commit eb6338431533566a52ddc48584f1668b767d3499
author Paul Kehrer <paul.l.kehrer@gmail.com> Thu Oct 06 11:22:01 2016 +0200
committer Hynek Schlawack <hs@ox.cx> Thu Oct 06 11:22:01 2016 +0200
tree 38355294c84133409cfe85ad1b8afb04e580114d
parent b20257bee5771afef061fdc1c3abe180c748d7c3

move our cryptography backend import (#552)

sad trombone

src/OpenSSL/crypto.py

diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 797dfdc..61bddb6 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -10,7 +10,6 @@
     text_type as _text_type,
     PY3 as _PY3)
 
-from cryptography.hazmat.backends.openssl.backend import backend
 from cryptography.hazmat.primitives.asymmetric import dsa, rsa
 
 from OpenSSL._util import (
@@ -44,6 +43,18 @@
 _openssl_assert = _make_assert(Error)
 
 
+def _get_backend():
+    """
+    Importing the backend from cryptography has the side effect of activating
+    the osrandom engine. This mutates the global state of OpenSSL in the
+    process and causes issues for various programs that use subinterpreters or
+    embed Python. By putting the import in this function we can avoid
+    triggering this side effect unless _get_backend is called.
+    """
+    from cryptography.hazmat.backends.openssl.backend import backend
+    return backend
+
+
 def _untested_error(where):
     """
     An OpenSSL API failed somehow.  Additionally, the failure which was
@@ -181,6 +192,7 @@
 
         .. versionadded:: 16.1.0
         """
+        backend = _get_backend()
         if self._only_public:
             return backend._evp_pkey_to_public_key(self._pkey)
         else: