author | Christian Heimes <christian@python.org> | 2021-11-23 21:58:13 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-23 21:58:13 (GMT) |
commit | b9e9292d75fdea621e05e39b8629e6935d282d0d (patch) | |
tree | a6bfd78173b8e8ddb9c4e7b09aae9401ae38fd74 /configure.ac | |
parent | 095bc8f0d6845dded8f67fbc6eca20dfac8b3929 (diff) | |
bpo-45847: Port _ssl and _hashlib to PY_STDLIB_MOD (GH-29727)
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 138 |
1 files changed, 98 insertions, 40 deletions
diff --git a/configure.ac b/configure.ac index 0008e8a..92afdf3 100644 --- a/configure.ac +++ b/configure.ac @@ -5891,6 +5891,12 @@ ac_includes_default="$save_includes_default" AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no]) # rpath to libssl and libcrypto +AS_VAR_IF([GNULD], [yes], [ + rpath_arg="-Wl,--enable-new-dtags,-rpath=" +], [ + rpath_arg="-Wl,-rpath=" +]) + AC_MSG_CHECKING(for --with-openssl-rpath) AC_ARG_WITH(openssl-rpath, AS_HELP_STRING([--with-openssl-rpath=@<:@DIR|auto|no@:>@], 
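Review bot: The GNU ld branch of `rpath_arg` adds `--enable-new-dtags` without a comment on what that changes at run time. With new dtags the linker records the directory as DT_RUNPATH, which the dynamic loader consults after `LD_LIBRARY_PATH`, so the environment can still select a different libssl/libcrypto than the one configured with `--with-openssl-rpath`. I would document that above the `AS_VAR_IF`, for example `dnl new dtags emit DT_RUNPATH: LD_LIBRARY_PATH still takes precedence over --with-openssl-rpath`. The non-GNU branch passes `-Wl,-rpath=`; whether every supported linker accepts the `=` form is not visible from this hunk and may deserve a comment too.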
@@ -5903,58 +5909,104 @@ AC_ARG_WITH(openssl-rpath, [with_openssl_rpath=no] ) AS_CASE($with_openssl_rpath, - [auto|yes],[OPENSSL_RPATH=auto], - [no],[OPENSSL_RPATH=], + [auto|yes], [ + OPENSSL_RPATH=auto + dnl look for linker directories + for arg in "$OPENSSL_LDFLAGS"; do + AS_CASE([$arg], + [-L*], [OPENSSL_LDFLAGS_RPATH="$OPENSSL_LDFLAGS_RPATH ${rpath_arg}$(echo $arg | cut -c3-)"] + ) + done + ], + [no], [OPENSSL_RPATH=], [AS_IF( [test -d "$with_openssl_rpath"], - [OPENSSL_RPATH="$with_openssl_rpath"], + [ + OPENSSL_RPATH="$with_openssl_rpath" + OPENSSL_LDFLAGS_RPATH="${rpath_arg}$with_openssl_rpath" + ], AC_MSG_ERROR([--with-openssl-rpath "$with_openssl_rpath" is not a directory])) ] ) AC_MSG_RESULT($OPENSSL_RPATH) AC_SUBST([OPENSSL_RPATH]) +# This static linking is NOT OFFICIALLY SUPPORTED and not advertised. +# Requires static OpenSSL build with position-independent code. Some features +# like DSO engines or external OSSL providers don't work. Only tested with GCC +# and clang on X86_64. 
+AS_VAR_IF([PY_UNSUPPORTED_OPENSSL_BUILD], [static], [ + AC_MSG_CHECKING([for unsupported static openssl build]) + new_OPENSSL_LIBS= + for arg in $OPENSSL_LIBS; do + AS_CASE([$arg], + [-l*], [ + libname=$(echo $arg | cut -c3-) + new_OPENSSL_LIBS="$new_OPENSSL_LIBS -l:lib${libname}.a -Wl,--exclude-libs,lib${libname}.a" + ], + [new_OPENSSL_LIBS="$new_OPENSSL_LIBS $arg"] + ) + done + dnl include libz for OpenSSL build flavors with compression support + OPENSSL_LIBS="$new_OPENSSL_LIBS $ZLIB_LIBS" + AC_MSG_RESULT([$OPENSSL_LIBS]) +]) + +dnl AX_CHECK_OPENSSL does not export libcrypto-only libs +LIBCRYPTO_LIBS= +for arg in $OPENSSL_LIBS; do + AS_CASE([$arg], + [-l*ssl*|-Wl*ssl*], [], + [LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS $arg"] + ) +done + # check if OpenSSL libraries work as expected -AC_CACHE_CHECK([whether OpenSSL provides required APIs], [ac_cv_working_openssl], [ -save_LIBS="$LIBS" -save_CFLAGS="$CFLAGS" -save_LDFLAGS="$LDFLAGS" -LIBS="$LIBS $OPENSSL_LIBS" -CFLAGS="$CFLAGS_NODIST $OPENSSL_INCLUDES" -LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" +WITH_SAVE_ENV([ + LIBS="$LIBS $OPENSSL_LIBS" + CFLAGS="$CFLAGS $OPENSSL_INCLUDES" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH" -AC_LINK_IFELSE([AC_LANG_PROGRAM([[ -#include <openssl/opensslv.h> -#include <openssl/evp.h> -#include <openssl/ssl.h> + AC_CACHE_CHECK([whether OpenSSL provides required ssl module APIs], [ac_cv_working_openssl_ssl], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <openssl/opensslv.h> + #include <openssl/ssl.h> + #if OPENSSL_VERSION_NUMBER < 0x10101000L + #error "OpenSSL >= 1.1.1 is required" + #endif + static void keylog_cb(const SSL *ssl, const char *line) {} + ], [ + SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); + SSL_CTX_set_keylog_callback(ctx, keylog_cb); + SSL *ssl = SSL_new(ctx); + X509_VERIFY_PARAM *param = SSL_get0_param(ssl); + X509_VERIFY_PARAM_set1_host(param, "python.org", 0); + SSL_free(ssl); + SSL_CTX_free(ctx); + ])], [ac_cv_working_openssl_ssl=yes], 
[ac_cv_working_openssl_ssl=no]) + ]) +]) -#if OPENSSL_VERSION_NUMBER < 0x10101000L -#error "OpenSSL >= 1.1.1 is required" -#endif +WITH_SAVE_ENV([ + LIBS="$LIBS $LIBCRYPTO_LIBS" + CFLAGS="$CFLAGS $OPENSSL_INCLUDES" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH" -static void keylog_cb(const SSL *ssl, const char *line) {} -]], [[ -/* SSL APIs */ -SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); -SSL_CTX_set_keylog_callback(ctx, keylog_cb); -SSL *ssl = SSL_new(ctx); -X509_VERIFY_PARAM *param = SSL_get0_param(ssl); -X509_VERIFY_PARAM_set1_host(param, "python.org", 0); -SSL_free(ssl); -SSL_CTX_free(ctx); - -/* hashlib APIs */ -OBJ_nid2sn(NID_md5); -OBJ_nid2sn(NID_sha1); -OBJ_nid2sn(NID_sha3_512); -OBJ_nid2sn(NID_blake2b512); -EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); -]])], - [ac_cv_working_openssl=yes], - [ac_cv_working_openssl=no]) -LIBS="$save_LIBS" -CFLAGS="$save_CFLAGS" -LDFLAGS="$save_LDFLAGS" + AC_CACHE_CHECK([whether OpenSSL provides required hashlib module APIs], [ac_cv_working_openssl_hashlib], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <openssl/opensslv.h> + #include <openssl/evp.h> + #if OPENSSL_VERSION_NUMBER < 0x10101000L + #error "OpenSSL >= 1.1.1 is required" + #endif + ], [ + OBJ_nid2sn(NID_md5); + OBJ_nid2sn(NID_sha1); + OBJ_nid2sn(NID_sha3_512); + OBJ_nid2sn(NID_blake2b512); + EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); + ])], [ac_cv_working_openssl_hashlib=yes], [ac_cv_working_openssl_hashlib=no]) + ]) ]) # ssl module default cipher suite string 
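Review bot: In the `auto|yes` branch, `for arg in "$OPENSSL_LDFLAGS"; do` quotes the variable, so the loop body runs once with the whole flag string instead of once per flag. If OPENSSL_LDFLAGS holds more than one word, only a leading `-L` matches, `cut -c3-` then copies the remaining flags into the rpath value, and later `-L` directories are skipped. The other two loops in this hunk use the unquoted form (`for arg in $OPENSSL_LIBS; do`). I suggest `for arg in $OPENSSL_LDFLAGS; do`, and setting `OPENSSL_LDFLAGS_RPATH=` before the `AS_CASE` so a value inherited from the environment is not appended to. The rpath decides which libssl and libcrypto the built `_ssl` and `_hashlib` modules load, so the directory list should be exact.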
@@ -6245,6 +6297,12 @@ PY_STDLIB_MOD([_bz2], [], [test "$have_bzip2" = yes], PY_STDLIB_MOD([_lzma], [], [test "$have_liblzma" = yes], [$LIBLZMA_CFLAGS], [$LIBLZMA_LIBS]) +dnl OpenSSL bindings +PY_STDLIB_MOD([_ssl], [], [test "$ac_cv_working_openssl_ssl" = yes], + [$OPENSSL_INCLUDES], [$OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH $OPENSSL_LIBS]) +PY_STDLIB_MOD([_hashlib], [], [test "$ac_cv_working_openssl_hashlib" = yes], + [$OPENSSL_INCLUDES], [$OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH $LIBCRYPTO_LIBS]) + dnl test modules PY_STDLIB_MOD([_testcapi], [test "$TEST_MODULES" = yes]) PY_STDLIB_MOD([_testinternalcapi], [test "$TEST_MODULES" = yes]) |