From: Simo Sorce <simo@redhat.com>
Date: Tue, 2 Dec 2025 18:24:41 +0000 (-0500)
Subject: Refactor FIPS self-tests to use ID-based lookup
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66549b5effea96e53581f3adc3f767eab17a713c;p=thirdparty%2Fopenssl.git

Refactor FIPS self-tests to use ID-based lookup

Consolidate separate self-test data arrays into a single `st_all_tests`
array indexed by a new `self_test_id_t` enumeration.

This replaces string-based algorithm lookups with direct array indexing
for running self-tests, simplifying the code and state management. The
`FIPS_DEFERRED_TEST` structure and `self_test_data.h` file are removed,
and the FIPS provider and implementations are updated to use the new
ID-based API.

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/29222)
---

diff --git a/include/internal/fips.h b/include/internal/fips.h
index 956a88cdbbf..c2e1d94ace0 100644
--- a/include/internal/fips.h
+++ b/include/internal/fips.h
@@ -16,41 +16,100 @@
 /* Return 1 if the FIPS self tests are running and 0 otherwise */
 int ossl_fips_self_testing(void);
 
-/* Deferred KAT tests categories */
-
 /*
- * The Integrity category is used to run test that are required by the
- * integrity check and are a special category that can therefore never
- * really be deferred. Keep it commented here as a reminder.
- * #  define FIPS_DEFERRED_KAT_INTEGRITY 0
+ * Each enum here corresponds to a test in the st_all_tests array
+ * in self_test_data.c, any change done here requires tests to be
+ * adjusted accordingly.
  */
-#define FIPS_DEFERRED_KAT_CIPHER 1
-#define FIPS_DEFERRED_KAT_ASYM_CIPHER 2
-#define FIPS_DEFERRED_KAT_ASYM_KEYGEN 3
-#define FIPS_DEFERRED_KAT_KEM 4
-#define FIPS_DEFERRED_KAT_DIGEST 5
-#define FIPS_DEFERRED_KAT_SIGNATURE 6
-#define FIPS_DEFERRED_KAT_KDF 7
-#define FIPS_DEFERRED_KAT_KA 8
-/* Currently unused because all MAC tests are satisfied through other tests */
-#define FIPS_DEFERRED_KAT_MAC 9
-#define FIPS_DEFERRED_DRBG 10
-#define FIPS_DEFERRED_MAX 11
-
-struct fips_deferred_test_st {
-    const char *algorithm;
-    int category;
-    int state;
-};
-
-#define FIPS_DEFERRED_TEST_INIT 0
-#define FIPS_DEFERRED_TEST_IN_PROGRESS 1
-#define FIPS_DEFERRED_TEST_PASSED 2
-#define FIPS_DEFERRED_TEST_FAILED 3
-
-typedef struct fips_deferred_test_st FIPS_DEFERRED_TEST;
+typedef enum {
+    ST_ID_DIGEST_SHA1,
+    ST_ID_DIGEST_SHA512,
+    ST_ID_DIGEST_SHA3_256,
+    ST_ID_CIPHER_AES_256_GCM,
+    ST_ID_CIPHER_AES_128_ECB,
+#ifndef OPENSSL_NO_DES
+    ST_ID_CIPHER_DES_EDE3_ECB,
+#endif
+    ST_ID_SIG_RSA_SHA256,
+#ifndef OPENSSL_NO_EC
+    ST_ID_SIG_ECDSA_SHA256,
+#ifndef OPENSSL_NO_HMAC_DRBG_KDF
+    ST_ID_SIG_DET_ECDSA_SHA256,
+#endif
+#ifndef OPENSSL_NO_EC2M
+    ST_ID_SIG_E2CM_ECDSA_SHA256,
+#endif
+#ifndef OPENSSL_NO_ECX
+    ST_ID_SIG_ED448,
+    ST_ID_SIG_ED25519,
+#endif
+#endif
+#ifndef OPENSSL_NO_DSA
+    ST_ID_SIG_DSA_SHA256,
+#endif
+#ifndef OPENSSL_NO_ML_DSA
+    ST_ID_SIG_ML_DSA_65,
+#endif
+#ifndef OPENSSL_NO_SLH_DSA
+    ST_ID_SIG_SLH_DSA_SHA2_128F,
+    ST_ID_SIG_SLH_DSA_SHAKE_128F,
+#endif /* OPENSSL_NO_SLH_DSA */
+#ifndef OPENSSL_NO_LMS
+    ST_ID_SIG_LMS,
+#endif
+    ST_ID_KDF_TLS13_EXTRACT,
+    ST_ID_KDF_TLS13_EXPAND,
+    ST_ID_KDF_TLS12_PRF,
+    ST_ID_KDF_PBKDF2,
+#ifndef OPENSSL_NO_KBKDF
+    ST_ID_KDF_KBKDF,
+    ST_ID_KDF_KBKDF_KMAC,
+#endif
+    ST_ID_KDF_HKDF,
+#ifndef OPENSSL_NO_SNMPKDF
+    ST_ID_KDF_SNMPKDF,
+#endif
+#ifndef OPENSSL_NO_SRTPKDF
+    ST_ID_KDF_SRTPKDF,
+#endif
+#ifndef OPENSSL_NO_SSKDF
+    ST_ID_KDF_SSKDF,
+#endif
+#ifndef OPENSSL_NO_X963KDF
+    ST_ID_KDF_X963KDF,
+#endif
+#ifndef OPENSSL_NO_X942KDF
+    ST_ID_KDF_X942KDF,
+#endif
+    ST_ID_DRBG_HASH,
+    ST_ID_DRBG_CTR,
+    ST_ID_DRBG_HMAC,
+#ifndef OPENSSL_NO_DH
+    ST_ID_KA_DH,
+#endif
+#ifndef OPENSSL_NO_EC
+    ST_ID_KA_ECDH,
+#endif
+#ifndef OPENSSL_NO_ML_KEM
+    ST_ID_ASYM_KEYGEN_ML_KEM,
+#endif
+#ifndef OPENSSL_NO_ML_DSA
+    ST_ID_ASYM_KEYGEN_ML_DSA,
+#endif
+#ifndef OPENSSL_NO_SLH_DSA
+    ST_ID_ASYM_KEYGEN_SLH_DSA,
+#endif
+#ifndef OPENSSL_NO_ML_KEM
+    ST_ID_KEM_ML_KEM,
+#endif
+    ST_ID_ASYM_CIPHER_RSA_ENC,
+    ST_ID_ASYM_CIPHER_RSA_DEC,
+    ST_ID_ASYM_CIPHER_RSA_DEC_CRT,
+    ST_ID_MAX
+} self_test_id_t;
 
-int FIPS_deferred_self_tests(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST tests[]);
+int ossl_deferred_self_test(OSSL_LIB_CTX *libctx, self_test_id_t id);
+int ossl_self_test_in_progress(self_test_id_t id);
 
 #endif /* FIPS_MODULE */
 
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 924cb613a76..933125a9b98 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -126,12 +126,8 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx)
     return fgbl;
 }
 
-static void deferred_deinit(void);
-
 void ossl_fips_prov_ossl_ctx_free(void *fgbl)
 {
-    /* Also free deferred variables when the FIPS Global context is killed */
-    deferred_deinit();
     OPENSSL_free(fgbl);
 }
 
@@ -812,8 +808,12 @@ static const OSSL_ALGORITHM *fips_query_internal(void *provctx, int operation_id
     return fips_query(provctx, operation_id, no_cache);
 }
 
+static void deferred_deinit(void);
+
 static void fips_teardown(void *provctx)
 {
+    /* Also free deferred variables when the FIPS Global context is killed */
+    deferred_deinit();
     OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx));
     ossl_prov_ctx_free(provctx);
 }
@@ -1315,27 +1315,39 @@ static void deferred_deinit(void)
     }
 }
 
-static int FIPS_kat_deferred(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST *test)
+static int FIPS_kat_deferred(OSSL_LIB_CTX *libctx, self_test_id_t id)
 {
-    int ret = FIPS_DEFERRED_TEST_FAILED;
+    int *rt = NULL;
+    int ret = 0;
 
     if (!CRYPTO_THREAD_run_once(&deferred_once, deferred_init))
-        return FIPS_DEFERRED_TEST_FAILED;
+        return 0;
 
     if (deferred_lock == NULL)
-        return FIPS_DEFERRED_TEST_FAILED;
+        return 0;
 
     /*
      * before we do anything, make sure a local test is not already in
      * progress or we'll deadlock
      */
-    if (CRYPTO_THREAD_get_local_ex(CRYPTO_THREAD_LOCAL_FIPS_DEFERRED_KEY,
-            libctx)
-        != NULL)
-        return FIPS_DEFERRED_TEST_IN_PROGRESS;
+    rt = CRYPTO_THREAD_get_local_ex(CRYPTO_THREAD_LOCAL_FIPS_DEFERRED_KEY,
+        libctx);
+    if (rt) {
+        /*
+         * record this test as invoked by the original test, for marking
+         * it later as also satisfied
+         */
+        rt[id] = 1;
+        /*
+         * A self test is in progress for this thread so we let this
+         * thread continue and perform the test while all other
+         * threads wait for it to complete.
+         */
+        return 1;
+    }
 
     if (CRYPTO_THREAD_write_lock(deferred_lock)) {
-        OSSL_SELF_TEST *ev = NULL;
+        OSSL_SELF_TEST *st = NULL;
         bool unset_key = false;
         OSSL_CALLBACK *cb = NULL;
         void *cb_arg = NULL;
@@ -1344,15 +1356,22 @@ static int FIPS_kat_deferred(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST *test)
          * check again as another thread may have just performed this
          * test and marked it as passed
          */
-        if (test->state == FIPS_DEFERRED_TEST_PASSED) {
-            ret = FIPS_DEFERRED_TEST_PASSED;
+        switch (st_all_tests[id].state) {
+        case SELF_TEST_STATE_INIT:
+            break;
+        case SELF_TEST_STATE_PASSED:
+            ret = 1;
+            goto done;
+        default:
+            /* should not happen, something is broken */
+            ret = 0;
             goto done;
         }
 
