[openssl] master update

Matt Caswell matt at openssl.org
Fri Sep 25 10:14:00 UTC 2020


The branch master has been updated
       via  a48309cb5c58be8fa310608124925d4729664cf8 (commit)
       via  bfb56a974d93908b5d6ede39655ece442ff7a755 (commit)
       via  989684227b669b5deb52ca05aa99f798fe0852e3 (commit)
       via  fb2a6954fbfde3890deb572014f6d135808bf43b (commit)
       via  ce64d3eee06a64e78ea5be7e8f0dd7172aa78259 (commit)
      from  7a032be7f293bd80e3fe18c5568cf382b0b79543 (commit)


- Log -----------------------------------------------------------------
commit a48309cb5c58be8fa310608124925d4729664cf8
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Sep 18 12:10:21 2020 +0100

    Document the provider side SM2 Asymmetric Cipher support
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/12913)

commit bfb56a974d93908b5d6ede39655ece442ff7a755
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Sep 18 11:57:24 2020 +0100

    Extend the SM2 asym cipher test
    
    Ensure we test getting and setting ctx params
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/12913)

commit 989684227b669b5deb52ca05aa99f798fe0852e3
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Sep 18 11:06:34 2020 +0100

    Remove some dead SM2 code
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/12913)

commit fb2a6954fbfde3890deb572014f6d135808bf43b
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Sep 18 10:41:58 2020 +0100

    Clean up some SM2 related TODOs in the tests
    
    Now that we have full SM2 support, we can remove some TODOs from the tests.
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/12913)

commit ce64d3eee06a64e78ea5be7e8f0dd7172aa78259
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Sep 18 09:55:16 2020 +0100

    Move SM2 asymmetric encryption to be available in the default provider
    
    Fixes #12908
    
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/12913)

-----------------------------------------------------------------------

Summary of changes:
 crypto/evp/pmeth_lib.c                             |   3 -
 crypto/sm2/build.info                              |   2 +-
 crypto/sm2/sm2_pmeth.c                             | 393 ---------------------
 doc/man7/EVP_ASYM_CIPHER-SM2.pod                   |  41 +++
 doc/man7/{SM2.pod => EVP_PKEY-SM2.pod}             |   5 +-
 doc/man7/OSSL_PROVIDER-default.pod                 |   2 +
 doc/man7/provider-asym_cipher.pod                  |   9 +
 include/crypto/evp.h                               |   1 -
 include/openssl/core_names.h                       |   3 +
 providers/common/include/prov/provider_util.h      |   8 +
 providers/common/provider_util.c                   |  12 +-
 providers/defltprov.c                              |   3 +
 providers/implementations/asymciphers/build.info   |   5 +
 providers/implementations/asymciphers/sm2_enc.c    | 225 ++++++++++++
 .../implementations/include/prov/implementations.h |   3 +
 test/evp_extra_test.c                              |  75 ++--
 test/recipes/20-test_pkeyutl.t                     |  10 +-
 test/recipes/25-test_req.t                         |  18 +-
 18 files changed, 370 insertions(+), 448 deletions(-)
 delete mode 100644 crypto/sm2/sm2_pmeth.c
 create mode 100644 doc/man7/EVP_ASYM_CIPHER-SM2.pod
 rename doc/man7/{SM2.pod => EVP_PKEY-SM2.pod} (94%)
 create mode 100644 providers/implementations/asymciphers/sm2_enc.c

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 26193cd644..656a0e065a 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -75,9 +75,6 @@ static pmeth_fn standard_methods[] = {
     ed25519_pkey_method,
     ed448_pkey_method,
 # endif
-# ifndef OPENSSL_NO_SM2
-    sm2_pkey_method,
-# endif
 };
 
 DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
diff --git a/crypto/sm2/build.info b/crypto/sm2/build.info
index be76d96d31..402a76cc5d 100644
--- a/crypto/sm2/build.info
+++ b/crypto/sm2/build.info
@@ -1,5 +1,5 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
-        sm2_sign.c sm2_crypt.c sm2_err.c sm2_pmeth.c
+        sm2_sign.c sm2_crypt.c sm2_err.c
 
 
diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
deleted file mode 100644
index 32713a5ac4..0000000000
--- a/crypto/sm2/sm2_pmeth.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-#include "internal/cryptlib.h"
-#include <openssl/asn1t.h>
-#include <openssl/ec.h>
-#include <openssl/evp.h>
-#include "crypto/evp.h"
-#include "crypto/sm2.h"
-#include "crypto/sm2err.h"
-#include "crypto/ec.h"
-
-/* EC pkey context structure */
-
-typedef struct {
-    /* message digest */
-    const EVP_MD *md;
-    /* Distinguishing Identifier, ISO/IEC 15946-3, FIPS 196 */
-    uint8_t *id;
-    size_t id_len;
-    /* id_set indicates if the 'id' field is set (1) or not (0) */
-    int id_set;
-} SM2_PKEY_CTX;
-
-static int pkey_sm2_init(EVP_PKEY_CTX *ctx)
-{
-    SM2_PKEY_CTX *smctx;
-
-    if ((smctx = OPENSSL_zalloc(sizeof(*smctx))) == NULL) {
-        SM2err(SM2_F_PKEY_SM2_INIT, ERR_R_MALLOC_FAILURE);
-        return 0;
-    }
-
-    ctx->data = smctx;
-    return 1;
-}
-
-static void pkey_sm2_cleanup(EVP_PKEY_CTX *ctx)
-{
-    SM2_PKEY_CTX *smctx = ctx->data;
-
-    if (smctx != NULL) {
-        OPENSSL_free(smctx->id);
-        OPENSSL_free(smctx);
-        ctx->data = NULL;
-    }
-}
-
-static int pkey_sm2_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
-{
-    SM2_PKEY_CTX *dctx, *sctx;
-
-    if (!pkey_sm2_init(dst))
-        return 0;
-    sctx = src->data;
-    dctx = dst->data;
-    if (sctx->id != NULL) {
-        dctx->id = OPENSSL_malloc(sctx->id_len);
-        if (dctx->id == NULL) {
-            SM2err(SM2_F_PKEY_SM2_COPY, ERR_R_MALLOC_FAILURE);
-            pkey_sm2_cleanup(dst);
-            return 0;
-        }
-        memcpy(dctx->id, sctx->id, sctx->id_len);
-    }
-    dctx->id_len = sctx->id_len;
-    dctx->id_set = sctx->id_set;
-    dctx->md = sctx->md;
-
-    return 1;
-}
-
-static int pkey_sm2_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
-                         const unsigned char *tbs, size_t tbslen)
-{
-    int ret;
-    unsigned int sltmp;
-    EC_KEY *ec = ctx->pkey->pkey.ec;
-    const int sig_sz = ECDSA_size(ctx->pkey->pkey.ec);
-
-    if (sig_sz <= 0) {
-        return 0;
-    }
-
-    if (sig == NULL) {
-        *siglen = (size_t)sig_sz;
-        return 1;
-    }
-
-    if (*siglen < (size_t)sig_sz) {
-        SM2err(SM2_F_PKEY_SM2_SIGN, SM2_R_BUFFER_TOO_SMALL);
-        return 0;
-    }
-
-    ret = sm2_internal_sign(tbs, tbslen, sig, &sltmp, ec);
-
-    if (ret <= 0)
-        return ret;
-    *siglen = (size_t)sltmp;
-    return 1;
-}
-
-static int pkey_sm2_verify(EVP_PKEY_CTX *ctx,
-                           const unsigned char *sig, size_t siglen,
-                           const unsigned char *tbs, size_t tbslen)
-{
-    EC_KEY *ec = ctx->pkey->pkey.ec;
-
-    return sm2_internal_verify(tbs, tbslen, sig, siglen, ec);
-}
-
-static int pkey_sm2_encrypt(EVP_PKEY_CTX *ctx,
-                            unsigned char *out, size_t *outlen,
