From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 12 Feb 2025 14:46:16 +0000 (+0100)
Subject: Make test_ssl_new execute tests with fips provider again
X-Git-Tag: openssl-3.5.0-alpha1~509
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c59f5f121075f94cf131cdc6d02437fa1fdc7151;p=thirdparty%2Fopenssl.git

Make test_ssl_new execute tests with fips provider again

This has regressed with
https://github.com/openssl/openssl/pull/24799

The test configs have to be generated differently based
on the fips provider version.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26715)
---

diff --git a/test/generate_ssl_tests.pl b/test/generate_ssl_tests.pl
index 9ff556c0a93..1de1f3a45c3 100644
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -15,7 +15,7 @@ use Cwd qw/abs_path/;
 use File::Basename;
 use File::Spec::Functions;
 
-use OpenSSL::Test qw/srctop_dir srctop_file/;
+use OpenSSL::Test qw/srctop_dir srctop_file run test/;
 use OpenSSL::Test::Utils;
 
 use FindBin;
@@ -136,10 +136,26 @@ sub print_templates {
 sub read_config {
     my $fname = shift;
     my $provider = shift;
-    local $ssltests::fips_mode = $provider eq "fips";
+
+    my $fips_mode = $provider eq "fips";
+    local $ssltests::fips_3_4 = 0;
+    local $ssltests::fips_3_5 = 0;
+
+    if ($fips_mode) {
+        my $provconf = srctop_file("test", "fips-and-base.cnf");
+        my $exit;
+
+        run(test(["fips_version_test", "-config", $provconf, ">=3.4.0"]),
+                 capture => 1, statusvar => \$exit);
+        $ssltests::fips_3_4 = $exit;
+        run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]),
+                 capture => 1, statusvar => \$exit);
+        $ssltests::fips_3_5 = $exit;
+    }
+
+    local $ssltests::fips_mode = $fips_mode;
     local $ssltests::no_deflt_libctx =
         $provider eq "default" || $provider eq "fips";
-
     open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
     local $/ = undef;
     my $content = <INPUT>;
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 5a33a4a327b..c581f34b58a 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -28,7 +28,6 @@ use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-my $dsaallow = '1';
 
 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
 
@@ -49,12 +48,6 @@ map { s/;.*// } @conf_srcs if $^O eq "VMS";
 my @conf_files = map { basename($_, ".in") } @conf_srcs;
 map { s/\^// } @conf_files if $^O eq "VMS";
 
-unless ($no_fips) {
-    my $provconf = srctop_file("test", "fips-and-base.cnf");
-    run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
-              capture => 1, statusvar => \$dsaallow);
-}
-
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
 my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
@@ -184,7 +177,6 @@ sub test_conf {
       # Test 3. Run the test.
       skip "No tests available; skipping tests", 1 if $skip;
       skip "Stale sources; skipping tests", 1 if !$run_test;
-      skip "Dsa not allowed in FIPS 140-3 provider", 1 if ($provider eq "fips") && ($dsaallow eq '0');
 
