From cf3cd850cdb5fc23d932fe5981406efec351b528 Mon Sep 17 00:00:00 2001
From: slontis
Date: Mon, 17 Nov 2025 14:37:00 +1100
Subject: [PATCH] Fix CI Provider compatibility test breakage
Fixes #29142
In https://github.com/openssl/openssl/pull/28349 I forgot to tag to run 'extended tests', and the additional RSA keygen acvp test did not check for backwards compatability when testing against older FIPS providers.
Reviewed-by: Paul Dale
Reviewed-by: Paul Yang
(Merged from https://github.com/openssl/openssl/pull/29157)
---
 test/acvp_test.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/test/acvp_test.c b/test/acvp_test.c
index 7d46b7c1789..710c777906a 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1310,6 +1310,16 @@ static int rsa_keygen_test(int id)
 OSSL_PARAM *params = NULL;
 const struct rsa_keygen_st *tst = &rsa_keygen_data[id];
+ /*
+ * RSA key generation parameters "a" and "b" were added in OpenSSL 4.0,
+ * So skip the test if the FIPS provider is older.
+ */
+ if ((tst->a > 0 || tst->b > 0)
+ && fips_provider_version_lt(libctx, 4, 0, 0)) {
+ TEST_note("ACVP rsa_keygen_test %d test skipped", id);
+ return 1;
+ }
+
 if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
 || !TEST_ptr(xp1_bn = BN_bin2bn(tst->xp1, (int)tst->xp1_len, NULL))
 || !TEST_ptr(xp2_bn = BN_bin2bn(tst->xp2, (int)tst->xp2_len, NULL))
--
2.47.3
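Review bot: The new skip branch ends in `return 1;`, so against a FIPS provider older than 4.0 the RSA keygen ACVP vectors that set `a` or `b` are counted as passed, and the only trace is the `TEST_note` line. For a conformance test that hides a coverage gap. I would return the harness skip status instead, e.g. `return TEST_skip("ACVP rsa_keygen_test %d: FIPS provider < 4.0 lacks keygen params a/b", id);`, provided the test driver honours the skip code for iterated tests (please confirm). The comment could also say what "a" and "b" are, and `4.0, So skip` should read `4.0, so skip`. The body of rsa_keygen_test continues past the end of the hunk, and `libctx` is declared outside it.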