-        /*
-         * mark that we are executing a test on the local thread, does not
-         * matter what value, as long as it is not NULL, Cool?
-         */
+        if ((rt = OPENSSL_calloc(ST_ID_MAX, sizeof(int))) == NULL)
+            goto done;
+
+        /* mark that we are executing a test on the local thread */
         if (!CRYPTO_THREAD_set_local_ex(CRYPTO_THREAD_LOCAL_FIPS_DEFERRED_KEY,
                 libctx, (void *)0xC001))
             goto done;
@@ -1362,25 +1381,38 @@ static int FIPS_kat_deferred(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST *test)
         if (c_stcbfn != NULL && c_get_libctx != NULL)
             c_stcbfn(c_get_libctx(FIPS_get_core_handle(libctx)), &cb, &cb_arg);
 
-        if ((ev = OSSL_SELF_TEST_new(cb, cb_arg)) == NULL)
+        if ((st = OSSL_SELF_TEST_new(cb, cb_arg)) == NULL)
             goto done;
 
-        /* Mark test as in progress */
-        test->state = FIPS_DEFERRED_TEST_IN_PROGRESS;
+        /*
+         * Dependency chains may cause a test to be referenced multiple times
+         * immediately return if any state is present
+         */
+        if (st_all_tests[id].state == SELF_TEST_STATE_INIT) {
 
-        /* execute test */
-        if (SELF_TEST_kats_single(ev, libctx, test->category, test->algorithm))
-            ret = FIPS_DEFERRED_TEST_PASSED;
+            /* Mark test as in progress */
+            st_all_tests[id].state = SELF_TEST_STATE_IN_PROGRESS;
 
-    done:
-        /* Mark test as pass or fail */
-        test->state = ret;
+            /* execute test */
+            if (!SELF_TEST_kats_single(st, libctx, id))
+                goto done;
+        }
 
-        if (ev)
-            OSSL_SELF_TEST_free(ev);
+        /*
+         * now mark as passed all the algorithms that have been executed by
+         * this test and that we tracked as RECORDED_TESTS
+         */
+        if (st_all_tests[id].state == SELF_TEST_STATE_PASSED)
+            for (int i = 0; i < ST_ID_MAX; i++)
+                if (rt[i])
+                    st_all_tests[i].state = SELF_TEST_STATE_PASSED;
+
+    done:
+        OSSL_SELF_TEST_free(st);
         if (unset_key)
             CRYPTO_THREAD_set_local_ex(CRYPTO_THREAD_LOCAL_FIPS_DEFERRED_KEY,
                 libctx, NULL);
+        OPENSSL_free(rt);
         CRYPTO_THREAD_unlock(deferred_lock);
     }
     return ret;
@@ -1391,40 +1423,56 @@ static void deferred_test_error(int category)
     const char *category_name = "Unknown Category Test";
 
     switch (category) {
-    case FIPS_DEFERRED_KAT_CIPHER:
+    case SELF_TEST_KAT_CIPHER:
         category_name = OSSL_SELF_TEST_TYPE_KAT_CIPHER;
         break;
-    case FIPS_DEFERRED_KAT_ASYM_CIPHER:
+    case SELF_TEST_KAT_ASYM_CIPHER:
         category_name = OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER;
         break;
-    case FIPS_DEFERRED_KAT_ASYM_KEYGEN:
+    case SELF_TEST_KAT_ASYM_KEYGEN:
         category_name = OSSL_SELF_TEST_TYPE_KAT_ASYM_KEYGEN;
         break;
-    case FIPS_DEFERRED_KAT_KEM:
+    case SELF_TEST_KAT_KEM:
         category_name = OSSL_SELF_TEST_TYPE_KAT_KEM;
         break;
-    case FIPS_DEFERRED_KAT_DIGEST:
+    case SELF_TEST_KAT_DIGEST:
         category_name = OSSL_SELF_TEST_TYPE_KAT_DIGEST;
         break;
-    case FIPS_DEFERRED_KAT_SIGNATURE:
+    case SELF_TEST_KAT_SIGNATURE:
         category_name = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE;
         break;
-    case FIPS_DEFERRED_KAT_KDF:
+    case SELF_TEST_KAT_KDF:
         category_name = OSSL_SELF_TEST_TYPE_KAT_KDF;
         break;
-    case FIPS_DEFERRED_KAT_KA:
+    case SELF_TEST_KAT_KAS:
         category_name = OSSL_SELF_TEST_TYPE_KAT_KA;
         break;
-    case FIPS_DEFERRED_DRBG:
+    case SELF_TEST_DRBG:
         category_name = OSSL_SELF_TEST_TYPE_DRBG;
         break;
     }
     ossl_set_error_state(category_name);
 }
 
-int FIPS_deferred_self_tests(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST tests[])
+int ossl_deferred_self_test(OSSL_LIB_CTX *libctx, self_test_id_t id)
 {
-    int i;
+    int ret;
+
+    if (id >= ST_ID_MAX) {
+        ossl_set_error_state(NULL);
+        return 0;
+    }
+
+    /* return immediately if the test is marked as passed */
+    if (st_all_tests[id].state == SELF_TEST_STATE_PASSED)
+        return 1;
+
+    /*
+     * During the initial selftest we do not try to self-test individual
+     * algorithms, or we end up in loops.
+     */
+    if (ossl_fips_self_testing())
+        return 1;
 
     /*
      * NOTE: that the order in which we check the 'state' here is not important,
@@ -1433,30 +1481,8 @@ int FIPS_deferred_self_tests(OSSL_LIB_CTX *libctx, FIPS_DEFERRED_TEST tests[])
      * concurrent tests runs and saving state from multiple threads is handled
      * in FIPS_kat_deferred() so this race is of no real consequence.
      */
-    for (i = 0; tests[i].algorithm != NULL; i++) {
-        if (tests[i].state != FIPS_DEFERRED_TEST_PASSED) {
-            int state;
-
-            /* any other threads that request a self test will lock and wait */
-            state = FIPS_kat_deferred(libctx, &tests[i]);
-            switch (state) {
-            case FIPS_DEFERRED_TEST_IN_PROGRESS:
-                /*
-                 * A self test is in progress for this thread so we let this
-                 * thread continue and perform the test while all other
-                 * threads wait for it to complete.
-                 */
-                return 1;
-            case FIPS_DEFERRED_TEST_PASSED:
-                /* success, move on to the next */
-                break;
-            default:
-                deferred_test_error(tests[i].category);
-                return 0;
-            }
-        }
-    }
-
-    /* all tests passed */
-    return 1;
+    ret = FIPS_kat_deferred(libctx, id);
+    if (!ret)
+        deferred_test_error(st_all_tests[id].category);
+    return ret;
 }
diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h
index 6ca547e5b2a..2c19653b663 100644
--- a/providers/fips/self_test.h
+++ b/providers/fips/self_test.h
@@ -10,6 +10,7 @@
 #include <openssl/core_dispatch.h>
 #include <openssl/types.h>
 #include <openssl/self_test.h>
+#include "internal/fips.h"
 
 typedef struct self_test_post_params_st {
     /* FIPS module integrity check parameters */
@@ -32,30 +33,30 @@ typedef struct self_test_post_params_st {
 
 int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test);
 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred);
-int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int type, const char *alg_name);
+int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int id);
 
 void SELF_TEST_disable_conditional_error_state(void);
 
 /* KAT tests categories */
 enum st_test_category {
     SELF_TEST_INTEGRITY = 0, /* currently unused */
-    SELF_TEST_KAT_CIPHER,
-    SELF_TEST_KAT_ASYM_CIPHER,
-    SELF_TEST_KAT_ASYM_KEYGEN,
-    SELF_TEST_KAT_KEM,
     SELF_TEST_KAT_DIGEST,
+    SELF_TEST_KAT_CIPHER,
     SELF_TEST_KAT_SIGNATURE,
     SELF_TEST_KAT_KDF,
+    SELF_TEST_DRBG,
     SELF_TEST_KAT_KAS,
+    SELF_TEST_KAT_ASYM_KEYGEN,
+    SELF_TEST_KAT_KEM,
+    SELF_TEST_KAT_ASYM_CIPHER,
     SELF_TEST_KAT_MAC, /* currently unused */
-    SELF_TEST_DRBG
 };
 
 enum st_test_state {
     SELF_TEST_STATE_INIT = 0,
     SELF_TEST_STATE_IN_PROGRESS,
     SELF_TEST_STATE_PASSED,
+    SELF_TEST_STATE_FAILED,
 };
 