       my $msg = "running CTLOG_FILE=test/ct/log_list.cnf". # $ENV{CTLOG_FILE}.
           " TEST_CERTS_DIR=test/certs". # $ENV{TEST_CERTS_DIR}.
diff --git a/test/ssl-tests/13-fragmentation.cnf b/test/ssl-tests/13-fragmentation.cnf
index 649387c7b73..e3b532215b8 100644
--- a/test/ssl-tests/13-fragmentation.cnf
+++ b/test/ssl-tests/13-fragmentation.cnf
@@ -12,18 +12,18 @@ test-6 = 6-medium-plus-app-data
 test-7 = 7-large-app-data
 test-8 = 8-large-app-data-large-fragment-size
 test-9 = 9-large-app-data-odd-fragment-size
-test-10 = 10-large-app-data-aes-sha1-multibuffer
-test-11 = 11-large-app-data-aes-sha2-multibuffer
-test-12 = 12-large-app-data-aes-sha1-multibuffer-odd-fragment
-test-13 = 13-large-app-data-aes-sha2-multibuffer-odd-fragment
-test-14 = 14-small-app-data-aes-sha1-multibuffer
-test-15 = 15-small-app-data-aes-sha2-multibuffer
-test-16 = 16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled
-test-17 = 17-Maximum Fragment Len extension equal FragmentSize to 2048
-test-18 = 18-Maximum Fragment Len extension 512 lower than FragmentSize 1024
-test-19 = 19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024
-test-20 = 20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048
-test-21 = 21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024
+test-10 = 10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled
+test-11 = 11-Maximum Fragment Len extension equal FragmentSize to 2048
+test-12 = 12-Maximum Fragment Len extension 512 lower than FragmentSize 1024
+test-13 = 13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024
+test-14 = 14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048
+test-15 = 15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024
+test-16 = 16-large-app-data-aes-sha1-multibuffer
+test-17 = 17-large-app-data-aes-sha2-multibuffer
+test-18 = 18-large-app-data-aes-sha1-multibuffer-odd-fragment
+test-19 = 19-large-app-data-aes-sha2-multibuffer-odd-fragment
+test-20 = 20-small-app-data-aes-sha1-multibuffer
+test-21 = 21-small-app-data-aes-sha2-multibuffer
 # ===========================================================
 
 [0-one-fragment-minus-app-data]
@@ -259,319 +259,319 @@ MaxFragmentSize = 5115
 
 # ===========================================================
 
-[10-large-app-data-aes-sha1-multibuffer]
-ssl_conf = 10-large-app-data-aes-sha1-multibuffer-ssl
+[10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled]
+ssl_conf = 10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-ssl
 
-[10-large-app-data-aes-sha1-multibuffer-ssl]
-server = 10-large-app-data-aes-sha1-multibuffer-server
-client = 10-large-app-data-aes-sha1-multibuffer-client
+[10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-ssl]
+server = 10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-server
+client = 10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client
 
-[10-large-app-data-aes-sha1-multibuffer-server]
+[10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[10-large-app-data-aes-sha1-multibuffer-client]
-CipherString = AES128-SHA
-MaxProtocol = TLSv1.2
+[10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-10]
-ApplicationData = 1048576
-MaxFragmentSize = 4096
+ApplicationData = 3072
+MaxFragmentSize = 16384
+client = 10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client-extra
+
+[10-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client-extra]
+MaxFragmentLenExt = 1024
 
 
 # ===========================================================
 
-[11-large-app-data-aes-sha2-multibuffer]
-ssl_conf = 11-large-app-data-aes-sha2-multibuffer-ssl
+[11-Maximum Fragment Len extension equal FragmentSize to 2048]
+ssl_conf = 11-Maximum Fragment Len extension equal FragmentSize to 2048-ssl
 
-[11-large-app-data-aes-sha2-multibuffer-ssl]
-server = 11-large-app-data-aes-sha2-multibuffer-server
-client = 11-large-app-data-aes-sha2-multibuffer-client
+[11-Maximum Fragment Len extension equal FragmentSize to 2048-ssl]
+server = 11-Maximum Fragment Len extension equal FragmentSize to 2048-server
+client = 11-Maximum Fragment Len extension equal FragmentSize to 2048-client
 
-[11-large-app-data-aes-sha2-multibuffer-server]
+[11-Maximum Fragment Len extension equal FragmentSize to 2048-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[11-large-app-data-aes-sha2-multibuffer-client]
-CipherString = AES128-SHA256
-MaxProtocol = TLSv1.2
+[11-Maximum Fragment Len extension equal FragmentSize to 2048-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-11]
-ApplicationData = 1048576
-MaxFragmentSize = 4096
+ApplicationData = 3072
+MaxFragmentSize = 2048
+client = 11-Maximum Fragment Len extension equal FragmentSize to 2048-client-extra
+
+[11-Maximum Fragment Len extension equal FragmentSize to 2048-client-extra]
+MaxFragmentLenExt = 2048
 
