Package: 1138295
Followup-For: Bug #1138295
X-Debbugs-Cc: [email protected]
Control: tags -1 patch

Please find attached a patch that fixes this issue.


-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), 
(100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Description: Fix FTBFS with OpenSSL 4.0 by guarding ENGINE API usage
 OpenSSL 4.0 removes the ENGINE API entirely. Guard the engine.h include
 and the ENGINE-using functions with #ifndef OPENSSL_NO_ENGINE, which is
 defined when OpenSSL is built without ENGINE support (as in 4.0).
 When engine support is unavailable and an engine is requested, emit an
 error message and return NULL.
Forwarded: no
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154843
Bug-Debian: https://bugs.debian.org/1138295
Last-Update: 2026-06-11

Index: efitools/lib/openssl_sign.c
===================================================================
--- efitools.orig/lib/openssl_sign.c    2026-06-11 15:20:48.163941404 +0200
+++ efitools/lib/openssl_sign.c 2026-06-11 15:24:16.202517855 +0200
@@ -7,7 +7,9 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include <openssl/sha.h>
+#ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
+#endif
 
 #include <openssl_sign.h>
 
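Review bot: the new `#ifndef OPENSSL_NO_ENGINE` around `<openssl/engine.h>` only works because the OpenSSL headers included above it (`pem.h`, `err.h`, `sha.h`) have already pulled in the configuration header that defines that macro. An explicit `#include <openssl/opensslconf.h>` before the guard would keep the test valid if the include order ever changes.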
@@ -96,6 +98,7 @@
        return pkey;
 }
 
+#ifndef OPENSSL_NO_ENGINE
 static int ui_read(UI *ui, UI_STRING *uis)
 {
        char password[128];
@@ -145,12 +148,19 @@
        ENGINE_free(e);
        return pkey;
 }
+#endif /* OPENSSL_NO_ENGINE */
 
 EVP_PKEY *
 read_private_key(char *engine, char *keyfile)
 {
-       if (engine)
+       if (engine) {
+#ifndef OPENSSL_NO_ENGINE
                return read_engine_private_key(engine, keyfile);
-       else
+#else
+               fprintf(stderr, "OpenSSL ENGINE support not available; cannot 
use engine %s\n", engine);
+               return NULL;
+#endif
+       } else {
                return read_pem_private_key(keyfile);
+       }
 }
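Review bot: in the `#else` branch of `read_private_key()`, the `fprintf` format string is split across two lines ("cannot" / "use engine %s\n"), so the patch as posted here will neither apply nor compile; it looks like mail line wrapping, so please resend it as an attachment or with wrapping disabled. Returning NULL when an engine is requested but unavailable, rather than falling through to `read_pem_private_key(keyfile)`, is the right fail-closed behaviour for a signing key. Two smaller points: the closing `#endif /* OPENSSL_NO_ENGINE */` ends an `#ifndef`, so `/* !OPENSSL_NO_ENGINE */` would be the more accurate comment, and since the include hunk only shows OpenSSL headers, please confirm `<stdio.h>` is already included for the new `fprintf(stderr, ...)` call.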