 #define SELF_TEST_ONLOAD 0
@@ -163,3 +164,5 @@ typedef struct self_test_st {
         ST_KAT_DRBG drbg;
     } u;
 } ST_DEFINITION;
+
+extern ST_DEFINITION st_all_tests[ST_ID_MAX];
diff --git a/providers/fips/self_test_data.c b/providers/fips/self_test_data.c
index 8607c8d0bb6..4a5fb3d8c22 100644
--- a/providers/fips/self_test_data.c
+++ b/providers/fips/self_test_data.c
@@ -65,42 +65,6 @@ static const unsigned char sha3_256_digest[] = {
     0x89, 0x77, 0x7f, 0x05, 0x1e, 0x40, 0x46, 0xae
 };
 
-/*
- * Note:
- *  SHA256 is tested by higher level algorithms so a
- *  CAST is not needed.
- */
-const ST_DEFINITION st_kat_digest_tests[] = {
-    {
-        "SHA1",
-        OSSL_SELF_TEST_DESC_MD_SHA1,
-        SELF_TEST_KAT_DIGEST,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(sha1_pt),
-        ITM_BUF(sha1_digest),
-    },
-    {
-        "SHA512",
-        OSSL_SELF_TEST_DESC_MD_SHA2,
-        SELF_TEST_KAT_DIGEST,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(sha512_pt),
-        ITM_BUF(sha512_digest),
-    },
-    {
-        "SHA3-256",
-        OSSL_SELF_TEST_DESC_MD_SHA3,
-        SELF_TEST_KAT_DIGEST,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(sha3_256_pt),
-        ITM_BUF(sha3_256_digest),
-    },
-};
-int st_kat_digest_tests_size = OSSL_NELEM(st_kat_digest_tests);
-
 /*- CIPHER TEST DATA */
 
 /* AES-256 GCM test data */
@@ -164,54 +128,6 @@ static const unsigned char tdes_pt[] = {
 };
 #endif
 
-const ST_DEFINITION st_kat_cipher_tests[] = {
-    {
-        "AES-256-GCM",
-        OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,
-        SELF_TEST_KAT_CIPHER,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(aes_256_gcm_pt),
-        ITM_BUF(aes_256_gcm_ct),
-        .u.cipher = {
-            CIPHER_MODE_ENCRYPT | CIPHER_MODE_DECRYPT,
-            ITM_BUF(aes_256_gcm_key),
-            ITM_BUF(aes_256_gcm_iv),
-            ITM_BUF(aes_256_gcm_aad),
-            ITM_BUF(aes_256_gcm_tag),
-        },
-    },
-    {
-        "AES-128-ECB",
-        OSSL_SELF_TEST_DESC_CIPHER_AES_ECB,
-        SELF_TEST_KAT_CIPHER,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(aes_128_ecb_pt),
-        ITM_BUF(aes_128_ecb_ct),
-        .u.cipher = {
-            CIPHER_MODE_DECRYPT,
-            ITM_BUF(aes_128_ecb_key),
-        },
-    },
-#ifndef OPENSSL_NO_DES
-    {
-        "DES-EDE3-ECB",
-        OSSL_SELF_TEST_DESC_CIPHER_TDES,
-        SELF_TEST_KAT_CIPHER,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(tdes_pt),
-        ITM_BUF(tdes_ct),
-        .u.cipher = {
-            CIPHER_MODE_DECRYPT,
-            ITM_BUF(tdes_key),
-        },
-    }
-#endif
-};
-int st_kat_cipher_tests_size = OSSL_NELEM(st_kat_cipher_tests);
-
 #ifndef OPENSSL_NO_LMS
 /*
  * Test vector from
@@ -342,30 +258,6 @@ static const ST_KAT_PARAM lms_key[] = {
     ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, sha256_192_pub),
     ST_KAT_PARAM_END()
 };
-
-/*
- * FIPS 140-3 IG 10.3.A Note 5 mandates a CAST for LMS.
- *
- * It permits this to be omitted if HSS is also implemented and has
- * the relevant self tests.  Once HSS is implemented, this test can be
- * removed.  This IG permits the digest's CAST to be subsumed into this
- * test, however, because this will be removed, the underlying digest
- * test has been retained elsewhere lest it is accidentally omitted.
- */
-const ST_DEFINITION st_kat_lms_test = {
-    "LMS",
-    OSSL_SELF_TEST_DESC_SIGN_LMS,
-    SELF_TEST_KAT_SIGNATURE,
-    SELF_TEST_ONLOAD,
-    SELF_TEST_STATE_INIT,
-    ITM_BUF(sha256_192_msg),
-    ITM_BUF(sha256_192_sig),
-    .u.sig = {
-        "LMS",
-        SIGNATURE_MODE_VERIFY_ONLY,
-        lms_key,
-    }
-};
 #endif /* OPENSSL_NO_LMS */
 
 static const char hkdf_digest[] = "SHA256";
@@ -733,149 +625,6 @@ static const ST_KAT_PARAM tls13_kdf_client_early_secret_params[] = {
  * According to FIPS 140-3 10.3.A Note18: SSH KDF is not required, since it is
  * sufficient to self-test the underlying SHA hash functions.
  */
-const ST_DEFINITION st_kat_kdf_tests[] = {
-    {
-        OSSL_KDF_NAME_TLS1_3_KDF,
-        OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(tls13_kdf_early_secret),
-        .u.kdf = {
-            tls13_kdf_early_secret_params,
-        },
-    },
-    {
-        OSSL_KDF_NAME_TLS1_3_KDF,
-        OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(tls13_kdf_client_early_traffic_secret),
-        .u.kdf = {
-            tls13_kdf_client_early_secret_params,
-        },
-    },
-    {
-        OSSL_KDF_NAME_TLS1_PRF,
-        OSSL_SELF_TEST_DESC_KDF_TLS12_PRF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(tls12prf_expected),
-        .u.kdf = {
-            tls12prf_params,
-        },
-    },
-    {
-        OSSL_KDF_NAME_PBKDF2,
-        OSSL_SELF_TEST_DESC_KDF_PBKDF2,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(pbkdf2_expected),
-        .u.kdf = {
-            pbkdf2_params,
-        },
-    },
-#ifndef OPENSSL_NO_KBKDF
-    {
-        OSSL_KDF_NAME_KBKDF,
-        OSSL_SELF_TEST_DESC_KDF_KBKDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(kbkdf_expected),
-        .u.kdf = {
-            kbkdf_params,
-        },
-    },
-    {
-        OSSL_KDF_NAME_KBKDF,
-        OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(kbkdf_kmac_expected),
-        .u.kdf = {
-            kbkdf_kmac_params,
-        },
-    },
-#endif
-    {
-        OSSL_KDF_NAME_HKDF,
-        OSSL_SELF_TEST_DESC_KDF_HKDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(hkdf_expected),
-        .u.kdf = {
-            hkdf_params,
-        },
-    },
-#ifndef OPENSSL_NO_SNMPKDF
-    {
-        OSSL_KDF_NAME_SNMPKDF,
-        OSSL_SELF_TEST_DESC_KDF_SNMPKDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(snmpkdf_expected),
-        .u.kdf = {
-            snmpkdf_params,
-        },
-    },
-#endif
-#ifndef OPENSSL_NO_SRTPKDF
-    {
-        OSSL_SELF_TEST_DESC_KDF_SRTPKDF,
-        OSSL_KDF_NAME_SRTPKDF,
-        0,
-        srtpkdf_params,
-        ITM(srtpkdf_expected)
-    },
-#endif
-#ifndef OPENSSL_NO_SSKDF
-    {
-        OSSL_KDF_NAME_SSKDF,
-        OSSL_SELF_TEST_DESC_KDF_SSKDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(sskdf_expected),
-        .u.kdf = {
-            sskdf_params,
-        },
-    },
-#endif
-#ifndef OPENSSL_NO_X963KDF
-    {
-        OSSL_KDF_NAME_X963KDF,
-        OSSL_SELF_TEST_DESC_KDF_X963KDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(x963kdf_expected),
-        .u.kdf = {
-            x963kdf_params,
-        },
-    },
-#endif
-#ifndef OPENSSL_NO_X942KDF
-    {
-        OSSL_KDF_NAME_X942KDF_ASN1,
-        OSSL_SELF_TEST_DESC_KDF_X942KDF,
-        SELF_TEST_KAT_KDF,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(x942kdf_expected),
-        .u.kdf = {
-            x942kdf_params,
-        },
-    },
-#endif
-};
-int st_kat_kdf_tests_size = OSSL_NELEM(st_kat_kdf_tests);
 
 /*-
  * DRBG test vectors are a small subset of
@@ -1066,67 +815,6 @@ static const unsigned char drbg_hmac_sha2_pr_expected[] = {
     0x8e, 0x30, 0x05, 0x0e, 0x04, 0x97, 0xfb, 0x0a
 };
 
-const ST_DEFINITION st_kat_drbg_tests[] = {
-    {
-        "HASH-DRBG",
-        OSSL_SELF_TEST_DESC_DRBG_HASH,
-        SELF_TEST_DRBG,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(drbg_hash_sha256_pr_expected),
-        .u.drbg = {
-            "digest",
-            "SHA256",
-            ITM_BUF(drbg_hash_sha256_pr_entropyin),
-            ITM_BUF(drbg_hash_sha256_pr_nonce),
-            ITM_BUF(drbg_hash_sha256_pr_persstr),
-            ITM_BUF(drbg_hash_sha256_pr_entropyinpr0),
-            ITM_BUF(drbg_hash_sha256_pr_entropyinpr1),
-            ITM_BUF(drbg_hash_sha256_pr_addin0),
-            ITM_BUF(drbg_hash_sha256_pr_addin1),
-        },
-    },
-    {
-        "CTR-DRBG",
-        OSSL_SELF_TEST_DESC_DRBG_CTR,
-        SELF_TEST_DRBG,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(drbg_ctr_aes128_pr_df_expected),
-        .u.drbg = {
-            "cipher",
-            "AES-128-CTR",
-            ITM_BUF(drbg_ctr_aes128_pr_df_entropyin),
-            ITM_BUF(drbg_ctr_aes128_pr_df_nonce),
-            ITM_BUF(drbg_ctr_aes128_pr_df_persstr),
-            ITM_BUF(drbg_ctr_aes128_pr_df_entropyinpr0),
-            ITM_BUF(drbg_ctr_aes128_pr_df_entropyinpr1),
-            ITM_BUF(drbg_ctr_aes128_pr_df_addin0),
-            ITM_BUF(drbg_ctr_aes128_pr_df_addin1),
-        },
-    },
-    {
-        "HMAC-DRBG",
-        OSSL_SELF_TEST_DESC_DRBG_HMAC,
-        SELF_TEST_DRBG,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(drbg_hmac_sha2_pr_expected),
-        .u.drbg = {
-            "digest",
-            "SHA256",
-            ITM_BUF(drbg_hmac_sha2_pr_entropyin),
-            ITM_BUF(drbg_hmac_sha2_pr_nonce),
-            ITM_BUF(drbg_hmac_sha2_pr_persstr),
-            ITM_BUF(drbg_hmac_sha2_pr_entropyinpr0),
-            ITM_BUF(drbg_hmac_sha2_pr_entropyinpr1),
-            ITM_BUF(drbg_hmac_sha2_pr_addin0),
-            ITM_BUF(drbg_hmac_sha2_pr_addin1),
-        },
-    }
-};
-int st_kat_drbg_tests_size = OSSL_NELEM(st_kat_drbg_tests);
-
 /* KEY EXCHANGE TEST DATA */
 
 #ifndef OPENSSL_NO_DH
@@ -1314,39 +1002,6 @@ static const unsigned char ecdh_secret_expected[] = {
 };
 #endif /* OPENSSL_NO_EC */
 
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
-const ST_DEFINITION st_kat_kas_tests[] = {
-#ifndef OPENSSL_NO_DH
-    { "DH",
-        OSSL_SELF_TEST_DESC_KA_DH,
-        SELF_TEST_KAT_KAS,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(dh_secret_expected),
-        .u.kas = {
-            dh_group,
-            dh_host_key,
-            dh_peer_key } },
-#endif /* OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_EC
-    {
-        "EC",
-        OSSL_SELF_TEST_DESC_KA_ECDH,
-        SELF_TEST_KAT_KAS,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .expected = ITM_BUF(ecdh_secret_expected),
-        .u.kas = {
-            ecdh_group,
-            ecdh_host_key,
-            ecdh_peer_key,
-        },
-    },
-#endif /* OPENSSL_NO_EC */
-};
-int st_kat_kas_tests_size = OSSL_NELEM(st_kat_kas_tests);
-#endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */
-
 /* RSA key data */
 static const unsigned char rsa_n[] = {
     0xDB, 0x10, 0x1A, 0xC2, 0xA3, 0xF1, 0xDC, 0xFF,
@@ -3238,197 +2893,6 @@ static const unsigned char sig_kat_persstr[] = {
     0xac, 0x54, 0x4f, 0xce, 0x57, 0xf1, 0x5e, 0x11
 };
 
-const ST_DEFINITION st_kat_sign_tests[] = {
-    {
-        "RSA-SHA256",
-        OSSL_SELF_TEST_DESC_SIGN_RSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(rsa_sig_msg),
-        ITM_BUF(rsa_expected_sig),
-        .u.sig = {
-            "RSA",
-            0,
-            rsa_crt_key,
-            ITM_BUF(sig_kat_entropyin),
-            ITM_BUF(sig_kat_nonce),
-            ITM_BUF(sig_kat_persstr),
-        },
-    },
-#ifndef OPENSSL_NO_EC
-    {
-        "ECDSA-SHA256",
-        OSSL_SELF_TEST_DESC_SIGN_ECDSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(rsa_sig_msg),
-        ITM_BUF(ecdsa_prime_expected_sig),
-        .u.sig = {
-            "EC",
-            0,
-            ecdsa_prime_key,
-            ITM_BUF(sig_kat_entropyin),
-            ITM_BUF(sig_kat_nonce),
-            ITM_BUF(sig_kat_persstr),
-        },
-    },
-#ifndef OPENSSL_NO_HMAC_DRBG_KDF
-    {
-        "ECDSA-SHA256",
-        OSSL_SELF_TEST_DESC_SIGN_DetECDSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(rsa_sig_msg),
-        ITM_BUF(ecdsa_prime_expected_detsig),
-        .u.sig = {
-            "EC",
-            0,
-            ecdsa_prime_key,
-            .init = ecdsa_sig_params,
-        },
-    },
-#endif
-#ifndef OPENSSL_NO_EC2M
-    {
-        "ECDSA-SHA256",
-        OSSL_SELF_TEST_DESC_SIGN_ECDSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(rsa_sig_msg),
-        ITM_BUF(ecdsa_bin_expected_sig),
-        .u.sig = {
-            "EC",
-            0,
-            ecdsa_bin_key,
-            ITM_BUF(sig_kat_entropyin),
-            ITM_BUF(sig_kat_nonce),
-            ITM_BUF(sig_kat_persstr),
-        },
-    },
-#endif
-#ifndef OPENSSL_NO_ECX
-    {
-        "ED448",
-        OSSL_SELF_TEST_DESC_SIGN_EDDSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(ecx_sig_msg),
-        ITM_BUF(ed448_expected_sig),
-        .u.sig = {
-            "ED448",
-            0,
-            ed448_key,
-        },
-    },
-    {
-        "ED25519",
-        OSSL_SELF_TEST_DESC_SIGN_EDDSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(ecx_sig_msg),
-        ITM_BUF(ed25519_expected_sig),
-        .u.sig = {
-            "ED25519",
-            0,
-            ed25519_key,
-        },
-    },
-#endif /* OPENSSL_NO_ECX */
-#endif /* OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_DSA
-    {
-        "DSA-SHA256",
-        OSSL_SELF_TEST_DESC_SIGN_DSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF_STR(rsa_sig_msg),
-        ITM_BUF(dsa_expected_sig),
-        .u.sig = {
-            "DSA",
-            SIGNATURE_MODE_VERIFY_ONLY,
-            dsa_key,
-            ITM_BUF(sig_kat_entropyin),
-            ITM_BUF(sig_kat_nonce),
-            ITM_BUF(sig_kat_persstr),
-        },
-    },
-#endif /* OPENSSL_NO_DSA */
-
-#ifndef OPENSSL_NO_ML_DSA
-    {
-        "ML-DSA-65",
-        OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(ml_dsa_65_msg),
-        ITM_BUF(ml_dsa_65_sig),
-        .u.sig = {
-            "ML-DSA-65",
-            0,
-            ml_dsa_key,
-            .init = ml_dsa_sig_init,
-            .verify = ml_dsa_sig_init,
-        },
-    },
-#endif /* OPENSSL_NO_ML_DSA */
-#ifndef OPENSSL_NO_SLH_DSA
-    /*
-     * FIPS 140-3 IG 10.3.A.16 Note 29 says:
-     *
-     *  It is recommended (but not required) that if the module implements
-     *   both "s" and "f" algorithms, the module self-test at least one of
-     *   each "s" and "f" algorithm.
-     *
-     * Because the "s" version is so slow, we only test the "f" versions
-     * here.
-     */
-    {
-        "SLH-DSA-SHA2-128f",
-        OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_DEFERRED,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(slh_dsa_sha2_sig_msg),
-        ITM_BUF(slh_dsa_sha2_128f_sig_digest),
-        .u.sig = {
-            "SLH-DSA-SHA2-128f",
-            SIGNATURE_MODE_SIG_DIGESTED,
-            slh_dsa_sha2_128f_key_params,
-            .init = slh_dsa_sig_params,
-            .verify = slh_dsa_sig_params,
-        },
-    },
-    {
-        "SLH-DSA-SHAKE-128f",
-        OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
-        SELF_TEST_KAT_SIGNATURE,
-        SELF_TEST_DEFERRED,
-        SELF_TEST_STATE_INIT,
-        ITM_BUF(slh_dsa_shake_sig_msg),
-        ITM_BUF(slh_dsa_shake_128f_sig_digest),
-        .u.sig = {
-            "SLH-DSA-SHAKE-128f",
-            SIGNATURE_MODE_SIG_DIGESTED,
-            slh_dsa_shake_128f_key_params,
-            .init = slh_dsa_sig_params,
-            .verify = slh_dsa_sig_params,
-        },
-    },
-#endif /* OPENSSL_NO_SLH_DSA */
-#ifndef OPENSSL_NO_LMS
-    st_kat_lms_test,
-#endif /* OPENSSL_NO_LMS */
-};
-int st_kat_sign_tests_size = OSSL_NELEM(st_kat_sign_tests);
-
 #if !defined(OPENSSL_NO_ML_DSA)
 static const ST_KAT_PARAM ml_dsa_keygen_params[] = {
     ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_ML_DSA_SEED, sig_kat_entropyin),
@@ -3795,45 +3259,538 @@ static const ST_KAT_PARAM ml_kem_key[] = {
     ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, ml_kem_512_private_key),
     ST_KAT_PARAM_END()
 };
-
-const ST_DEFINITION st_kat_kem_tests[] = {
-    { "ML-KEM-512",
-        OSSL_SELF_TEST_DESC_KEM,
-        SELF_TEST_KAT_KEM,
-        SELF_TEST_ONLOAD,
-        SELF_TEST_STATE_INIT,
-        .u.kem = {
-            ml_kem_key,
-            ITM_BUF(ml_kem_512_cipher_text),
-            ITM_BUF(ml_kem_512_entropy),
-            ITM_BUF(ml_kem_512_secret),
-            ITM_BUF(ml_kem_512_reject_secret) } },
-};
-int st_kat_kem_tests_size = OSSL_NELEM(st_kat_kem_tests);
 #endif /* OPENSSL_NO_ML_KEM */
 
