Fix issue with hashilb not finding openssl modules
Makes sure we do not import hashlib before running
relenv.runtime.bootstrap so that hashlib will automatically find the
relenv openssl modules directory.
dwoz committed Aug 11, 2023
1 parent 7eea318 commit 0a1d986
Showing 2 changed files with 129 additions and 1 deletion.
7 changes: 6 additions & 1 deletion relenv/common.py
Expand Up @@ -13,7 +13,6 @@
import textwrap
import time
import urllib.error
import urllib.request

# relenv package version
__version__ = "0.13.3"
Expand Down Expand Up @@ -335,6 +334,9 @@ def check_url(url, timeout=30):
"""
Check that the url returns a 200.
"""
# Late import so we do not import hashlib before runtime.bootstrap is called.
import urllib.request

fin = None
try:
fin = urllib.request.urlopen(url, timeout=timeout)
Expand All @@ -352,6 +354,9 @@ def fetch_url(url, fp, backoff=3, timeout=30):
This method will store the contents in the given file like object.
"""
# Late import so we do not import hashlib before runtime.bootstrap is called.
import urllib.request

if backoff < 1:
backoff = 1
n = 0
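Review bot: The deferred `import urllib.request` in `check_url` and `fetch_url` only helps while no other module-scope import in relenv/common.py loads hashlib, and nothing in this change enforces that. A later top-level import that transitively pulls in hashlib would silently bring back the case where the relenv OpenSSL modules directory is not found, which matters for provider-dependent setups such as the legacy and FIPS configurations this commit tests. Consider a regression test that runs `import relenv.common` in a fresh interpreter and asserts `"hashlib" not in sys.modules`. The comment could also name the dependency, for example `# urllib.request imports hashlib; keep it out of module scope until relenv.runtime.bootstrap has run.` Both function bodies continue outside the hunks shown.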
123 changes: 123 additions & 0 deletions tests/test_verify_build.py
Expand Up @@ -895,3 +895,126 @@ def test_install_with_target_ignore_installed(pipexec, pyexec, build):
out = proc.stdout.decode()
assert "installed cffi" in out
assert "already satisfied: cffi" not in out


def test_no_legacy_hashlib(pipexec, pyexec, build):
"""
Verify hashlib can find the legacy openssl provider.
"""
env = {"OPENSSL_CONF": build / "openssl.cnf"}
with open(env["OPENSSL_CONF"], "w") as fp:
fp.write(
textwrap.dedent(
"""
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1
"""
)
)
proc = subprocess.run(
[
pyexec,
"-c",
"import hashlib; print(hashlib.algorithms_available)",
],
check=True,
stdout=subprocess.PIPE,
env=env,
)
assert b"md4" not in proc.stdout


def test_legacy_hashlib(pipexec, pyexec, build):
"""
Verify hashlib can find the legacy openssl provider.
"""
env = {"OPENSSL_CONF": build / "openssl.cnf"}
with open(env["OPENSSL_CONF"], "w") as fp:
fp.write(
textwrap.dedent(
"""
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
"""
)
)
proc = subprocess.run(
[
pyexec,
"-c",
"import hashlib; print(hashlib.algorithms_available)",
],
check=True,
stdout=subprocess.PIPE,
env=env,
)
with open(env["OPENSSL_CONF"], "r") as fp:
print(fp.read())
assert b"md4" in proc.stdout


@pytest.mark.skip_if_binaries_missing("openssl")
def test_hashlib_fips_module(pipexec, pyexec, build):
"""
Verify hashlib works with fips module.
"""
proc = subprocess.run(
[
"openssl",
"fipsinstall",
"-out",
str(build / "fipsmodule.cnf"),
"-module",
str(build / "lib" / "ossl-modules" / "fips.so"),
],
check=True,
)
env = {"OPENSSL_CONF": build / "openssl.cnf"}
with open(env["OPENSSL_CONF"], "w") as fp:
fp.write(
textwrap.dedent(
"""
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
.include fipsmodule.cnf
[provider_sect]
default = default_sect
fips = fips_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
"""
)
)
proc = subprocess.run(
[
pyexec,
"-c",
"import hashlib; hashlib.md5(b'')",
],
check=False,
stdout=subprocess.PIPE,
env=env,
)
assert b"ValueError" not in proc.stdout
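Review bot: The final assertion in `test_hashlib_fips_module` cannot fail, because the child runs with `check=False` and only `stdout=subprocess.PIPE`, while an uncaught `ValueError` traceback goes to stderr. So `b"ValueError" not in proc.stdout` holds whether or not `hashlib.md5(b'')` raised, and the test gives no evidence that hashlib works under the FIPS provider configuration. Add `stderr=subprocess.STDOUT,` to the call and `assert proc.returncode == 0, proc.stdout` before the existing assertion. It also looks as if the FIPS config may not be loaded at all: `.include fipsmodule.cnf` is a relative path, the call sets no `cwd`, and `env` replaces the whole environment, so the include may not resolve to the file written under `build`; an absolute path in the include line would remove the doubt. Smaller points in the same section: `test_no_legacy_hashlib` reuses the docstring of `test_legacy_hashlib` although it asserts the opposite, and `test_legacy_hashlib` has a leftover `print(fp.read())`.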