 
 # ===========================================================
 
-[12-large-app-data-aes-sha1-multibuffer-odd-fragment]
-ssl_conf = 12-large-app-data-aes-sha1-multibuffer-odd-fragment-ssl
+[12-Maximum Fragment Len extension 512 lower than FragmentSize 1024]
+ssl_conf = 12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-ssl
 
-[12-large-app-data-aes-sha1-multibuffer-odd-fragment-ssl]
-server = 12-large-app-data-aes-sha1-multibuffer-odd-fragment-server
-client = 12-large-app-data-aes-sha1-multibuffer-odd-fragment-client
+[12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-ssl]
+server = 12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-server
+client = 12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client
 
-[12-large-app-data-aes-sha1-multibuffer-odd-fragment-server]
+[12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[12-large-app-data-aes-sha1-multibuffer-odd-fragment-client]
-CipherString = AES128-SHA
-MaxProtocol = TLSv1.2
+[12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-12]
-ApplicationData = 1048579
-MaxFragmentSize = 5115
+ApplicationData = 3072
+MaxFragmentSize = 1024
+client = 12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client-extra
+
+[12-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client-extra]
+MaxFragmentLenExt = 512
 
 
 # ===========================================================
 
-[13-large-app-data-aes-sha2-multibuffer-odd-fragment]
-ssl_conf = 13-large-app-data-aes-sha2-multibuffer-odd-fragment-ssl
+[13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024]
+ssl_conf = 13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-ssl
 
-[13-large-app-data-aes-sha2-multibuffer-odd-fragment-ssl]
-server = 13-large-app-data-aes-sha2-multibuffer-odd-fragment-server
-client = 13-large-app-data-aes-sha2-multibuffer-odd-fragment-client
+[13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-ssl]
+server = 13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-server
+client = 13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client
 
-[13-large-app-data-aes-sha2-multibuffer-odd-fragment-server]
+[13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[13-large-app-data-aes-sha2-multibuffer-odd-fragment-client]
-CipherString = AES128-SHA256
-MaxProtocol = TLSv1.2
+[13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-13]
-ApplicationData = 1048573
-MaxFragmentSize = 5125
+ApplicationData = 3072
+MaxFragmentSize = 1024
+client = 13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client-extra
+
+[13-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client-extra]
+MaxFragmentLenExt = 2048
 
 
 # ===========================================================
 
-[14-small-app-data-aes-sha1-multibuffer]
-ssl_conf = 14-small-app-data-aes-sha1-multibuffer-ssl
+[14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048]
+ssl_conf = 14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-ssl
 
-[14-small-app-data-aes-sha1-multibuffer-ssl]
-server = 14-small-app-data-aes-sha1-multibuffer-server
-client = 14-small-app-data-aes-sha1-multibuffer-client
+[14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-ssl]
+server = 14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-server
+client = 14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client
 
-[14-small-app-data-aes-sha1-multibuffer-server]
+[14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[14-small-app-data-aes-sha1-multibuffer-client]
-CipherString = AES128-SHA
-MaxProtocol = TLSv1.2
+[14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-14]
-ApplicationData = 4096
-MaxFragmentSize = 4096
+ApplicationData = 8196
+MaxFragmentSize = 2048
+client = 14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client-extra
+
+[14-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client-extra]
+MaxFragmentLenExt = 4096
 
 
 # ===========================================================
 
-[15-small-app-data-aes-sha2-multibuffer]
-ssl_conf = 15-small-app-data-aes-sha2-multibuffer-ssl
+[15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024]
+ssl_conf = 15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-ssl
 
-[15-small-app-data-aes-sha2-multibuffer-ssl]
-server = 15-small-app-data-aes-sha2-multibuffer-server
-client = 15-small-app-data-aes-sha2-multibuffer-client
+[15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-ssl]
+server = 15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-server
+client = 15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client
 
