Use system's openssl modules

We need to default to the systems ssl modules directroy to make sure our
fips modules don't conflict.

relenv/build/linux.py

@@ -358,6 +358,8 @@ def build_python(env, dirs, logfp):
         f"--host={env['RELENV_HOST']}",
         "--disable-test-modules",
         "--with-pydebug",
+        "--with-ssl-default-suites=openssl",
+        "--with-builtin-hashlib-hashes=blake2",
     ]
 
     if env["RELENV_HOST_ARCH"] != env["RELENV_BUILD_ARCH"]:

relenv/runtime.py

@@ -12,7 +12,6 @@
 """
 import contextlib
 import ctypes
-import ctypes.util
 import functools
 import importlib
 import json
@@ -756,8 +755,28 @@ def setup_openssl():
     """
     Configure openssl certificate locations.
     """
-    if "OPENSSL_MODULES" not in os.environ and sys.platform != "win32":
-        set_openssl_search_path(str(sys.RELENV / "lib" / "ossl-modules"))
+    if "OPENSSL_MODULES" not in os.environ:
+        openssl_bin = shutil.which("openssl")
+        proc = subprocess.run(
+            [openssl_bin, "version", "-m"],
+            universal_newlines=True,
+            shell=False,
+            check=False,
+            capture_output=True,
+        )
+        if proc.returncode != 0:
+            msg = "Unable to get the modules directory from openssl"
+            if proc.stderr:
+                msg += f": {proc.stderr}"
+            debug(msg)
+        else:
+            try:
+                _, directory = proc.stdout.split(":")
+            except ValueError:
+                debug("Unable to parse modules dir")
+                return
+            path = directory.strip().strip('"')
+            set_openssl_search_path(path)
     # Use system openssl dirs
     # XXX Should we also setup SSL_CERT_FILE, OPENSSL_CONF &
     # OPENSSL_CONF_INCLUDE?
@@ -766,6 +785,7 @@ def setup_openssl():
         if not openssl_bin:
             debug("Could not find the 'openssl' binary in the path")
         else:
+
             proc = subprocess.run(
                 [openssl_bin, "version", "-d"],
                 universal_newlines=True,
@@ -796,8 +816,12 @@ def set_openssl_search_path(path):
     """
     Set the default search location for openssl modules.
     """
+    if sys.platform == "darwin":
+        cryptopath = str(sys.RELENV / "lib" / "libcrypto.dylib")
+    else:
+        cryptopath = str(sys.RELENV / "lib" / "libcrypto.so")
+    libcrypto = ctypes.CDLL(cryptopath)
     POSSL_LIB_CTX = ctypes.c_void_p
-    libcrypto = ctypes.CDLL(ctypes.util.find_library("crypto"))
     OSSL_PROVIDER_set_default_search_path = (
         libcrypto.OSSL_PROVIDER_set_default_search_path
     )

tests/test_verify_build.py

@@ -912,7 +912,10 @@ def test_no_legacy_hashlib(pipexec, pyexec, build):
     """
     Verify hashlib can find the legacy openssl provider.
     """
-    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    env = {
+        "OPENSSL_CONF": str(build / "openssl.cnf"),
+        "OPENSSL_MODULES": str(build / "lib" / "ossl-modules"),
+    }
     with open(env["OPENSSL_CONF"], "w") as fp:
         fp.write(
             textwrap.dedent(
@@ -946,7 +949,10 @@ def test_legacy_hashlib(pipexec, pyexec, build):
     """
     Verify hashlib can find the legacy openssl provider.
     """
-    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    env = {
+        "OPENSSL_CONF": str(build / "openssl.cnf"),
+        "OPENSSL_MODULES": str(build / "lib" / "ossl-modules"),
+    }
 
     # https://github.com/openssl/openssl/issues/16079
     if sys.platform == "darwin":
@@ -1002,7 +1008,10 @@ def test_hashlib_fips_module(pipexec, pyexec, build):
         ],
         check=True,
     )
-    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    env = {
+        "OPENSSL_CONF": str(build / "openssl.cnf"),
+        "OPENSSL_MODULES": str(build / "lib" / "ossl-modules"),
+    }
     with open(env["OPENSSL_CONF"], "w") as fp:
         fp.write(
             textwrap.dedent(
@@ -1035,7 +1044,7 @@ def test_hashlib_fips_module(pipexec, pyexec, build):
         stdout=subprocess.PIPE,
         env=env,
     )
-    assert b"ValueError" not in proc.stdout
+    assert b"ValueError" in proc.stdout
 
 
 @pytest.mark.skip_unless_on_linux