diff options
Diffstat (limited to 'configure.ac')
-rw-r--r-- | configure.ac | 138 |
1 files changed, 98 insertions, 40 deletions
diff --git a/configure.ac b/configure.ac index 0008e8a..92afdf3 100644 --- a/configure.ac +++ b/configure.ac @@ -5891,6 +5891,12 @@ ac_includes_default="$save_includes_default" AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no]) # rpath to libssl and libcrypto +AS_VAR_IF([GNULD], [yes], [ + rpath_arg="-Wl,--enable-new-dtags,-rpath=" +], [ + rpath_arg="-Wl,-rpath=" +]) + AC_MSG_CHECKING(for --with-openssl-rpath) AC_ARG_WITH(openssl-rpath, AS_HELP_STRING([--with-openssl-rpath=@<:@DIR|auto|no@:>@], @@ -5903,58 +5909,104 @@ AC_ARG_WITH(openssl-rpath, [with_openssl_rpath=no] ) AS_CASE($with_openssl_rpath, - [auto|yes],[OPENSSL_RPATH=auto], - [no],[OPENSSL_RPATH=], + [auto|yes], [ + OPENSSL_RPATH=auto + dnl look for linker directories + for arg in "$OPENSSL_LDFLAGS"; do + AS_CASE([$arg], + [-L*], [OPENSSL_LDFLAGS_RPATH="$OPENSSL_LDFLAGS_RPATH ${rpath_arg}$(echo $arg | cut -c3-)"] + ) + done + ], + [no], [OPENSSL_RPATH=], [AS_IF( [test -d "$with_openssl_rpath"], - [OPENSSL_RPATH="$with_openssl_rpath"], + [ + OPENSSL_RPATH="$with_openssl_rpath" + OPENSSL_LDFLAGS_RPATH="${rpath_arg}$with_openssl_rpath" + ], AC_MSG_ERROR([--with-openssl-rpath "$with_openssl_rpath" is not a directory])) ] ) AC_MSG_RESULT($OPENSSL_RPATH) AC_SUBST([OPENSSL_RPATH]) +# This static linking is NOT OFFICIALLY SUPPORTED and not advertised. +# Requires static OpenSSL build with position-independent code. Some features +# like DSO engines or external OSSL providers don't work. Only tested with GCC +# and clang on X86_64. +AS_VAR_IF([PY_UNSUPPORTED_OPENSSL_BUILD], [static], [ + AC_MSG_CHECKING([for unsupported static openssl build]) + new_OPENSSL_LIBS= + for arg in $OPENSSL_LIBS; do + AS_CASE([$arg], + [-l*], [ + libname=$(echo $arg | cut -c3-) + new_OPENSSL_LIBS="$new_OPENSSL_LIBS -l:lib${libname}.a -Wl,--exclude-libs,lib${libname}.a" + ], + [new_OPENSSL_LIBS="$new_OPENSSL_LIBS $arg"] + ) + done + dnl include libz for OpenSSL build flavors with compression support + OPENSSL_LIBS="$new_OPENSSL_LIBS $ZLIB_LIBS" + AC_MSG_RESULT([$OPENSSL_LIBS]) +]) + +dnl AX_CHECK_OPENSSL does not export libcrypto-only libs +LIBCRYPTO_LIBS= +for arg in $OPENSSL_LIBS; do + AS_CASE([$arg], + [-l*ssl*|-Wl*ssl*], [], + [LIBCRYPTO_LIBS="$LIBCRYPTO_LIBS $arg"] + ) +done + # check if OpenSSL libraries work as expected -AC_CACHE_CHECK([whether OpenSSL provides required APIs], [ac_cv_working_openssl], [ -save_LIBS="$LIBS" -save_CFLAGS="$CFLAGS" -save_LDFLAGS="$LDFLAGS" -LIBS="$LIBS $OPENSSL_LIBS" -CFLAGS="$CFLAGS_NODIST $OPENSSL_INCLUDES" -LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS" +WITH_SAVE_ENV([ + LIBS="$LIBS $OPENSSL_LIBS" + CFLAGS="$CFLAGS $OPENSSL_INCLUDES" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH" -AC_LINK_IFELSE([AC_LANG_PROGRAM([[ -#include <openssl/opensslv.h> -#include <openssl/evp.h> -#include <openssl/ssl.h> + AC_CACHE_CHECK([whether OpenSSL provides required ssl module APIs], [ac_cv_working_openssl_ssl], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <openssl/opensslv.h> + #include <openssl/ssl.h> + #if OPENSSL_VERSION_NUMBER < 0x10101000L + #error "OpenSSL >= 1.1.1 is required" + #endif + static void keylog_cb(const SSL *ssl, const char *line) {} + ], [ + SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); + SSL_CTX_set_keylog_callback(ctx, keylog_cb); + SSL *ssl = SSL_new(ctx); + X509_VERIFY_PARAM *param = SSL_get0_param(ssl); + X509_VERIFY_PARAM_set1_host(param, "python.org", 0); + SSL_free(ssl); + SSL_CTX_free(ctx); + ])], [ac_cv_working_openssl_ssl=yes], [ac_cv_working_openssl_ssl=no]) + ]) +]) -#if OPENSSL_VERSION_NUMBER < 0x10101000L -#error "OpenSSL >= 1.1.1 is required" -#endif +WITH_SAVE_ENV([ + LIBS="$LIBS $LIBCRYPTO_LIBS" + CFLAGS="$CFLAGS $OPENSSL_INCLUDES" + LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH" -static void keylog_cb(const SSL *ssl, const char *line) {} -]], [[ -/* SSL APIs */ -SSL_CTX *ctx = SSL_CTX_new(TLS_client_method()); -SSL_CTX_set_keylog_callback(ctx, keylog_cb); -SSL *ssl = SSL_new(ctx); -X509_VERIFY_PARAM *param = SSL_get0_param(ssl); -X509_VERIFY_PARAM_set1_host(param, "python.org", 0); -SSL_free(ssl); -SSL_CTX_free(ctx); - -/* hashlib APIs */ -OBJ_nid2sn(NID_md5); -OBJ_nid2sn(NID_sha1); -OBJ_nid2sn(NID_sha3_512); -OBJ_nid2sn(NID_blake2b512); -EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); -]])], - [ac_cv_working_openssl=yes], - [ac_cv_working_openssl=no]) -LIBS="$save_LIBS" -CFLAGS="$save_CFLAGS" -LDFLAGS="$save_LDFLAGS" + AC_CACHE_CHECK([whether OpenSSL provides required hashlib module APIs], [ac_cv_working_openssl_hashlib], [ + AC_LINK_IFELSE([AC_LANG_PROGRAM([ + #include <openssl/opensslv.h> + #include <openssl/evp.h> + #if OPENSSL_VERSION_NUMBER < 0x10101000L + #error "OpenSSL >= 1.1.1 is required" + #endif + ], [ + OBJ_nid2sn(NID_md5); + OBJ_nid2sn(NID_sha1); + OBJ_nid2sn(NID_sha3_512); + OBJ_nid2sn(NID_blake2b512); + EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); + ])], [ac_cv_working_openssl_hashlib=yes], [ac_cv_working_openssl_hashlib=no]) + ]) ]) # ssl module default cipher suite string @@ -6245,6 +6297,12 @@ PY_STDLIB_MOD([_bz2], [], [test "$have_bzip2" = yes], PY_STDLIB_MOD([_lzma], [], [test "$have_liblzma" = yes], [$LIBLZMA_CFLAGS], [$LIBLZMA_LIBS]) +dnl OpenSSL bindings +PY_STDLIB_MOD([_ssl], [], [test "$ac_cv_working_openssl_ssl" = yes], + [$OPENSSL_INCLUDES], [$OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH $OPENSSL_LIBS]) +PY_STDLIB_MOD([_hashlib], [], [test "$ac_cv_working_openssl_hashlib" = yes], + [$OPENSSL_INCLUDES], [$OPENSSL_LDFLAGS $OPENSSL_LDFLAGS_RPATH $LIBCRYPTO_LIBS]) + dnl test modules PY_STDLIB_MOD([_testcapi], [test "$TEST_MODULES" = yes]) PY_STDLIB_MOD([_testinternalcapi], [test "$TEST_MODULES" = yes]) |