Resolves: RHEL-33742 - Disable ENGINE support by default

- disable ENGINE support by default
- add engine bcond

0004-Disable-ENGINE-support.patch

@@ -0,0 +1,96 @@
+From 5dd0765607135a418289bc4a20060f31eeaede73 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Tue, 2 Jul 2024 18:29:18 +0200
+Subject: [PATCH] Disable ENGINE support
+
+---
+ auto/options                  | 3 +++
+ configure                     | 4 ++++
+ src/event/ngx_event_openssl.c | 7 +++----
+ src/event/ngx_event_openssl.h | 2 +-
+ 4 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/auto/options b/auto/options
+index 6a6e990..3cc983d 100644
+--- a/auto/options
++++ b/auto/options
+@@ -45,6 +45,8 @@ USE_THREADS=NO
+ 
+ NGX_FILE_AIO=NO
+ 
++NGX_SSL_NO_ENGINE=NO
++
+ QUIC_BPF=NO
+ 
+ HTTP=YES
+@@ -373,6 +375,7 @@ use the \"--with-mail_ssl_module\" option instead"
+ 
+         --with-openssl=*)                OPENSSL="$value"           ;;
+         --with-openssl-opt=*)            OPENSSL_OPT="$value"       ;;
++        --without-engine)                NGX_SSL_NO_ENGINE=YES      ;;
+ 
+         --with-md5=*)
+             NGX_POST_CONF_MSG="$NGX_POST_CONF_MSG
+diff --git a/configure b/configure
+index 5b88ebb..3a2129e 100755
+--- a/configure
++++ b/configure
+@@ -104,6 +104,10 @@ have=NGX_HTTP_UWSGI_TEMP_PATH value="\"$NGX_HTTP_UWSGI_TEMP_PATH\""
+ have=NGX_HTTP_SCGI_TEMP_PATH value="\"$NGX_HTTP_SCGI_TEMP_PATH\""
+ . auto/define
+ 
++if [ $NGX_SSL_NO_ENGINE = YES ]; then
++    have=NGX_SSL_NO_ENGINE . auto/have
++fi
++
+ . auto/make
+ . auto/lib/make
+ . auto/install
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 6f7f2a2..f939706 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -842,7 +842,7 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+ 
+     if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+ 
+-#ifndef OPENSSL_NO_ENGINE
++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE)
+ 
+         u_char  *p, *last;
+         ENGINE  *engine;
+@@ -6119,8 +6119,7 @@ ngx_openssl_create_conf(ngx_cycle_t *cycle)
+ static char *
+ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+ {
+-#ifndef OPENSSL_NO_ENGINE
+-
++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE)
+     ngx_openssl_conf_t *oscf = conf;
+ 
+     ENGINE     *engine;
+@@ -6170,7 +6169,7 @@ ngx_openssl_exit(ngx_cycle_t *cycle)
+ #if OPENSSL_VERSION_NUMBER < 0x10100003L
+ 
+     EVP_cleanup();
+-#ifndef OPENSSL_NO_ENGINE
++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE)
+     ENGINE_cleanup();
+ #endif
+ 
+diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
+index 761f48d..c60b16d 100644
+--- a/src/event/ngx_event_openssl.h
++++ b/src/event/ngx_event_openssl.h
+@@ -20,7 +20,7 @@
+ #include <openssl/conf.h>
+ #include <openssl/crypto.h>
+ #include <openssl/dh.h>
+-#ifndef OPENSSL_NO_ENGINE
++#if !defined(OPENSSL_NO_ENGINE) && !defined(NGX_SSL_NO_ENGINE)
+ #include <openssl/engine.h>
+ #endif
+ #include <openssl/evp.h>
+-- 
+2.44.0
+

nginx.spec

@@ -22,6 +22,12 @@
 
 %global with_aio 1
 
+%if 0%{?fedora} > 40 || 0%{?rhel} > 9
+%bcond_with engine
+%else
+%bcond_without engine
+%endif
+
 %if 0%{?fedora} > 22
 %global with_mailcap_mimetypes 1
 %endif
@@ -94,6 +100,9 @@ Patch1:            0002-fix-PIDFile-handling.patch
 # encrypted private keys with pass phrase decryption
 Patch2:            0003-Add-SSL-passphrase-dialog.patch
 
+# downstream patch - Disable ENGINE support by default for F41+
+Patch3:            0004-Disable-ENGINE-support.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -334,6 +343,9 @@ if ! ./configure \
     --with-mail_ssl_module \
 %if 0%{?with_ktls}
     --with-openssl-opt=enable-ktls \
+%endif
+%if %{without engine}
+    --without-engine \
 %endif
     --with-pcre \
     --with-pcre-jit \