-#if !defined(OPENSSL_NO_ML_KEM) || !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
-const ST_DEFINITION st_kat_asym_keygen_tests[] = {
-#if !defined(OPENSSL_NO_ML_KEM)
-    /*
-     * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM
-     * key generation.
-     */
+ST_DEFINITION st_all_tests[ST_ID_MAX] = {
+    {
+        "SHA1",
+        OSSL_SELF_TEST_DESC_MD_SHA1,
+        SELF_TEST_KAT_DIGEST,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(sha1_pt),
+        ITM_BUF(sha1_digest),
+    },
+    {
+        "SHA512",
+        OSSL_SELF_TEST_DESC_MD_SHA2,
+        SELF_TEST_KAT_DIGEST,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(sha512_pt),
+        ITM_BUF(sha512_digest),
+    },
+    {
+        "SHA3-256",
+        OSSL_SELF_TEST_DESC_MD_SHA3,
+        SELF_TEST_KAT_DIGEST,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(sha3_256_pt),
+        ITM_BUF(sha3_256_digest),
+    },
+    { "AES-256-GCM",
+        OSSL_SELF_TEST_DESC_CIPHER_AES_GCM,
+        SELF_TEST_KAT_CIPHER,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(aes_256_gcm_pt),
+        ITM_BUF(aes_256_gcm_ct),
+        .u.cipher = {
+            CIPHER_MODE_ENCRYPT | CIPHER_MODE_DECRYPT,
+            ITM_BUF(aes_256_gcm_key),
+            ITM_BUF(aes_256_gcm_iv),
+            ITM_BUF(aes_256_gcm_aad),
+            ITM_BUF(aes_256_gcm_tag) } },
+    {
+        "AES-128-ECB",
+        OSSL_SELF_TEST_DESC_CIPHER_AES_ECB,
+        SELF_TEST_KAT_CIPHER,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(aes_128_ecb_pt),
+        ITM_BUF(aes_128_ecb_ct),
+        .u.cipher = {
+            CIPHER_MODE_DECRYPT,
+            ITM_BUF(aes_128_ecb_key),
+        },
+    },
+#ifndef OPENSSL_NO_DES
+    {
+        "DES-EDE3-ECB",
+        OSSL_SELF_TEST_DESC_CIPHER_TDES,
+        SELF_TEST_KAT_CIPHER,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(tdes_pt),
+        ITM_BUF(tdes_ct),
+        .u.cipher = {
+            CIPHER_MODE_DECRYPT,
+            ITM_BUF(tdes_key),
+        },
+    },
+#endif
+    {
+        "RSA-SHA256",
+        OSSL_SELF_TEST_DESC_SIGN_RSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(rsa_sig_msg),
+        ITM_BUF(rsa_expected_sig),
+        .u.sig = {
+            "RSA",
+            0,
+            rsa_crt_key,
+            ITM_BUF(sig_kat_entropyin),
+            ITM_BUF(sig_kat_nonce),
+            ITM_BUF(sig_kat_persstr),
+        },
+    },
+#ifndef OPENSSL_NO_EC
+    {
+        "ECDSA-SHA256",
+        OSSL_SELF_TEST_DESC_SIGN_ECDSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(rsa_sig_msg),
+        ITM_BUF(ecdsa_prime_expected_sig),
+        .u.sig = {
+            "EC",
+            0,
+            ecdsa_prime_key,
+            ITM_BUF(sig_kat_entropyin),
+            ITM_BUF(sig_kat_nonce),
+            ITM_BUF(sig_kat_persstr),
+        },
+    },
+#ifndef OPENSSL_NO_HMAC_DRBG_KDF
+    {
+        "ECDSA-SHA256",
+        OSSL_SELF_TEST_DESC_SIGN_DetECDSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(rsa_sig_msg),
+        ITM_BUF(ecdsa_prime_expected_detsig),
+        .u.sig = {
+            "EC",
+            0,
+            ecdsa_prime_key,
+            .init = ecdsa_sig_params,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_EC2M
+    {
+        "ECDSA-SHA256",
+        OSSL_SELF_TEST_DESC_SIGN_ECDSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(rsa_sig_msg),
+        ITM_BUF(ecdsa_bin_expected_sig),
+        .u.sig = {
+            "EC",
+            0,
+            ecdsa_bin_key,
+            ITM_BUF(sig_kat_entropyin),
+            ITM_BUF(sig_kat_nonce),
+            ITM_BUF(sig_kat_persstr),
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_ECX
+    {
+        "ED448",
+        OSSL_SELF_TEST_DESC_SIGN_EDDSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(ecx_sig_msg),
+        ITM_BUF(ed448_expected_sig),
+        .u.sig = {
+            "ED448",
+            0,
+            ed448_key,
+        },
+    },
+    {
+        "ED25519",
+        OSSL_SELF_TEST_DESC_SIGN_EDDSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(ecx_sig_msg),
+        ITM_BUF(ed25519_expected_sig),
+        .u.sig = {
+            "ED25519",
+            0,
+            ed25519_key,
+        },
+    },
+#endif /* OPENSSL_NO_ECX */
+#endif /* OPENSSL_NO_EC */
+#ifndef OPENSSL_NO_DSA
+    {
+        "DSA-SHA256",
+        OSSL_SELF_TEST_DESC_SIGN_DSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF_STR(rsa_sig_msg),
+        ITM_BUF(dsa_expected_sig),
+        .u.sig = {
+            "DSA",
+            SIGNATURE_MODE_VERIFY_ONLY,
+            dsa_key,
+            ITM_BUF(sig_kat_entropyin),
+            ITM_BUF(sig_kat_nonce),
+            ITM_BUF(sig_kat_persstr),
+        },
+    },
+#endif /* OPENSSL_NO_DSA */
+#ifndef OPENSSL_NO_ML_DSA
+    {
+        "ML-DSA-65",
+        OSSL_SELF_TEST_DESC_SIGN_ML_DSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(ml_dsa_65_msg),
+        ITM_BUF(ml_dsa_65_sig),
+        .u.sig = {
+            "ML-DSA-65",
+            0,
+            ml_dsa_key,
+            .init = ml_dsa_sig_init,
+            .verify = ml_dsa_sig_init,
+        },
+    },
+#endif /* OPENSSL_NO_ML_DSA */
+#ifndef OPENSSL_NO_SLH_DSA
+    /*
+     * FIPS 140-3 IG 10.3.A.16 Note 29 says:
+     *
+     *  It is recommended (but not required) that if the module implements
+     *   both "s" and "f" algorithms, the module self-test at least one of
+     *   each "s" and "f" algorithm.
+     *
+     * Because the "s" version is so slow, we only test the "f" versions
+     * here.
+     */
+    {
+        "SLH-DSA-SHA2-128f",
+        OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_DEFERRED,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(slh_dsa_sha2_sig_msg),
+        ITM_BUF(slh_dsa_sha2_128f_sig_digest),
+        .u.sig = {
+            "SLH-DSA-SHA2-128f",
+            SIGNATURE_MODE_SIG_DIGESTED,
+            slh_dsa_sha2_128f_key_params,
+            .init = slh_dsa_sig_params,
+            .verify = slh_dsa_sig_params,
+        },
+    },
+    {
+        "SLH-DSA-SHAKE-128f",
+        OSSL_SELF_TEST_DESC_SIGN_SLH_DSA,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_DEFERRED,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(slh_dsa_shake_sig_msg),
+        ITM_BUF(slh_dsa_shake_128f_sig_digest),
+        .u.sig = {
+            "SLH-DSA-SHAKE-128f",
+            SIGNATURE_MODE_SIG_DIGESTED,
+            slh_dsa_shake_128f_key_params,
+            .init = slh_dsa_sig_params,
+            .verify = slh_dsa_sig_params,
+        },
+    },
+#endif /* OPENSSL_NO_SLH_DSA */
+/*
+ * FIPS 140-3 IG 10.3.A Note 5 mandates a CAST for LMS.
+ *
+ * It permits this to be omitted if HSS is also implemented and has
+ * the relevant self tests.  Once HSS is implemented, this test can be
+ * removed.  This IG permits the digest's CAST to be subsumed into this
+ * test, however, because this will be removed, the underlying digest
+ * test has been retained elsewhere lest it is accidentally omitted.
+ */
+#ifndef OPENSSL_NO_LMS
+    {
+        "LMS",
+        OSSL_SELF_TEST_DESC_SIGN_LMS,
+        SELF_TEST_KAT_SIGNATURE,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        ITM_BUF(sha256_192_msg),
+        ITM_BUF(sha256_192_sig),
+        .u.sig = {
+            "LMS",
+            SIGNATURE_MODE_VERIFY_ONLY,
+            lms_key,
+        },
+    },
+#endif /* OPENSSL_NO_LMS */
+    {
+        OSSL_KDF_NAME_TLS1_3_KDF,
+        OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(tls13_kdf_early_secret),
+        .u.kdf = {
+            tls13_kdf_early_secret_params,
+        },
+    },
+    {
+        OSSL_KDF_NAME_TLS1_3_KDF,
+        OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(tls13_kdf_client_early_traffic_secret),
+        .u.kdf = {
+            tls13_kdf_client_early_secret_params,
+        },
+    },
+    {
+        OSSL_KDF_NAME_TLS1_PRF,
+        OSSL_SELF_TEST_DESC_KDF_TLS12_PRF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(tls12prf_expected),
+        .u.kdf = {
+            tls12prf_params,
+        },
+    },
+    {
+        OSSL_KDF_NAME_PBKDF2,
+        OSSL_SELF_TEST_DESC_KDF_PBKDF2,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(pbkdf2_expected),
+        .u.kdf = {
+            pbkdf2_params,
+        },
+    },
+#ifndef OPENSSL_NO_KBKDF
+    {
+        OSSL_KDF_NAME_KBKDF,
+        OSSL_SELF_TEST_DESC_KDF_KBKDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(kbkdf_expected),
+        .u.kdf = {
+            kbkdf_params,
+        },
+    },
+    {
+        OSSL_KDF_NAME_KBKDF,
+        OSSL_SELF_TEST_DESC_KDF_KBKDF_KMAC,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(kbkdf_kmac_expected),
+        .u.kdf = {
+            kbkdf_kmac_params,
+        },
+    },
+#endif
+    {
+        OSSL_KDF_NAME_HKDF,
+        OSSL_SELF_TEST_DESC_KDF_HKDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(hkdf_expected),
+        .u.kdf = {
+            hkdf_params,
+        },
+    },
+#ifndef OPENSSL_NO_SNMPKDF