-[15-small-app-data-aes-sha2-multibuffer-server]
+[15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[15-small-app-data-aes-sha2-multibuffer-client]
-CipherString = AES128-SHA256
-MaxProtocol = TLSv1.2
+[15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client]
+CipherString = DEFAULT
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-15]
-ApplicationData = 4096
-MaxFragmentSize = 4096
+ApplicationData = 3072
+MaxFragmentSize = 1024
+client = 15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client-extra
+
+[15-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client-extra]
+MaxFragmentLenExt = 2048
 
 
 # ===========================================================
 
-[16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled]
-ssl_conf = 16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-ssl
+[16-large-app-data-aes-sha1-multibuffer]
+ssl_conf = 16-large-app-data-aes-sha1-multibuffer-ssl
 
-[16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-ssl]
-server = 16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-server
-client = 16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client
+[16-large-app-data-aes-sha1-multibuffer-ssl]
+server = 16-large-app-data-aes-sha1-multibuffer-server
+client = 16-large-app-data-aes-sha1-multibuffer-client
 
-[16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-server]
+[16-large-app-data-aes-sha1-multibuffer-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client]
-CipherString = DEFAULT
+[16-large-app-data-aes-sha1-multibuffer-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-16]
-ApplicationData = 3072
-MaxFragmentSize = 16384
-client = 16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client-extra
-
-[16-Maximum Fragment Len extension set to 1024 w. FragmentSize disabled-client-extra]
-MaxFragmentLenExt = 1024
+ApplicationData = 1048576
+MaxFragmentSize = 4096
 
 
 # ===========================================================
 
-[17-Maximum Fragment Len extension equal FragmentSize to 2048]
-ssl_conf = 17-Maximum Fragment Len extension equal FragmentSize to 2048-ssl
+[17-large-app-data-aes-sha2-multibuffer]
+ssl_conf = 17-large-app-data-aes-sha2-multibuffer-ssl
 
-[17-Maximum Fragment Len extension equal FragmentSize to 2048-ssl]
-server = 17-Maximum Fragment Len extension equal FragmentSize to 2048-server
-client = 17-Maximum Fragment Len extension equal FragmentSize to 2048-client
+[17-large-app-data-aes-sha2-multibuffer-ssl]
+server = 17-large-app-data-aes-sha2-multibuffer-server
+client = 17-large-app-data-aes-sha2-multibuffer-client
 
-[17-Maximum Fragment Len extension equal FragmentSize to 2048-server]
+[17-large-app-data-aes-sha2-multibuffer-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[17-Maximum Fragment Len extension equal FragmentSize to 2048-client]
-CipherString = DEFAULT
+[17-large-app-data-aes-sha2-multibuffer-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-17]
-ApplicationData = 3072
-MaxFragmentSize = 2048
-client = 17-Maximum Fragment Len extension equal FragmentSize to 2048-client-extra
-
-[17-Maximum Fragment Len extension equal FragmentSize to 2048-client-extra]
-MaxFragmentLenExt = 2048
+ApplicationData = 1048576
+MaxFragmentSize = 4096
 
 
 # ===========================================================
 
-[18-Maximum Fragment Len extension 512 lower than FragmentSize 1024]
-ssl_conf = 18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-ssl
+[18-large-app-data-aes-sha1-multibuffer-odd-fragment]
+ssl_conf = 18-large-app-data-aes-sha1-multibuffer-odd-fragment-ssl
 
-[18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-ssl]
-server = 18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-server
-client = 18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client
+[18-large-app-data-aes-sha1-multibuffer-odd-fragment-ssl]
+server = 18-large-app-data-aes-sha1-multibuffer-odd-fragment-server
+client = 18-large-app-data-aes-sha1-multibuffer-odd-fragment-client
 
