From 8b20f8b3cf1db12ccdf8e84db191a374ad7ec039 Mon Sep 17 00:00:00 2001
From: Francisco Trivino
Date: Thu, 11 Jul 2024 16:29:26 +0200
Subject: [PATCH] Do not build OpenSSL ENGINE support on RHEL >= 10

OpenSSL ENGINEs are deprecated upstream, have subtle bugs, and (as all deprecated functionality) are not supposed to be used in FIPS mode. There is now a good alternative in pkcs11-provider, so remove support for ENGINEs from python-cryptography. Also, the OpenSSL engine headers were moved to a separate package on Fedora 41, so add the necessary dependency on the new subpackage if engine support is enabled on Fedora >= 41.

Fixes: RHEL-33747
Signed-off-by: Francisco Trivino
---
 python-cryptography.spec | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/python-cryptography.spec b/python-cryptography.spec
index 722047a..98c9280 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -4,6 +4,12 @@
 %global srcname cryptography
+%if 0%{?rhel} >= 10
+%bcond openssl_engine 0
+%else
+%bcond openssl_engine 1
+%endif
+
 Name: python-%{srcname}
 Version: 42.0.8
 Release: %autorelease
@@ -24,7 +30,9 @@ Patch1: skip-overflow-tests-32bit.patch
 ExclusiveArch: %{rust_arches}
 BuildRequires: openssl-devel
+%if %{with openssl_engine} && 0%{fedora} >= 41
 BuildRequires: openssl-devel-engine
+%endif
 BuildRequires: gcc
 BuildRequires: gnupg2
 %if 0%{?fedora}
@@ -98,6 +106,11 @@ cd ../..
 %build
 export RUSTFLAGS="%build_rustflags"
 export OPENSSL_NO_VENDOR=1
+
+%if !%{with openssl_engine}
+export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1"
+%endif
+
 # Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can
 # be dropped when a cryptography release bumps to pyo3 >= 0.22
 %if 0%{?rhel}
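Review bot: The new `%bcond openssl_engine` block at the top of the spec carries no comment, so the reason ENGINE support is off on RHEL >= 10 exists only in the commit message. Because a bcond is only a default, a rebuild with `--with openssl_engine` silently re-enables a code path the commit describes as unsuitable for FIPS mode. I would add a comment above the `%if`, for example `# ENGINE API is deprecated upstream and must not be used in FIPS mode; pkcs11-provider is the replacement (RHEL-33747). Do not enable on RHEL >= 10.`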
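Review bot: The added condition in the BuildRequires hunk uses `0%{fedora}` without the `?`, unlike `%if 0%{?fedora}` a few lines below and `0%{?rhel}` in the first hunk. On a non-Fedora build `%{fedora}` is undefined and rpm leaves it unexpanded, so the `%if` expression is likely to fail to parse. That would include RHEL >= 10, the platform this patch targets, because the whole line is expanded even when `%{with openssl_engine}` is 0. The line should read `%if %{with openssl_engine} && 0%{?fedora} >= 41`.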
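Review bot: The `export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1"` line in `%build` assumes `CFLAGS` is already exported with the distribution flags. If it is not, the compiler gets only the define and the hardening flags are dropped; `export CFLAGS="${CFLAGS:-%{build_cflags}} -DOPENSSL_NO_ENGINE=1"` keeps them in either case. Nothing in the visible hunk confirms that the bindings build actually honours `CFLAGS`, so the package could ship with ENGINE code still compiled in and nobody would notice. Since the stated goal is FIPS suitability, I would add a `%check` assertion under `%if !%{with openssl_engine}` that the built module reports no ENGINE support (for instance via the binding's `Cryptography_HAS_ENGINE` flag, if this version exposes it).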