+    {
+        OSSL_KDF_NAME_SNMPKDF,
+        OSSL_SELF_TEST_DESC_KDF_SNMPKDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(snmpkdf_expected),
+        .u.kdf = {
+            snmpkdf_params,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_SRTPKDF
+    {
+        OSSL_KDF_NAME_SRTPKDF,
+        OSSL_SELF_TEST_DESC_KDF_SRTPKDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(srtpkdf_expected),
+        .u.kdf = {
+            srtpkdf_params,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_SSKDF
+    {
+        OSSL_KDF_NAME_SSKDF,
+        OSSL_SELF_TEST_DESC_KDF_SSKDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(sskdf_expected),
+        .u.kdf = {
+            sskdf_params,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_X963KDF
+    {
+        OSSL_KDF_NAME_X963KDF,
+        OSSL_SELF_TEST_DESC_KDF_X963KDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(x963kdf_expected),
+        .u.kdf = {
+            x963kdf_params,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_X942KDF
+    {
+        OSSL_KDF_NAME_X942KDF_ASN1,
+        OSSL_SELF_TEST_DESC_KDF_X942KDF,
+        SELF_TEST_KAT_KDF,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(x942kdf_expected),
+        .u.kdf = {
+            x942kdf_params,
+        },
+    },
+#endif
+    {
+        "HASH-DRBG",
+        OSSL_SELF_TEST_DESC_DRBG_HASH,
+        SELF_TEST_DRBG,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(drbg_hash_sha256_pr_expected),
+        .u.drbg = {
+            "digest",
+            "SHA256",
+            ITM_BUF(drbg_hash_sha256_pr_entropyin),
+            ITM_BUF(drbg_hash_sha256_pr_nonce),
+            ITM_BUF(drbg_hash_sha256_pr_persstr),
+            ITM_BUF(drbg_hash_sha256_pr_entropyinpr0),
+            ITM_BUF(drbg_hash_sha256_pr_entropyinpr1),
+            ITM_BUF(drbg_hash_sha256_pr_addin0),
+            ITM_BUF(drbg_hash_sha256_pr_addin1),
+        },
+    },
+    {
+        "CTR-DRBG",
+        OSSL_SELF_TEST_DESC_DRBG_CTR,
+        SELF_TEST_DRBG,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(drbg_ctr_aes128_pr_df_expected),
+        .u.drbg = {
+            "cipher",
+            "AES-128-CTR",
+            ITM_BUF(drbg_ctr_aes128_pr_df_entropyin),
+            ITM_BUF(drbg_ctr_aes128_pr_df_nonce),
+            ITM_BUF(drbg_ctr_aes128_pr_df_persstr),
+            ITM_BUF(drbg_ctr_aes128_pr_df_entropyinpr0),
+            ITM_BUF(drbg_ctr_aes128_pr_df_entropyinpr1),
+            ITM_BUF(drbg_ctr_aes128_pr_df_addin0),
+            ITM_BUF(drbg_ctr_aes128_pr_df_addin1),
+        },
+    },
+    {
+        "HMAC-DRBG",
+        OSSL_SELF_TEST_DESC_DRBG_HMAC,
+        SELF_TEST_DRBG,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(drbg_hmac_sha2_pr_expected),
+        .u.drbg = {
+            "digest",
+            "SHA256",
+            ITM_BUF(drbg_hmac_sha2_pr_entropyin),
+            ITM_BUF(drbg_hmac_sha2_pr_nonce),
+            ITM_BUF(drbg_hmac_sha2_pr_persstr),
+            ITM_BUF(drbg_hmac_sha2_pr_entropyinpr0),
+            ITM_BUF(drbg_hmac_sha2_pr_entropyinpr1),
+            ITM_BUF(drbg_hmac_sha2_pr_addin0),
+            ITM_BUF(drbg_hmac_sha2_pr_addin1),
+        },
+    },
+#ifndef OPENSSL_NO_DH
+    {
+        "DH",
+        OSSL_SELF_TEST_DESC_KA_DH,
+        SELF_TEST_KAT_KAS,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(dh_secret_expected),
+        .u.kas = {
+            dh_group,
+            dh_host_key,
+            dh_peer_key,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_EC
+    {
+        "EC",
+        OSSL_SELF_TEST_DESC_KA_ECDH,
+        SELF_TEST_KAT_KAS,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .expected = ITM_BUF(ecdh_secret_expected),
+        .u.kas = {
+            ecdh_group,
+            ecdh_host_key,
+            ecdh_peer_key,
+        },
+    },
+#endif
+#ifndef OPENSSL_NO_ML_KEM
+    /*
+     * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM
+     * key generation.
+     */
     {
         "ML-KEM-512",
         OSSL_SELF_TEST_DESC_KEYGEN_ML_KEM,
-        SELF_TEST_KAT_ASYM_CIPHER,
+        SELF_TEST_KAT_ASYM_KEYGEN,
         SELF_TEST_ONLOAD,
         SELF_TEST_STATE_INIT,
         .u.akgen = {
             ml_kem_keygen_params,
-            ml_kem_key } },
+            ml_kem_key,
+        },
+    },
 #endif
-#if !defined(OPENSSL_NO_ML_DSA)
+#ifndef OPENSSL_NO_ML_DSA
     {
         "ML-DSA-65",
         OSSL_SELF_TEST_DESC_KEYGEN_ML_DSA,
-        SELF_TEST_KAT_ASYM_CIPHER,
+        SELF_TEST_KAT_ASYM_KEYGEN,
         SELF_TEST_ONLOAD,
         SELF_TEST_STATE_INIT,
         .u.akgen = {
@@ -3842,11 +3799,11 @@ const ST_DEFINITION st_kat_asym_keygen_tests[] = {
         },
     },
 #endif
-#if !defined(OPENSSL_NO_SLH_DSA)
+#ifndef OPENSSL_NO_SLH_DSA
     {
         "SLH-DSA-SHA2-128f",
         OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA,
-        SELF_TEST_KAT_ASYM_CIPHER,
+        SELF_TEST_KAT_ASYM_KEYGEN,
         SELF_TEST_DEFERRED,
         SELF_TEST_STATE_INIT,
         .u.akgen = {
@@ -3855,12 +3812,24 @@ const ST_DEFINITION st_kat_asym_keygen_tests[] = {
         },
     },
 #endif
-};
-int st_kat_asym_keygen_tests_size = OSSL_NELEM(st_kat_asym_keygen_tests);
-#endif /* !OPENSSL_NO_ML_DSA || !OPENSSL_NO_SLH_DSA */
-
-const ST_DEFINITION st_kat_asym_cipher_tests[] = {
-    { "RSA",
+#ifndef OPENSSL_NO_ML_KEM
+    {
+        "ML-KEM-512",
+        OSSL_SELF_TEST_DESC_KEM,
+        SELF_TEST_KAT_KEM,
+        SELF_TEST_ONLOAD,
+        SELF_TEST_STATE_INIT,
+        .u.kem = {
+            ml_kem_key,
+            ITM_BUF(ml_kem_512_cipher_text),
+            ITM_BUF(ml_kem_512_entropy),
+            ITM_BUF(ml_kem_512_secret),
+            ITM_BUF(ml_kem_512_reject_secret),
+        },
+    },
+#endif
+    {
+        "RSA",
         OSSL_SELF_TEST_DESC_ASYM_RSA_ENC,
         SELF_TEST_KAT_ASYM_CIPHER,
         SELF_TEST_ONLOAD,
@@ -3871,15 +3840,16 @@ const ST_DEFINITION st_kat_asym_cipher_tests[] = {
             1,
             rsa_pub_key,
             rsa_enc_params,
-        } },
+        },
+    },
     {
         "RSA",
         OSSL_SELF_TEST_DESC_ASYM_RSA_DEC,
         SELF_TEST_KAT_ASYM_CIPHER,
         SELF_TEST_ONLOAD,
         SELF_TEST_STATE_INIT,
-        ITM(rsa_asym_expected_encrypt),
-        ITM(rsa_asym_plaintext_encrypt),
+        ITM_BUF(rsa_asym_expected_encrypt),
+        ITM_BUF(rsa_asym_plaintext_encrypt),
         .u.ac = {
             0,
             rsa_priv_key,
@@ -3892,8 +3862,8 @@ const ST_DEFINITION st_kat_asym_cipher_tests[] = {
         SELF_TEST_KAT_ASYM_CIPHER,
         SELF_TEST_ONLOAD,
         SELF_TEST_STATE_INIT,
-        ITM(rsa_asym_expected_encrypt),
-        ITM(rsa_asym_plaintext_encrypt),
+        ITM_BUF(rsa_asym_expected_encrypt),
+        ITM_BUF(rsa_asym_plaintext_encrypt),
         .u.ac = {
             0,
             rsa_crt_key,
@@ -3901,4 +3871,3 @@ const ST_DEFINITION st_kat_asym_cipher_tests[] = {
         },
     },
 };
-int st_kat_asym_cipher_tests_size = OSSL_NELEM(st_kat_asym_cipher_tests);
diff --git a/providers/fips/self_test_data.h b/providers/fips/self_test_data.h
deleted file mode 100644
index bfa3d54ae5d..00000000000
--- a/providers/fips/self_test_data.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * This file contains self test data required by FIPS 140-3 IG
- * 10.3.A Cryptographic Algorithm Self test Requirements
- *
- * Note that in the 'General CAST requirements': Note33 Allows individual
- * self tests for low level algorithms (such as digests) to be omitted, if
- * they are tested as part of a higher level algorithm (such as HMAC).
- */
-
-extern const ST_DEFINITION st_kat_digest_tests[];
-extern int st_kat_digest_tests_size;
-extern const ST_DEFINITION st_kat_cipher_tests[];
-extern int st_kat_cipher_tests_size;
-#ifndef OPENSSL_NO_LMS
-extern const ST_DEFINITION st_kat_lms_test;
-#endif
-extern const ST_DEFINITION st_kat_kdf_tests[];
-extern int st_kat_kdf_tests_size;
-extern const ST_DEFINITION st_kat_drbg_tests[];
-extern int st_kat_drbg_tests_size;
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
-extern const ST_DEFINITION st_kat_kas_tests[];
-extern int st_kat_kas_tests_size;
-#endif
-extern const ST_DEFINITION st_kat_sign_tests[];
-extern int st_kat_sign_tests_size;
-#ifndef OPENSSL_NO_ML_KEM
-extern const ST_DEFINITION st_kat_kem_tests[];
-extern int st_kat_kem_tests_size;
-#endif
-#if !defined(OPENSSL_NO_ML_KEM) || !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
-extern const ST_DEFINITION st_kat_asym_keygen_tests[];
-extern int st_kat_asym_keygen_tests_size;
-#endif
-extern const ST_DEFINITION st_kat_asym_cipher_tests[];
-extern int st_kat_asym_cipher_tests_size;
diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
index f4cda15d8df..1750c99609d 100644
--- a/providers/fips/self_test_kats.c
+++ b/providers/fips/self_test_kats.c
@@ -17,8 +17,6 @@
 #include "crypto/rand.h"
 #include "internal/cryptlib.h"
 #include "self_test.h"
-#include "self_test_data.h"
-#include "internal/fips.h"
 