-[18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-server]
+[18-large-app-data-aes-sha1-multibuffer-odd-fragment-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client]
-CipherString = DEFAULT
+[18-large-app-data-aes-sha1-multibuffer-odd-fragment-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-18]
-ApplicationData = 3072
-MaxFragmentSize = 1024
-client = 18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client-extra
-
-[18-Maximum Fragment Len extension 512 lower than FragmentSize 1024-client-extra]
-MaxFragmentLenExt = 512
+ApplicationData = 1048579
+MaxFragmentSize = 5115
 
 
 # ===========================================================
 
-[19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024]
-ssl_conf = 19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-ssl
+[19-large-app-data-aes-sha2-multibuffer-odd-fragment]
+ssl_conf = 19-large-app-data-aes-sha2-multibuffer-odd-fragment-ssl
 
-[19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-ssl]
-server = 19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-server
-client = 19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client
+[19-large-app-data-aes-sha2-multibuffer-odd-fragment-ssl]
+server = 19-large-app-data-aes-sha2-multibuffer-odd-fragment-server
+client = 19-large-app-data-aes-sha2-multibuffer-odd-fragment-client
 
-[19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-server]
+[19-large-app-data-aes-sha2-multibuffer-odd-fragment-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client]
-CipherString = DEFAULT
+[19-large-app-data-aes-sha2-multibuffer-odd-fragment-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-19]
-ApplicationData = 3072
-MaxFragmentSize = 1024
-client = 19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client-extra
-
-[19-Maximum Fragment Len extension 1024 lower than FragmentSize 1024-client-extra]
-MaxFragmentLenExt = 2048
+ApplicationData = 1048573
+MaxFragmentSize = 5125
 
 
 # ===========================================================
 
-[20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048]
-ssl_conf = 20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-ssl
+[20-small-app-data-aes-sha1-multibuffer]
+ssl_conf = 20-small-app-data-aes-sha1-multibuffer-ssl
 
-[20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-ssl]
-server = 20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-server
-client = 20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client
+[20-small-app-data-aes-sha1-multibuffer-ssl]
+server = 20-small-app-data-aes-sha1-multibuffer-server
+client = 20-small-app-data-aes-sha1-multibuffer-client
 
-[20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-server]
+[20-small-app-data-aes-sha1-multibuffer-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client]
-CipherString = DEFAULT
+[20-small-app-data-aes-sha1-multibuffer-client]
+CipherString = AES128-SHA
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-20]
-ApplicationData = 8196
-MaxFragmentSize = 2048
-client = 20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client-extra
-
-[20-Maximum Fragment Len extension 4096 greater than FragmentSize 2048-client-extra]
-MaxFragmentLenExt = 4096
+ApplicationData = 4096
+MaxFragmentSize = 4096
 
 
 # ===========================================================
 
-[21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024]
-ssl_conf = 21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-ssl
+[21-small-app-data-aes-sha2-multibuffer]
+ssl_conf = 21-small-app-data-aes-sha2-multibuffer-ssl
 
-[21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-ssl]
-server = 21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-server
-client = 21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client
+[21-small-app-data-aes-sha2-multibuffer-ssl]
+server = 21-small-app-data-aes-sha2-multibuffer-server
+client = 21-small-app-data-aes-sha2-multibuffer-client
 
-[21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-server]
+[21-small-app-data-aes-sha2-multibuffer-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
 CipherString = DEFAULT
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
-[21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client]
-CipherString = DEFAULT
+[21-small-app-data-aes-sha2-multibuffer-client]
+CipherString = AES128-SHA256
+MaxProtocol = TLSv1.2
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-21]
-ApplicationData = 3072
-MaxFragmentSize = 1024
-client = 21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client-extra
-
-[21-Maximum Fragment Len extension 2048 greater than FragmentSize 1024-client-extra]
-MaxFragmentLenExt = 2048
+ApplicationData = 4096
+MaxFragmentSize = 4096
 
 
diff --git a/test/ssl-tests/13-fragmentation.cnf.in b/test/ssl-tests/13-fragmentation.cnf.in
index 5e3b0c6633d..b9e9f41c033 100644
--- a/test/ssl-tests/13-fragmentation.cnf.in
+++ b/test/ssl-tests/13-fragmentation.cnf.in
@@ -14,6 +14,7 @@ use warnings;
 
 package ssltests;
 
+our $fips_3_4;
 
 our @tests = (
     # Default fragment size is 512.
@@ -101,6 +102,91 @@ our @tests = (
             MaxFragmentSize => 5 * 1024 - 5,
         }
     },
+    ############################################
+    # Default (Max) Fragment Size is 512.
+    # Default Application data size is 256.
+    {
+        name => "Maximum Fragment Len extension set to 1024 w. FragmentSize disabled",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 1024,
+            },
+        },
+        test => {
+            ApplicationData => 3072,
+            MaxFragmentSize => 16384,
+        }
+    },
+    {
+        name => "Maximum Fragment Len extension equal FragmentSize to 2048",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 2048,
+            },
+        },
+        test => {
+            ApplicationData => 3072,
+            MaxFragmentSize => 2048,
+        }
+    },
+    {
+        name => "Maximum Fragment Len extension 512 lower than FragmentSize 1024",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 512,
+            },
+        },
+        test => {
+            ApplicationData => 3072,
+            MaxFragmentSize => 1024,
+        }
+    },
+    {
+        name => "Maximum Fragment Len extension 1024 lower than FragmentSize 1024",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 2048,
+            },
+        },
+        test => {
+            ApplicationData => 3072,
+            MaxFragmentSize => 1024,
+        }
+    },
+    {
+        name => "Maximum Fragment Len extension 4096 greater than FragmentSize 2048",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 4096,
+            },
+        },
+        test => {
+            ApplicationData => 8196,
+            MaxFragmentSize => 2048,
+        }
+    },
+    {
+        name => "Maximum Fragment Len extension 2048 greater than FragmentSize 1024",
+        server => { },
+        client => {
+            extra => {
+                MaxFragmentLenExt => 2048,
+            },
+        },
+        test => {
+            ApplicationData => 3072,
+            MaxFragmentSize => 1024,
+        }
+    },
+);
+
+# Tests using RSA key exchange
+my @tests_rsa = (
     # When the buffer / fragment size ratio is sufficiently large,
     # multi-buffer code kicks in on some platforms for AES-SHA.  The
     # exact minimum ratio depends on the platform, and is usually
@@ -183,86 +269,8 @@ our @tests = (
             ApplicationData => 4 * 1024,
             MaxFragmentSize => 4 * 1024,
         }
-    },
-    ############################################
-    # Default (Max) Fragment Size is 512.
-    # Default Application data size is 256.
-    {
-        name => "Maximum Fragment Len extension set to 1024 w. FragmentSize disabled",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 1024,
-            },
-        },
-        test => {
-            ApplicationData => 3072,
-            MaxFragmentSize => 16384,
-        }
-    },
-    {
-        name => "Maximum Fragment Len extension equal FragmentSize to 2048",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 2048,
-            },
-        },
-        test => {
-            ApplicationData => 3072,
-            MaxFragmentSize => 2048,
-        }
-    },
-    {
-        name => "Maximum Fragment Len extension 512 lower than FragmentSize 1024",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 512,
-            },
-        },
-        test => {
-            ApplicationData => 3072,
-            MaxFragmentSize => 1024,
-        }
-    },
-    {
-        name => "Maximum Fragment Len extension 1024 lower than FragmentSize 1024",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 2048,
-            },
-        },
-        test => {
-            ApplicationData => 3072,
-            MaxFragmentSize => 1024,
-        }
-    },
-    {
-        name => "Maximum Fragment Len extension 4096 greater than FragmentSize 2048",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 4096,
-            },
-        },
-        test => {
-            ApplicationData => 8196,
-            MaxFragmentSize => 2048,
-        }
-    },
-    {
-        name => "Maximum Fragment Len extension 2048 greater than FragmentSize 1024",
-        server => { },
-        client => {
-            extra => {
-                MaxFragmentLenExt => 2048,
-            },
-        },
-        test => {
-            ApplicationData => 3072,
-            MaxFragmentSize => 1024,
-        }
-    },
+    }
 );
+
+push @tests, @tests_rsa
+    unless $fips_3_4;
diff --git a/test/ssl-tests/14-curves.cnf.in b/test/ssl-tests/14-curves.cnf.in
index e6c048e8dda..f8eb7572ad6 100644
--- a/test/ssl-tests/14-curves.cnf.in
+++ b/test/ssl-tests/14-curves.cnf.in
@@ -11,6 +11,7 @@ use OpenSSL::Test;
 use OpenSSL::Test::Utils qw(anydisabled);
 
