Fix --require-hashes trusting link hashes

When a direct URL with hash is provided as a dependency, --require-hash
incorrectly considered the link hash as trusted.

Author: sbidoul

src/pip/_internal/req/req_install.py

@@ -287,7 +287,12 @@ def hashes(self, trust_internet: bool = True) -> Hashes:
 
         """
         good_hashes = self.hash_options.copy()
-        link = self.link if trust_internet else self.original_link
+        if trust_internet:
+            link = self.link
+        elif self.original_link and self.user_supplied:
+            link = self.original_link
+        else:
+            link = None
         if link and link.hash:
             good_hashes.setdefault(link.hash_name, []).append(link.hash)
         return Hashes(good_hashes)