init_mutex = PTHREAD_MUTEX_INITIALIZER;
+ static amqp_boolean_t openssl_bio_initialized = 0;
+ static int openssl_connections = 0;
++#ifdef ENABLE_SSL_ENGINE_API
+ static ENGINE *openssl_engine = NULL;
++#endif
+
+ #define CHECK_SUCCESS(condition) \
+ do { \
+@@ -391,6 +395,7 @@ int amqp_ssl_socket_set_key(amqp_socket_
+
+ int amqp_ssl_socket_set_key_engine(amqp_socket_t *base, const char *cert,
+ const char *key) {
++#ifdef ENABLE_SSL_ENGINE_API
+ int status;
+ struct amqp_ssl_socket_t *self;
+ EVP_PKEY *pkey = NULL;
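Review bot: The comment added above the new `ssl_error_strings[]` entry in librabbitmq/amqp_api.c reads `/* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0204 */`, but the amqp.h hunk of the same patch defines `AMQP_STATUS_SSL_UNIMPLEMENTED = -0x0205`; -0x0204 is the value of AMQP_STATUS_SSL_SET_ENGINE_FAILED one entry above. The array appears to be matched to status codes by position, so these comments are the only thing that ties each string to its code, and the line should read `/* AMQP_STATUS_SSL_UNIMPLEMENTED -0x0205 */`. The code that indexes this table is outside the hunk, so its bounds check against the longer array could not be confirmed here.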
+@@ -415,6 +420,9 @@ int amqp_ssl_socket_set_key_engine(amqp_
+ return AMQP_STATUS_SSL_ERROR;
+ }
+ return AMQP_STATUS_OK;
++#else
++ return AMQP_STATUS_SSL_UNIMPLEMENTED;
++#endif
+ }
+
+ static int password_cb(AMQP_UNUSED char *buffer, AMQP_UNUSED int length,
+@@ -580,6 +588,7 @@ void amqp_set_initialize_ssl_library(amq
+ int amqp_initialize_ssl_library(void) { return AMQP_STATUS_OK; }
+
+ int amqp_set_ssl_engine(const char *engine) {
++#ifdef ENABLE_SSL_ENGINE_API
+ int status = AMQP_STATUS_OK;
+ CHECK_SUCCESS(pthread_mutex_lock(&openssl_init_mutex));
+
+@@ -609,6 +618,9 @@ int amqp_set_ssl_engine(const char *engi
+ out:
+ CHECK_SUCCESS(pthread_mutex_unlock(&openssl_init_mutex));
+ return status;
++#else
++ return AMQP_STATUS_SSL_UNIMPLEMENTED;
++#endif
+ }
+
+ static int initialize_ssl_and_increment_connections() {
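Review bot: The `#else` branches added to `amqp_ssl_socket_set_key_engine()` and `amqp_set_ssl_engine()` in librabbitmq/amqp_openssl.c return `AMQP_STATUS_SSL_UNIMPLEMENTED` without using any parameter and without saying what state the socket is left in. For the key function this means no client key was configured, so a caller that ignores the return value would presumably proceed to the handshake without the engine-held key. A comment at each `#else` such as `/* ENGINE support compiled out: nothing was configured, callers must treat this as a failure */` would put that contract next to the code. Where `-Wunused-parameter` is enabled the stubs will also warn, and `(void)base; (void)cert; (void)key;` (and `(void)engine;` in the second function) would silence that. Both function bodies extend outside the visible hunks, and the hunks do not show whether `config.h` is included before the first `#ifdef ENABLE_SSL_ENGINE_API`; if it is not, the ENGINE code would be compiled out even when CMake detected it.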