Commit cf3cd850cd for openssl.org

commit cf3cd850cdb5fc23d932fe5981406efec351b528
Author: slontis <shane.lontis@oracle.com>
Date:   Mon Nov 17 14:37:00 2025 +1100

    Fix CI Provider compatibility test breakage

    Fixes #29142

    In https://github.com/openssl/openssl/pull/28349 I forgot to tag
    to run 'extended tests', and the additional RSA keygen acvp test
    did not check for backwards compatibility when testing against
    older FIPS providers.

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/29157)

diff --git a/test/acvp_test.c b/test/acvp_test.c
index 7d46b7c178..710c777906 100644
--- a/test/acvp_test.c
+++ b/test/acvp_test.c
@@ -1310,6 +1310,16 @@ static int rsa_keygen_test(int id)
     OSSL_PARAM *params = NULL;
     const struct rsa_keygen_st *tst = &rsa_keygen_data[id];

+    /*
+     * RSA key generation parameters "a" and "b" were added in OpenSSL 4.0,
+     * So skip the test if the FIPS provider is older.
+     */
+    if ((tst->a > 0 || tst->b > 0)
+            && fips_provider_version_lt(libctx, 4, 0, 0)) {
+        TEST_note("ACVP rsa_keygen_test %d test skipped", id);
+        return 1;
+    }
+
     if (!TEST_ptr(bld = OSSL_PARAM_BLD_new())
         || !TEST_ptr(xp1_bn = BN_bin2bn(tst->xp1, (int)tst->xp1_len, NULL))
         || !TEST_ptr(xp2_bn = BN_bin2bn(tst->xp2, (int)tst->xp2_len, NULL))
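Review bot: The new skip branch ends in `return 1;`, which reports the vector as passed, so a run against an older FIPS provider looks like full ACVP RSA keygen coverage even though the vectors with `a` or `b` set were never exercised. If testutil's skip result is usable for this test, `return TEST_skip("rsa_keygen_test %d: a/b need FIPS provider >= 4.0", id);` would keep that coverage gap visible in the CI summary. Failing that, the `TEST_note` text should at least state the reason (provider older than 4.0) rather than only "test skipped". The added comment also has a stray capital after the comma (`4.0, So skip`). The rest of `rsa_keygen_test` and the definition of `libctx` lie outside the hunk, so whether other tests that pass these parameters need the same guard cannot be judged from here.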