 our $fips_mode;
+our $fips_3_4;
 
 my @curves = ("prime256v1", "secp384r1", "secp521r1");
 
@@ -27,9 +28,11 @@ my @curves_tls_1_3_no_fips = ("brainpoolP256r1tls13", "brainpoolP384r1tls13",
 push @curves_tls_1_3, @curves_tls_1_3_no_fips if !$fips_mode;
 push @curves, @curves_tls_1_3;
 
-my @curves_tls_1_2 = ("sect233k1", "sect233r1",
+my @curves_tls_1_2 = ();
+
+@curves_tls_1_2 = ("sect233k1", "sect233r1",
               "sect283k1", "sect283r1", "sect409k1", "sect409r1",
-              "sect571k1", "sect571r1", "secp224r1");
+              "sect571k1", "sect571r1", "secp224r1") unless $fips_3_4;
 
 my @curves_non_fips = ("sect163k1", "sect163r2", "prime192v1",
                        "sect163r1", "sect193r1", "sect193r2", "sect239k1",
@@ -140,7 +143,8 @@ sub generate_tests() {
             },
         };
     }
-    foreach (0..$#curves_tls_1_3) {
+    if (!$fips_3_4) {
+      foreach (0..$#curves_tls_1_3) {
         my $curve = $curves_tls_1_3[$_];
         push @tests, {
             name => "curve-${curve}-tls13-in-tls12",
@@ -162,24 +166,25 @@ sub generate_tests() {
             },
         };
         push @tests, {
-            name => "curve-${curve}-tls13-in-tls12-2",
-            server => {
-                "Curves" => $curve,
-                "CipherString" => 'DEFAULT@SECLEVEL=1',
-                "MaxProtocol" => "TLSv1.2"
-            },
-            client => {
-                "CipherString" => 'DEFAULT@SECLEVEL=1',
-                "MaxProtocol" => "TLSv1.3",
-                "Curves" => $curve
-            },
-            test   => {
-                #These curves are only suitable for TLSv1.3. We expect TLSv1.2
-                #negotiation to succeed because we fall back to some other
-                #ciphersuite
-                "ExpectedResult" => "Success"
-            },
-        };
+                name => "curve-${curve}-tls13-in-tls12-2",
+                server => {
+                    "Curves" => $curve,
+                    "CipherString" => 'DEFAULT@SECLEVEL=1',
+                    "MaxProtocol" => "TLSv1.2"
+                },
+                client => {
+                    "CipherString" => 'DEFAULT@SECLEVEL=1',
+                    "MaxProtocol" => "TLSv1.3",
+                    "Curves" => $curve
+                },
+                test   => {
+                    #These curves are only suitable for TLSv1.3. We expect TLSv1.2
+                    #negotiation to succeed because we fall back to some other
+                    #ciphersuite
+                    "ExpectedResult" => "Success"
+                  },
+            };
+        }
     }
 }
 
