Diffstat (limited to 'src/_cffi_src/build_openssl.py')
| -rw-r--r-- | src/_cffi_src/build_openssl.py | 109 |
1 files changed, 68 insertions, 41 deletions
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index dac3e4d8..a09d6d8e 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -6,66 +6,83 @@ from __future__ import absolute_import, division, print_function
 import os
 import sys
+from distutils import dist
+from distutils.ccompiler import get_default_compiler
+from distutils.command.config import config
-from _cffi_src.utils import build_ffi_for_binding, extra_link_args
+from _cffi_src.utils import (
+ build_ffi_for_binding, compiler_type, extra_link_args
+)
 def _get_openssl_libraries(platform):
+ if os.environ.get("CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS", None):
+ return []
 # OpenSSL goes by a different library name on different operating systems.
- if platform != "win32":
+ if platform == "win32" and compiler_type() == "msvc":
+ windows_link_legacy_openssl = os.environ.get(
+ "CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL", None
+ )
+ if windows_link_legacy_openssl is None:
+ # Link against the 1.1.0 names
+ # CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+ libs = ["libssl", "libcrypto"]
+ else:
+ # Link against the 1.0.2 and lower names
+ libs = ["libeay32", "ssleay32"]
+ return libs + ["advapi32", "crypt32", "gdi32", "user32", "ws2_32"]
+ else:
+ # darwin, linux, mingw all use this path
 # In some circumstances, the order in which these libs are
 # specified on the linker command-line is significant;
 # libssl must come before libcrypto
- # (http://marc.info/?l=openssl-users&m=135361825921871)
- return ["ssl", "crypto"]
- else:
- link_type = os.environ.get("PYCA_WINDOWS_LINK_TYPE", "static")
- return _get_openssl_windows_libraries(link_type)
+ # (https://marc.info/?l=openssl-users&m=135361825921871)
+ # -lpthread required due to usage of pthread an potential
+ # existance of a static part containing e.g. pthread_atfork
+ # (https://github.com/pyca/cryptography/issues/5084)
+ return ["ssl", "crypto", "pthread"]
-def _get_openssl_windows_libraries(link_type):
- if link_type == "dynamic":
- return ["libeay32", "ssleay32", "advapi32"]
- elif link_type == "static" or link_type == "":
- return ["libeay32mt", "ssleay32mt", "advapi32",
- "crypt32", "gdi32", "user32", "ws2_32"]
+def _extra_compile_args(platform):
+ """
+ We set -Wconversion args here so that we only do Wconversion checks on the
+ code we're compiling and not on cffi itself (as passing -Wconversion in
+ CFLAGS would do). We set no error on sign conversion because some
+ function signatures in OpenSSL have changed from long -> unsigned long
+ in the past. Since that isn't a precision issue we don't care.
+ When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 we can
+ revisit this.
+ """
+ # make sure the compiler used supports the flags to be added
+ is_gcc = False
+ if get_default_compiler() == "unix":
+ d = dist.Distribution()
+ cmd = config(d)
+ cmd._check_compiler()
+ is_gcc = ("gcc" in cmd.compiler.compiler[0] or
+ "clang" in cmd.compiler.compiler[0])
+ if is_gcc or not (platform in ["win32", "hp-ux11", "sunos5"] or
+ platform.startswith("aix")):
+ return ["-Wconversion", "-Wno-error=sign-conversion"]
 else:
- raise ValueError(
- "PYCA_WINDOWS_LINK_TYPE must be 'static' or 'dynamic'"
- )
-
-
-_OSX_PRE_INCLUDE = """
-#ifdef __APPLE__
-#include <AvailabilityMacros.h>
-#define __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
-"""
-
-_OSX_POST_INCLUDE = """
-#ifdef __APPLE__
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
-"""
+ return []
 ffi = build_ffi_for_binding(
 module_name="_openssl",
 module_prefix="_cffi_src.openssl.",
 modules=[
+ # This goes first so we can define some cryptography-wide symbols.
+ "cryptography",
+
 "aes",
 "asn1",
 "bignum",
 "bio",
 "cmac",
- "cms",
 "conf",
 "crypto",
+ "ct",
 "dh",
 "dsa",
 "ec",
@@ -74,12 +91,14 @@ ffi = build_ffi_for_binding(
 "engine",
 "err",
 "evp",
+ "fips",
 "hmac",
 "nid",
 "objects",
+ "ocsp",
 "opensslv",
+ "osrandom_engine",
 "pem",
- "pkcs7",
 "pkcs12",
 "rand",
 "rsa",
@@ -87,10 +106,18 @@ ffi = build_ffi_for_binding(
 "x509",
 "x509name",
 "x509v3",
- "x509_vfy"
+ "x509_vfy",
+ "pkcs7",
+ "callbacks",
 ],
- pre_include=_OSX_PRE_INCLUDE,
- post_include=_OSX_POST_INCLUDE,
 libraries=_get_openssl_libraries(sys.platform),
- extra_link_args=extra_link_args(sys.platform),
+ # These args are passed here so that we only do Wconversion checks on the
+ # code we're compiling and not on cffi itself (as passing -Wconversion in
+ # CFLAGS would do). We set no error on sign convesrion because some
+ # function signatures in OpenSSL have changed from long -> unsigned long
+ # in the past. Since that isn't a precision issue we don't care.
+ # When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 we can
+ # revisit this.
+ extra_compile_args=_extra_compile_args(sys.platform),
+ extra_link_args=extra_link_args(compiler_type()),
 )
|
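Review bot: In `_get_openssl_libraries` the two environment switches are tested differently: `CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS` is checked for truthiness, while `CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL` is checked with `is None`. A variable exported with an empty value therefore does not suppress the link flags, but it does switch an MSVC build to the `libeay32`/`ssleay32` names that the hunk's own comment ties to OpenSSL 1.0.2 and lower. Testing both the same way, `if not os.environ.get("CRYPTOGRAPHY_WINDOWS_LINK_LEGACY_OPENSSL"):`, with a one-line comment above each lookup naming the values that enable it, would keep an accidental export from selecting the legacy libraries. Separately, in `_extra_compile_args` the `"gcc" in cmd.compiler.compiler[0]` test matches anywhere in the command string, so a directory name containing `gcc` also counts; matching on `os.path.basename(cmd.compiler.compiler[0])` would be tighter.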
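Review bot: The seven-line comment above `extra_compile_args=` repeats the `_extra_compile_args` docstring added earlier in this commit almost word for word (this copy misspells it as "convesrion"), so the rationale now lives in two places that can drift apart. A single pointer such as `# Flag rationale: see _extra_compile_args().` would be enough here. Moving `"pkcs7"` behind `"x509_vfy"` looks deliberate, presumably because its declarations depend on the x509 modules; if that is the reason, a short comment like `# must stay after the x509 modules` would stop someone from re-sorting the list. The `build_ffi_for_binding(` call opens before this hunk.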
