bpo-43466: Add --with-openssl-rpath configure option

Signed-off-by: Christian Heimes <christian@python.org>

Makefile.pre.in

@@ -202,6 +202,7 @@ ENSUREPIP=      @ENSUREPIP@
 OPENSSL_INCLUDES=@OPENSSL_INCLUDES@
 OPENSSL_LIBS=@OPENSSL_LIBS@
 OPENSSL_LDFLAGS=@OPENSSL_LDFLAGS@
+OPENSSL_RPATH=@OPENSSL_RPATH@
 
 # Default zoneinfo.TZPATH. Added here to expose it in sysconfig.get_config_var
 TZPATH=@TZPATH@

Misc/NEWS.d/next/Build/2021-03-11-00-14-47.bpo-43466.N861Z5.rst

@@ -0,0 +1 @@
+Add ``--with-openssl-rpath`` configure option.

configure.ac

@@ -5808,6 +5808,30 @@ if test "$have_openssl" = yes; then
     LIBS="$save_LIBS"
 fi
 
+# rpath to libssl and libcrypto
+AC_MSG_CHECKING(for --with-openssl-rpath)
+AC_ARG_WITH(openssl-rpath,
+    AS_HELP_STRING([--with-openssl-rpath=@<:@DIR|auto|no@:>@],
+                   [Set runtime library directory (rpath) for OpenSSL libraries,
+                    no (default): don't set rpath,
+                    auto: auto-detect rpath from --with-openssl and pkg-config,
+                    DIR: set an explicit rpath
+                   ]),
+    [],
+    [with_openssl_rpath=no]
+)
+AS_CASE($with_openssl_rpath,
+    [auto|yes],[OPENSSL_RPATH=auto],
+    [no],[OPENSSL_RPATH=],
+    [AS_IF(
+        [test -d "$with_openssl_rpath"],
+        [OPENSSL_RPATH="$with_openssl_rpath"],
+        AC_MSG_ERROR([--with-openssl-rpath "$with_openssl_rpath" is not a directory]))
+    ]
+)
+AC_MSG_RESULT($OPENSSL_RPATH)
+AC_SUBST([OPENSSL_RPATH])
+
 # ssl module default cipher suite string
 AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS,
   [Default cipher suites list for ssl module.

setup.py

@@ -549,6 +549,8 @@ def print_three_column(lst):
                   "libssl with X509_VERIFY_PARAM_set1_host().")
             print("LibreSSL 2.6.4 and earlier do not provide the necessary "
                   "APIs, https://github.com/libressl-portable/portable/issues/381")
+            if sysconfig.get_config_var("OPENSSL_LDFLAGS"):
+                print("Custom linker flags may require --with-openssl-rpath=auto")
             print()
 
     def build_extension(self, ext):
@@ -2421,6 +2423,7 @@ def split_var(name, sep):
         openssl_includes = split_var('OPENSSL_INCLUDES', '-I')
         openssl_libdirs = split_var('OPENSSL_LDFLAGS', '-L')
         openssl_libs = split_var('OPENSSL_LIBS', '-l')
+        openssl_rpath = config_vars.get('OPENSSL_RPATH')
         if not openssl_libs:
             # libssl and libcrypto not found
             self.missing.extend(['_ssl', '_hashlib'])
@@ -2442,12 +2445,20 @@ def split_var(name, sep):
         if krb5_h:
             ssl_incs.extend(krb5_h)
 
+        if openssl_rpath == 'auto':
+            runtime_library_dirs = openssl_libdirs[:]
+        elif not openssl_rpath:
+            runtime_library_dirs = []
+        else:
+            runtime_library_dirs = [openssl_rpath]
+
         if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
             self.add(Extension(
                 '_ssl', ['_ssl.c'],
                 include_dirs=openssl_includes,
                 library_dirs=openssl_libdirs,
                 libraries=openssl_libs,
+                runtime_library_dirs=runtime_library_dirs,
                 depends=['socketmodule.h', '_ssl/debughelpers.c'])
             )
         else:
@@ -2457,6 +2468,7 @@ def split_var(name, sep):
                            depends=['hashlib.h'],
                            include_dirs=openssl_includes,
                            library_dirs=openssl_libdirs,
+                           runtime_library_dirs=runtime_library_dirs,
                            libraries=openssl_libs))
 
     def detect_hash_builtins(self):