diff --git a/test/ssl-tests/17-renegotiate.cnf.in b/test/ssl-tests/17-renegotiate.cnf.in
index 73f967ff646..353967311c2 100644
--- a/test/ssl-tests/17-renegotiate.cnf.in
+++ b/test/ssl-tests/17-renegotiate.cnf.in
@@ -15,6 +15,8 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
+our $fips_3_4;
+
 our @tests = (
     {
         name => "renegotiate-client-no-resume",
@@ -126,7 +128,7 @@ our @tests = (
         }
     },
 );
-our @tests_tls1_2 = (
+our @tests_tls1_2_rsa = (
     {
         name => "renegotiate-aead-to-non-aead",
         server => {
@@ -202,7 +204,10 @@ our @tests_tls1_2 = (
             "ResumptionExpected" => "No",
             "ExpectedResult" => "Success"
         }
-    },
+    }
+);
+
+our @tests_tls1_2 = (
     {
         name => "no-renegotiation-server-by-client",
         server => {
@@ -313,4 +318,5 @@ our @tests_tls1_2 = (
     }
 );
 
+push @tests, @tests_tls1_2_rsa unless disabled("tls1_2") or $fips_3_4;
 push @tests, @tests_tls1_2 unless disabled("tls1_2");
diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
index 954c5fe582f..e924bf27028 100644
--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
@@ -16,6 +16,7 @@ package ssltests;
 use OpenSSL::Test::Utils;
 
 our $fips_mode;
+our $fips_3_4;
 
 our @tests = ();
 
@@ -132,7 +133,7 @@ foreach my $sctp ("No", "Yes")
     );
     push @tests, @tests_basic;
 
-    next if disabled("dtls1_2");
+    next if disabled("dtls1_2") || $fips_3_4;
     our @tests_dtls1_2 = (
         {
             name => "renegotiate-aead-to-non-aead".$suffix,
diff --git a/test/ssl-tests/19-mac-then-encrypt.cnf.in b/test/ssl-tests/19-mac-then-encrypt.cnf.in
index 074b1d1380a..5d7f8a9ec2e 100644
--- a/test/ssl-tests/19-mac-then-encrypt.cnf.in
+++ b/test/ssl-tests/19-mac-then-encrypt.cnf.in
@@ -14,6 +14,10 @@ package ssltests;
 use OpenSSL::Test::Utils;
 
 our $fips_mode;
+our $fips_3_4;
+
+# Nothing to test with newer fips providers
+return if $fips_3_4;
 
 our @tests = (
     {
diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
index 7e565615784..bcb54293658 100644
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@@ -10,6 +10,8 @@ package ssltests;
 use OpenSSL::Test::Utils;
 
 our $fips_mode;
+our $fips_3_4;
+our $fips_3_5;
 our $no_deflt_libctx;
 
 my $server = {
@@ -252,7 +254,7 @@ our @tests = (
         },
         test   => {
             "ExpectedServerCertType" =>, "RSA",
-            "ExpectedResult" => "Success"
+            "ExpectedResult" => $fips_3_4 ? "ClientFail" : "Success"
         },
     },
     {
@@ -991,7 +993,7 @@ my @tests_dsa_tls_1_3 = (
 );
 
 if (!disabled("dsa")) {
-    push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
+    push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_3_4;
     push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
 }
 
@@ -1018,6 +1020,6 @@ my @tests_mldsa_tls_1_3 = (
     },
 );
 
-if (!disabled("ml-dsa")) {
+if (!disabled("ml-dsa") && (!$fips_mode || $fips_3_5)) {
     push @tests, @tests_mldsa_tls_1_3 unless disabled("tls1_3");
 }
diff --git a/test/ssl-tests/ssltests_base.pm b/test/ssl-tests/ssltests_base.pm
index 995ec98bd20..40fb7e4a16c 100644
--- a/test/ssl-tests/ssltests_base.pm
+++ b/test/ssl-tests/ssltests_base.pm
@@ -19,6 +19,8 @@ sub test_pem
 
 our $fips_mode = 0;
 our $no_deflt_libctx = 0;
+our $fips_3_4 = 0;
+our $fips_3_5 = 0;
 
 our %base_server = (
     "Certificate" => test_pem("servercert.pem"),