From e454e420690a728dde1b2fb99459408fb21b3505 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Sun, 29 Dec 2024 06:05:51 +0000
Subject: [PATCH] move the _hashlib get_fips_mode logic check into
 test.support.

---
 Lib/test/support/__init__.py |  8 ++++++++
 Lib/test/test_urllib2.py     | 17 +++++++++--------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/Lib/test/support/__init__.py b/Lib/test/support/__init__.py
index cf3077f2a4a409..42e7b876594fa7 100644
--- a/Lib/test/support/__init__.py
+++ b/Lib/test/support/__init__.py
@@ -2969,3 +2969,11 @@ def run_yielding_async_fn(async_fn, /, *args, **kwargs):
                 return e.value
     finally:
         coro.close()
+
+
+def is_libssl_fips_mode():
+    try:
+        from _hashlib import get_fips_mode  # ask _hashopenssl.c
+    except ImportError:
+        return False  # more of a maybe, unless we add this to the _ssl module.
+    return get_fips_mode() != 0
diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
index 739bf4a73fc33a..085b24c25b2daa 100644
--- a/Lib/test/test_urllib2.py
+++ b/Lib/test/test_urllib2.py
@@ -27,11 +27,6 @@
 import urllib.error
 import http.client
 
-try:
-    from _hashlib import get_fips_mode
-except ImportError:
-    def get_fips_mode():
-        return 0
 
 support.requires_working_socket(module=True)
 
@@ -1969,23 +1964,29 @@ def test_parse_proxy(self):
         self.assertRaises(ValueError, _parse_proxy, 'file:/ftp.example.com'),
 
 
+skip_libssl_fips_mode = unittest.skipIf(
+    support.is_libssl_fips_mode(),
+    "conservative skip due to OpenSSL FIPS mode possible algorithm nerfing",
+)
+
+
 class TestDigestAuthAlgorithms(unittest.TestCase):
     def setUp(self):
         self.handler = AbstractDigestAuthHandler()
 
-    @unittest.skipIf(get_fips_mode(), "fips mode; requires hashlib.md5")
+    @skip_libssl_fips_mode
     def test_md5_algorithm(self):
         H, KD = self.handler.get_algorithm_impls('MD5')
         self.assertEqual(H("foo"), "acbd18db4cc2f85cedef654fccc4a4d8")
         self.assertEqual(KD("foo", "bar"), "4e99e8c12de7e01535248d2bac85e732")
 
-    @unittest.skipIf(get_fips_mode(), "fips mode; requires hashlib.sha1")
+    @skip_libssl_fips_mode
     def test_sha_algorithm(self):
         H, KD = self.handler.get_algorithm_impls('SHA')
         self.assertEqual(H("foo"), "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33")
         self.assertEqual(KD("foo", "bar"), "54dcbe67d21d5eb39493d46d89ae1f412d3bd6de")
 
-    @unittest.skipIf(get_fips_mode(), "fips mode; requires hashlib.sha256")
+    @skip_libssl_fips_mode
     def test_sha256_algorithm(self):
         H, KD = self.handler.get_algorithm_impls('SHA-256')
         self.assertEqual(H("foo"), "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae")