bpo-43466: Unsupported static build hack (GH-25002)

Add undocumented hack to statically link ssl and hashlib modules with
OpenSSL.

Signed-off-by: Christian Heimes <christian@python.org>

1 files changed, 37 insertions, 13 deletions

diff --git a/setup.py b/setup.py
index 80deacc..a7d0084 100644
--- a/setup.py
+++ b/setup.py
@@ -2447,24 +2447,48 @@ class PyBuildExt(build_ext):
         else:
             runtime_library_dirs = [openssl_rpath]
 
+        openssl_extension_kwargs = dict(
+            include_dirs=openssl_includes,
+            library_dirs=openssl_libdirs,
+            libraries=openssl_libs,
+            runtime_library_dirs=runtime_library_dirs,
+        )
+
+        # This static linking is NOT OFFICIALLY SUPPORTED.
+        # Requires static OpenSSL build with position-independent code. Some
+        # features like DSO engines or external OSSL providers don't work.
+        # Only tested on GCC and clang on X86_64.
+        if os.environ.get("PY_UNSUPPORTED_OPENSSL_BUILD") == "static":
+            extra_linker_args = []
+            for lib in openssl_extension_kwargs["libraries"]:
+                # link statically
+                extra_linker_args.append(f"-l:lib{lib}.a")
+                # don't export symbols
+                extra_linker_args.append(f"-Wl,--exclude-libs,lib{lib}.a")
+            openssl_extension_kwargs["extra_link_args"] = extra_linker_args
+            # don't link OpenSSL shared libraries.
+            openssl_extension_kwargs["libraries"] = []
+
         if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
-            self.add(Extension(
-                '_ssl', ['_ssl.c'],
-                include_dirs=openssl_includes,
-                library_dirs=openssl_libdirs,
-                libraries=openssl_libs,
-                runtime_library_dirs=runtime_library_dirs,
-                depends=['socketmodule.h', '_ssl/debughelpers.c'])
+            self.add(
+                Extension(
+                    '_ssl',
+                    ['_ssl.c'],
+                    depends=['socketmodule.h', '_ssl/debughelpers.c'],
+                    **openssl_extension_kwargs
+                )
             )
         else:
             self.missing.append('_ssl')
 
-        self.add(Extension('_hashlib', ['_hashopenssl.c'],
-                           depends=['hashlib.h'],
-                           include_dirs=openssl_includes,
-                           library_dirs=openssl_libdirs,
-                           runtime_library_dirs=runtime_library_dirs,
-                           libraries=openssl_libs))
+        self.add(
+            Extension(
+                '_hashlib',
+                ['_hashopenssl.c'],
+                depends=['hashlib.h'],
+                **openssl_extension_kwargs,
+            )
+        )
 
     def detect_hash_builtins(self):
         # By default we always compile these even when OpenSSL is available