 static int set_kat_drbg(OSSL_LIB_CTX *ctx,
     const unsigned char *entropy, size_t entropy_len,
@@ -901,125 +899,6 @@ err:
     return ret;
 }
 
-#define RUN_TEST(test) \
-    ((test.deferred != SELF_TEST_DEFERRED) || do_deferred)
-
-/*
- * Test a data driven list of KAT's for digest algorithms.
- * All tests are run regardless of if they fail or not.
- * Return 0 if any test fails.
- */
-static int self_test_digests(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_digest_tests_size; ++i) {
-        if (RUN_TEST(st_kat_digest_tests[i]))
-            if (!self_test_digest(&st_kat_digest_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
-static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_cipher_tests_size; ++i) {
-        if (RUN_TEST(st_kat_cipher_tests[i]))
-            if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
-static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int ret = 1;
-#ifndef OPENSSL_NO_ML_KEM
-    int i;
-
-    for (i = 0; i < st_kat_kem_tests_size; ++i) {
-        if (RUN_TEST(st_kat_kem_tests[i]))
-            if (!self_test_kem(&st_kat_kem_tests[i], st, libctx))
-                ret = 0;
-    }
-#endif
-    return ret;
-}
-
-static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_asym_cipher_tests_size; ++i) {
-        if (RUN_TEST(st_kat_asym_cipher_tests[i]))
-            if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
-static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_kdf_tests_size; ++i) {
-        if (RUN_TEST(st_kat_kdf_tests[i]))
-            if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
-static int self_test_drbgs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_drbg_tests_size; ++i) {
-        if (RUN_TEST(st_kat_drbg_tests[i]))
-            if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
-static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int ret = 1;
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
-    int i;
-
-    for (i = 0; i < st_kat_kas_tests_size; ++i) {
-        if (RUN_TEST(st_kat_kas_tests[i]))
-            if (!self_test_ka(&st_kat_kas_tests[i], st, libctx))
-                ret = 0;
-    }
-#endif
-
-    return ret;
-}
-
-static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_sign_tests_size; ++i) {
-        if (RUN_TEST(st_kat_sign_tests[i]))
-            if (!self_test_digest_sign(&st_kat_sign_tests[i], st, libctx))
-                ret = 0;
-    }
-    return ret;
-}
-
 /*
  * Swap the library context DRBG for KAT testing
  *
@@ -1160,24 +1039,6 @@ err:
     return 0;
 }
 
-static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int do_deferred)
-{
-#if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
-    int i, ret = 1;
-
-    for (i = 0; i < st_kat_asym_keygen_tests_size; ++i) {
-        if (RUN_TEST(st_kat_asym_keygen_tests[i]))
-            continue;
-        if (!self_test_asym_keygen(&st_kat_asym_keygen_tests[i], st, libctx))
-            ret = 0;
-    }
-    return ret;
-#else
-    return 1;
-#endif /* OPENSSL_NO_ML_DSA */
-}
-
 /*
  * Run the algorithm KAT's.
  * Return 1 is successful, otherwise return 0.
@@ -1187,7 +1048,7 @@ static int self_test_asym_keygens(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
 int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred)
 {
     EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx);
-    int ret = 1;
+    int i, ret = 1;
 
     if (saved_rand != NULL && !EVP_RAND_CTX_up_ref(saved_rand))
         return 0;
@@ -1201,24 +1062,49 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred)
         return 0;
     }
 
-    if (!self_test_digests(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_ciphers(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_signatures(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_kdfs(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_drbgs(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_kas(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_asym_keygens(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_kems(st, libctx, do_deferred))
-        ret = 0;
-    if (!self_test_asym_ciphers(st, libctx, do_deferred))
-        ret = 0;
+    for (i = 0; i < ST_ID_MAX; i++) {
+        int res;
+
+        if (!do_deferred && (st_all_tests[i].deferred == SELF_TEST_DEFERRED))
+            continue;
+
+        switch (st_all_tests[i].category) {
+        case SELF_TEST_KAT_DIGEST:
+            res = self_test_digest(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_CIPHER:
+            res = self_test_cipher(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_SIGNATURE:
+            res = self_test_digest_sign(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_KDF:
+            res = self_test_kdf(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_DRBG:
+            res = self_test_drbg(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_KAS:
+            res = self_test_ka(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_ASYM_KEYGEN:
+            res = self_test_asym_keygen(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_KEM:
+            res = self_test_kem(&st_all_tests[i], st, libctx);
+            break;
+        case SELF_TEST_KAT_ASYM_CIPHER:
+            res = self_test_asym_cipher(&st_all_tests[i], st, libctx);
+            break;
+        default:
+            res = 0;
+            break;
+        }
+        if (res)
+            st_all_tests[i].state = SELF_TEST_STATE_PASSED;
+        else
+            ret = 0;
+    }
 
     RAND_set0_private(libctx, saved_rand);
     /* The above call will cause main_rand to be freed */
@@ -1237,14 +1123,12 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int do_deferred)
  * NOTE: currently tests that require the TEST RNG will not work, as we can't
  * replace the working DRBG with the TEST DRB after initialization.
  */
-int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
-    int type, const char *alg_name)
+int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx, int id)
 {
     EVP_RAND_CTX *saved_rand = ossl_rand_get0_private_noncreating(libctx);
-    int ret = 1;
-    int i, found = 0;
+    int ret;
 
