From 982a1dba7ed16ed44342fcd178e6fc28131ab0ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Tue, 2 Jul 2024 20:21:17 +0200 Subject: [PATCH] Resolves: RHEL-33742 - Disable ENGINE support by default - disable ENGINE support by default - add engine bcond --- 0004-Disable-ENGINE-support.patch | 96 +++++++++++++++++++++++++++++++ nginx.spec | 12 ++++ 2 files changed, 108 insertions(+) create mode 100644 0004-Disable-ENGINE-support.patch diff --git a/0004-Disable-ENGINE-support.patch b/0004-Disable-ENGINE-support.patch new file mode 100644 index 0000000..6094b3e --- /dev/null +++ b/0004-Disable-ENGINE-support.patch @@ -0,0 +1,96 @@ +From 5dd0765607135a418289bc4a20060f31eeaede73 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Tue, 2 Jul 2024 18:29:18 +0200 +Subject: [PATCH] Disable ENGINE support + +--- + auto/options | 3 +++ + configure | 4 ++++ + src/event/ngx_event_openssl.c | 7 +++---- + src/event/ngx_event_openssl.h | 2 +- + 4 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/auto/options b/auto/options +index 6a6e990..3cc983d 100644 +--- a/auto/options ++++ b/auto/options +@@ -45,6 +45,8 @@ USE_THREADS=NO + + NGX_FILE_AIO=NO + ++NGX_SSL_NO_ENGINE=NO ++ + QUIC_BPF=NO + + HTTP=YES +@@ -373,6 +375,7 @@ use the \"--with-mail_ssl_module\" option instead" + + --with-openssl=*) OPENSSL="$value" ;; + --with-openssl-opt=*) OPENSSL_OPT="$value" ;; ++ --without-engine) NGX_SSL_NO_ENGINE=YES ;; + + --with-md5=*) + NGX_POST_CONF_MSG="$NGX_POST_CONF_MSG +diff --git a/configure b/configure +index 5b88ebb..3a2129e 100755 +--- a/configure ++++ b/configure +@@ -104,6 +104,10 @@ have=NGX_HTTP_UWSGI_TEMP_PATH value="\"$NGX_HTTP_UWSGI_TEMP_PATH\"" + have=NGX_HTTP_SCGI_TEMP_PATH value="\"$NGX_HTTP_SCGI_TEMP_PATH\"" + . auto/define + ++if [ $NGX_SSL_NO_ENGINE = YES ]; then ++ have=NGX_SSL_NO_ENGINE . auto/have ++fi ++ + . auto/make + . auto/lib/make + . auto/install +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 6f7f2a2..f939706 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -842,7 +842,7 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, + + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +-#ifndef OPENSSL_NO_ENGINE ++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE) + + u_char *p, *last; + ENGINE *engine; +@@ -6119,8 +6119,7 @@ ngx_openssl_create_conf(ngx_cycle_t *cycle) + static char * + ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + { +-#ifndef OPENSSL_NO_ENGINE +- ++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE) + ngx_openssl_conf_t *oscf = conf; + + ENGINE *engine; +@@ -6170,7 +6169,7 @@ ngx_openssl_exit(ngx_cycle_t *cycle) + #if OPENSSL_VERSION_NUMBER < 0x10100003L + + EVP_cleanup(); +-#ifndef OPENSSL_NO_ENGINE ++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE) + ENGINE_cleanup(); + #endif + +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index 761f48d..c60b16d 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -20,7 +20,7 @@ + #include + #include + #include +-#ifndef OPENSSL_NO_ENGINE ++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE) + #include + #endif + #include +-- +2.44.0 + diff --git a/nginx.spec b/nginx.spec index 22297c0..32eba4a 100644 --- a/nginx.spec +++ b/nginx.spec @@ -22,6 +22,12 @@ %global with_aio 1 +%if 0%{?fedora} > 40 || 0%{?rhel} > 9 +%bcond_with engine +%else +%bcond_without engine +%endif + %if 0%{?fedora} > 22 %global with_mailcap_mimetypes 1 %endif @@ -94,6 +100,9 @@ Patch1: 0002-fix-PIDFile-handling.patch # encrypted private keys with pass phrase decryption Patch2: 0003-Add-SSL-passphrase-dialog.patch +# downstream patch - Disable ENGINE support by default for F41+ +Patch3: 0004-Disable-ENGINE-support.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -334,6 +343,9 @@ if ! ./configure \ --with-mail_ssl_module \ %if 0%{?with_ktls} --with-openssl-opt=enable-ktls \ +%endif +%if %{without engine} + --without-engine \ %endif --with-pcre \ --with-pcre-jit \