Fix issue with hashilb not finding openssl modules

relenv/common.py

@@ -13,7 +13,6 @@
 import textwrap
 import time
 import urllib.error
-import urllib.request
 
 # relenv package version
 __version__ = "0.13.3"
@@ -335,6 +334,9 @@ def check_url(url, timeout=30):
     """
     Check that the url returns a 200.
     """
+    # Late import so we do not import hashlib before runtime.bootstrap is called.
+    import urllib.request
+
     fin = None
     try:
         fin = urllib.request.urlopen(url, timeout=timeout)
@@ -352,6 +354,9 @@ def fetch_url(url, fp, backoff=3, timeout=30):
 
     This method will store the contents in the given file like object.
     """
+    # Late import so we do not import hashlib before runtime.bootstrap is called.
+    import urllib.request
+
     if backoff < 1:
         backoff = 1
     n = 0

relenv/runtime.py

@@ -754,6 +754,8 @@ def setup_openssl():
     """
     Configure openssl certificate locations.
     """
+    if "OPENSSL_MODULES" not in os.environ and sys.platform != "win32":
+        os.environ["OPENSSL_MODULES"] = str(sys.RELENV / "lib" / "ossl-modules")
     # Use system openssl dirs
     # XXX Should we also setup SSL_CERT_FILE, OPENSSL_CONF &
     # OPENSSL_CONF_INCLUDE?
@@ -775,15 +777,17 @@ def setup_openssl():
                     msg += f": {proc.stderr}"
                 debug(msg)
             else:
-                _, directory = proc.stdout.split(":")
+                try:
+                    _, directory = proc.stdout.split(":")
+                except ValueError:
+                    debug(f"Unable to parse openssldir")
+                    return
                 path = pathlib.Path(directory.strip().strip('"'))
                 if not os.environ.get("SSL_CERT_DIR"):
                     os.environ["SSL_CERT_DIR"] = str(path / "certs")
                 cert_file = path / "cert.pem"
                 if cert_file.exists() and not os.environ.get("SSL_CERT_FILE"):
                     os.environ["SSL_CERT_FILE"] = str(cert_file)
-        if "OPENSSL_MODULES" not in os.environ:
-            os.environ["OPENSSL_MODULES"] = str(sys.RELENV / "lib" / "ossl-modules")
 
 
 def setup_crossroot():

tests/test_verify_build.py

@@ -896,6 +896,133 @@ def test_install_with_target_ignore_installed(pipexec, pyexec, build):
     assert "installed cffi" in out
     assert "already satisfied: cffi" not in out
 
+
+@pytest.mark.skip_on_windows
+def test_no_legacy_hashlib(pipexec, pyexec, build):
+    """
+    Verify hashlib can find the legacy openssl provider.
+    """
+    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    with open(env["OPENSSL_CONF"], "w") as fp:
+        fp.write(
+            textwrap.dedent(
+                """
+            HOME			= .
+            openssl_conf = openssl_init
+            [openssl_init]
+            providers = provider_sect
+            [provider_sect]
+            default = default_sect
+            [default_sect]
+            activate = 1
+            """
+            )
+        )
+    proc = subprocess.run(
+        [
+            pyexec,
+            "-c",
+            "import hashlib; print(hashlib.algorithms_available)",
+        ],
+        check=True,
+        stdout=subprocess.PIPE,
+        env=env,
+    )
+    assert b"md4" not in proc.stdout
+
+
+@pytest.mark.skip_on_windows
+def test_legacy_hashlib(pipexec, pyexec, build):
+    """
+    Verify hashlib can find the legacy openssl provider.
+    """
+    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    with open(env["OPENSSL_CONF"], "w") as fp:
+        fp.write(
+            textwrap.dedent(
+                """
+            HOME			= .
+            openssl_conf = openssl_init
+            [openssl_init]
+            providers = provider_sect
+            [provider_sect]
+            default = default_sect
+            legacy = legacy_sect
+            [default_sect]
+            activate = 1
+            [legacy_sect]
+            activate = 1
+            """
+            )
+        )
+    proc = subprocess.run(
+        [
+            pyexec,
+            "-c",
+            "import hashlib; print(hashlib.algorithms_available)",
+        ],
+        check=True,
+        stdout=subprocess.PIPE,
+        env=env,
+    )
+    with open(env["OPENSSL_CONF"], "r") as fp:
+        print(fp.read())
+    assert b"md4" in proc.stdout
+
+
+@pytest.mark.skip_unless_on_linux
+@pytest.mark.skip_if_binaries_missing("openssl")
+def test_hashlib_fips_module(pipexec, pyexec, build):
+    """
+    Verify hashlib works with fips module.
+    """
+    proc = subprocess.run(
+        [
+            "openssl",
+            "fipsinstall",
+            "-out",
+            str(build / "fipsmodule.cnf"),
+            "-module",
+            str(build / "lib" / "ossl-modules" / "fips.so"),
+        ],
+        check=True,
+    )
+    env = {"OPENSSL_CONF": str(build / "openssl.cnf")}
+    with open(env["OPENSSL_CONF"], "w") as fp:
+        fp.write(
+            textwrap.dedent(
+                """
+            HOME			= .
+            openssl_conf = openssl_init
+            [openssl_init]
+            providers = provider_sect
+            alg_section = algorithm_sect
+            .include fipsmodule.cnf
+            [provider_sect]
+            default = default_sect
+            fips = fips_sect
+            [default_sect]
+            activate = 1
+            [legacy_sect]
+            activate = 1
+            [algorithm_sect]
+            default_properties = fips=yes
+            """
+            )
+        )
+    proc = subprocess.run(
+        [
+            pyexec,
+            "-c",
+            "import hashlib; hashlib.md5(b'')",
+        ],
+        check=False,
+        stdout=subprocess.PIPE,
+        env=env,
+    )
+    assert b"ValueError" not in proc.stdout
+
+
 @pytest.mark.skip_unless_on_linux
 def test_install_with_target_scripts(pipexec, build, minor_version):
     env = os.environ.copy()