-    if (alg_name == NULL)
+    if (id >= ST_ID_MAX)
         return 0;
 
     if (saved_rand != NULL && !EVP_RAND_CTX_up_ref(saved_rand))
@@ -1257,129 +1141,53 @@ int SELF_TEST_kats_single(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx,
         return 0;
     }
 
-    switch (type) {
-    case FIPS_DEFERRED_KAT_DIGEST:
-        for (i = 0; i < st_kat_digest_tests_size; ++i) {
-            if (strcmp(st_kat_digest_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_digest(&st_kat_digest_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    switch (st_all_tests[id].category) {
+    case SELF_TEST_KAT_DIGEST:
+        ret = self_test_digest(&st_all_tests[id], st, libctx);
         break;
-
-    case FIPS_DEFERRED_KAT_CIPHER:
-        for (i = 0; i < st_kat_cipher_tests_size; ++i) {
-            if (strcmp(st_kat_cipher_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_cipher(&st_kat_cipher_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_CIPHER:
+        ret = self_test_cipher(&st_all_tests[id], st, libctx);
         break;
-
-    case FIPS_DEFERRED_KAT_SIGNATURE:
-        for (i = 0; i < st_kat_sign_tests_size; ++i) {
-            if (strcmp(st_kat_sign_tests[i].algorithm, alg_name) == 0
-                || strcmp(st_kat_sign_tests[i].u.sig.keytype, alg_name) == 0) {
-                found = 1;
-                if (!self_test_digest_sign(&st_kat_sign_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_SIGNATURE:
+        ret = self_test_digest_sign(&st_all_tests[id], st, libctx);
         break;
-
-    case FIPS_DEFERRED_KAT_KDF:
-        for (i = 0; i < st_kat_kdf_tests_size; ++i) {
-            if (strcmp(st_kat_kdf_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_kdf(&st_kat_kdf_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_KDF:
+        ret = self_test_kdf(&st_all_tests[id], st, libctx);
         break;
-
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
-    case FIPS_DEFERRED_KAT_KA:
-        for (i = 0; i < st_kat_kas_tests_size; ++i) {
-            if (strcmp(st_kat_kas_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_ka(&st_kat_kas_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_DRBG:
+        ret = self_test_drbg(&st_all_tests[id], st, libctx);
         break;
-#endif
-
-#if !defined(OPENSSL_NO_ML_DSA) || !defined(OPENSSL_NO_SLH_DSA)
-    case FIPS_DEFERRED_KAT_ASYM_KEYGEN:
-        for (i = 0; i < st_kat_asym_keygen_tests_size; ++i) {
-            if (strcmp(st_kat_asym_keygen_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_asym_keygen(&st_kat_asym_keygen_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_KAS:
+        ret = self_test_ka(&st_all_tests[id], st, libctx);
         break;
-#endif /* OPENSSL_NO_ML_DSA */
-
-#ifndef OPENSSL_NO_ML_KEM
-    case FIPS_DEFERRED_KAT_KEM:
-        for (i = 0; i < st_kat_kem_tests_size; ++i) {
-            if (strcmp(st_kat_kem_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_kem(&st_kat_kem_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_ASYM_KEYGEN:
+        ret = self_test_asym_keygen(&st_all_tests[id], st, libctx);
         break;
-#endif
-
-    case FIPS_DEFERRED_KAT_ASYM_CIPHER:
-        for (i = 0; i < st_kat_asym_cipher_tests_size; ++i) {
-            if (strcmp(st_kat_asym_cipher_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_KEM:
+        ret = self_test_kem(&st_all_tests[id], st, libctx);
         break;
-
-    case FIPS_DEFERRED_DRBG:
-        for (i = 0; i < st_kat_drbg_tests_size; ++i) {
-            if (strcmp(st_kat_drbg_tests[i].algorithm, alg_name) == 0) {
-                found = 1;
-                if (!self_test_drbg(&st_kat_drbg_tests[i], st, libctx)) {
-                    ret = 0;
-                    goto done;
-                }
-            }
-        }
+    case SELF_TEST_KAT_ASYM_CIPHER:
+        ret = self_test_asym_cipher(&st_all_tests[id], st, libctx);
         break;
-
     default:
-        /* not tests yet, or bad type */
+        ret = 0;
         break;
     }
+    if (ret)
+        st_all_tests[id].state = SELF_TEST_STATE_PASSED;
+    else
+        st_all_tests[id].state = SELF_TEST_STATE_FAILED;
 
-done:
     RAND_set0_private(libctx, saved_rand);
-    /* If no test was found for alg_name, it is considered a failure */
-    return ret && found;
+    return ret;
+}
+
+int ossl_self_test_in_progress(self_test_id_t id)
+{
+    if (id >= ST_ID_MAX)
+        return 0;
+
+    if (st_all_tests[id].state == SELF_TEST_STATE_IN_PROGRESS)
+        return 1;
+    return 0;
 }
diff --git a/providers/implementations/keymgmt/slh_dsa_kmgmt.c b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
index c1c4ce5383b..292ce22e9f0 100644
--- a/providers/implementations/keymgmt/slh_dsa_kmgmt.c
+++ b/providers/implementations/keymgmt/slh_dsa_kmgmt.c
@@ -45,22 +45,13 @@ static OSSL_FUNC_keymgmt_dup_fn slh_dsa_dup_key;
 
 #define SLH_DSA_POSSIBLE_SELECTIONS (OSSL_KEYMGMT_SELECT_KEYPAIR)
 
-#ifdef FIPS_MODULE
-static FIPS_DEFERRED_TEST slh_key_gen_deferred_tests[] = {
-    { "SLH-DSA-SHA2-128f",
-        FIPS_DEFERRED_KAT_ASYM_KEYGEN,
-        FIPS_DEFERRED_TEST_INIT },
-    { NULL, 0, 0 },
-};
-#endif
-
 static int slh_dsa_self_check(OSSL_LIB_CTX *libctx)
 {
     if (!ossl_prov_is_running())
         return 0;
 
 #ifdef FIPS_MODULE
-    return FIPS_deferred_self_tests(libctx, slh_key_gen_deferred_tests);
+    return ossl_deferred_self_test(libctx, ST_ID_ASYM_KEYGEN_SLH_DSA);
 #else
     return 1;
 #endif
@@ -318,7 +309,7 @@ static int slh_dsa_fips140_pairwise_test(const SLH_DSA_KEY *key,
 
     /* During self test, it is a waste to do this test */
     if (ossl_fips_self_testing()
-        || slh_key_gen_deferred_tests[0].state == FIPS_DEFERRED_TEST_IN_PROGRESS)
+        || ossl_self_test_in_progress(ST_ID_ASYM_KEYGEN_SLH_DSA))
         return 1;
 
     if (ctx == NULL) {
diff --git a/providers/implementations/signature/slh_dsa_sig.c b/providers/implementations/signature/slh_dsa_sig.c
index 65796b03f94..600cf7f19e9 100644
--- a/providers/implementations/signature/slh_dsa_sig.c
+++ b/providers/implementations/signature/slh_dsa_sig.c
@@ -39,25 +39,16 @@ static OSSL_FUNC_signature_dupctx_fn slh_dsa_dupctx;
 static OSSL_FUNC_signature_set_ctx_params_fn slh_dsa_set_ctx_params;
 static OSSL_FUNC_signature_settable_ctx_params_fn slh_dsa_settable_ctx_params;
 
-#ifdef FIPS_MODULE
-static FIPS_DEFERRED_TEST slh_sig_deferred_tests[] = {
-    { "SLH-DSA-SHA2-128f",
-        FIPS_DEFERRED_KAT_SIGNATURE,
-        FIPS_DEFERRED_TEST_INIT },
-    { "SLH-DSA-SHAKE-128f",
-        FIPS_DEFERRED_KAT_SIGNATURE,
-        FIPS_DEFERRED_TEST_INIT },
-    { NULL, 0, 0 },
-};
-#endif
-
-static int slh_dsa_self_check(OSSL_LIB_CTX *libctx)
+static int slh_dsa_self_check(OSSL_LIB_CTX *libctx, const char *alg)
 {
     if (!ossl_prov_is_running())
         return 0;
 
 #ifdef FIPS_MODULE
-    return FIPS_deferred_self_tests(libctx, slh_sig_deferred_tests);
+    if (strstr(alg, "SLH-DSA-SHAKE"))
+        return ossl_deferred_self_test(libctx, ST_ID_SIG_SLH_DSA_SHAKE_128F);
+    else
+        return ossl_deferred_self_test(libctx, ST_ID_SIG_SLH_DSA_SHA2_128F);
 #else
     return 1;
 #endif
@@ -97,7 +88,7 @@ static void *slh_dsa_newctx(void *provctx, const char *alg, const char *propq)
 {
     PROV_SLH_DSA_CTX *ctx;
 
-    if (!slh_dsa_self_check(PROV_LIBCTX_OF(provctx)))
+    if (!slh_dsa_self_check(PROV_LIBCTX_OF(provctx), alg))
         return NULL;
 
     ctx = OPENSSL_zalloc(sizeof(PROV_SLH_DSA_CTX));