Make test_ssl_new execute tests with fips provider again

This has regressed with
#24799

The test configs have to be generated differently based
on the fips provider version.

Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Neil Horman <[email protected]>
(Merged from #26715)

Author: t8m

test/generate_ssl_tests.pl

@@ -15,7 +15,7 @@
 use File::Basename;
 use File::Spec::Functions;
 
-use OpenSSL::Test qw/srctop_dir srctop_file/;
+use OpenSSL::Test qw/srctop_dir srctop_file run test/;
 use OpenSSL::Test::Utils;
 
 use FindBin;
@@ -136,10 +136,26 @@ sub print_templates {
 sub read_config {
     my $fname = shift;
     my $provider = shift;
-    local $ssltests::fips_mode = $provider eq "fips";
+
+    my $fips_mode = $provider eq "fips";
+    local $ssltests::fips_3_4 = 0;
+    local $ssltests::fips_3_5 = 0;
+
+    if ($fips_mode) {
+        my $provconf = srctop_file("test", "fips-and-base.cnf");
+        my $exit;
+
+        run(test(["fips_version_test", "-config", $provconf, ">=3.4.0"]),
+                 capture => 1, statusvar => \$exit);
+        $ssltests::fips_3_4 = $exit;
+        run(test(["fips_version_test", "-config", $provconf, ">=3.5.0"]),
+                 capture => 1, statusvar => \$exit);
+        $ssltests::fips_3_5 = $exit;
+    }
+
+    local $ssltests::fips_mode = $fips_mode;
     local $ssltests::no_deflt_libctx =
         $provider eq "default" || $provider eq "fips";
-
     open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
     local $/ = undef;
     my $content = <INPUT>;

test/recipes/80-test_ssl_new.t

@@ -28,7 +28,6 @@ use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-my $dsaallow = '1';
 
 $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
 
@@ -49,12 +48,6 @@ map { s/;.*// } @conf_srcs if $^O eq "VMS";
 my @conf_files = map { basename($_, ".in") } @conf_srcs;
 map { s/\^// } @conf_files if $^O eq "VMS";
 
-unless ($no_fips) {
-    my $provconf = srctop_file("test", "fips-and-base.cnf");
-    run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
-              capture => 1, statusvar => \$dsaallow);
-}
-
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
 my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
@@ -184,7 +177,6 @@ sub test_conf {
       # Test 3. Run the test.
       skip "No tests available; skipping tests", 1 if $skip;
       skip "Stale sources; skipping tests", 1 if !$run_test;
-      skip "Dsa not allowed in FIPS 140-3 provider", 1 if ($provider eq "fips") && ($dsaallow eq '0');
 
       my $msg = "running CTLOG_FILE=test/ct/log_list.cnf". # $ENV{CTLOG_FILE}.
           " TEST_CERTS_DIR=test/certs". # $ENV{TEST_CERTS_DIR}.