-                            const unsigned char *in, size_t inlen)
-{
-    int ret;
-    EC_KEY *ec = ctx->pkey->pkey.ec;
-    SM2_PKEY_CTX *dctx = ctx->data;
-    const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
-    OPENSSL_CTX *libctx = ec_key_get_libctx(ec);
-    const char *propq = ec_key_get0_propq(ec);
-    EVP_MD *fetched_md = NULL;
-
-    if (out == NULL) {
-        if (!sm2_ciphertext_size(ec, md, inlen, outlen))
-            return -1;
-        else
-            return 1;
-    }
-
-    fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq);
-    if (fetched_md == NULL)
-        return 0;
-    ret = sm2_encrypt(ec, fetched_md, in, inlen, out, outlen);
-    EVP_MD_free(fetched_md);
-    return ret;
-}
-
-static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
-                            unsigned char *out, size_t *outlen,
-                            const unsigned char *in, size_t inlen)
-{
-    int ret;
-    EC_KEY *ec = ctx->pkey->pkey.ec;
-    SM2_PKEY_CTX *dctx = ctx->data;
-    const EVP_MD *md = (dctx->md == NULL) ? EVP_sm3() : dctx->md;
-    OPENSSL_CTX *libctx = ec_key_get_libctx(ec);
-    const char *propq = ec_key_get0_propq(ec);
-    EVP_MD *fetched_md = NULL;
-
-    if (out == NULL) {
-        if (!sm2_plaintext_size(ec, md, inlen, outlen))
-            return -1;
-        else
-            return 1;
-    }
-
-    fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq);
-    if (fetched_md == NULL)
-        return 0;
-    ret = sm2_decrypt(ec, fetched_md, in, inlen, out, outlen);
-    EVP_MD_free(fetched_md);
-    return ret;
-}
-
-static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-    SM2_PKEY_CTX *smctx = ctx->data;
-    uint8_t *tmp_id;
-
-    switch (type) {
-    case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID:
-        /*
-         * This control could be removed, which would signal it being
-         * unsupported.  However, that means that when the caller uses
-         * the correct curve, it may interpret the unsupported signal
-         * as an error, so it's better to accept the control, check the
-         * value and return a corresponding value.
-         */
-        if (p1 != NID_sm2) {
-            SM2err(SM2_F_PKEY_SM2_CTRL, SM2_R_INVALID_CURVE);
-            return 0;
-        }
-        return 1;
-
-    case EVP_PKEY_CTRL_MD:
-        smctx->md = p2;
-        return 1;
-
-    case EVP_PKEY_CTRL_GET_MD:
-        *(const EVP_MD **)p2 = smctx->md;
-        return 1;
-
-    case EVP_PKEY_CTRL_SET1_ID:
-        if (p1 > 0) {
-            tmp_id = OPENSSL_malloc(p1);
-            if (tmp_id == NULL) {
-                SM2err(SM2_F_PKEY_SM2_CTRL, ERR_R_MALLOC_FAILURE);
-                return 0;
-            }
-            memcpy(tmp_id, p2, p1);
-            OPENSSL_free(smctx->id);
-            smctx->id = tmp_id;
-        } else {
-            /* set null-ID */
-            OPENSSL_free(smctx->id);
-            smctx->id = NULL;
-        }
-        smctx->id_len = (size_t)p1;
-        smctx->id_set = 1;
-        return 1;
-
-    case EVP_PKEY_CTRL_GET1_ID:
-        memcpy(p2, smctx->id, smctx->id_len);
-        return 1;
-
-    case EVP_PKEY_CTRL_GET1_ID_LEN:
-        *(size_t *)p2 = smctx->id_len;
-        return 1;
-
-    case EVP_PKEY_CTRL_DIGESTINIT:
-        /* nothing to be inited, this is to suppress the error... */
-        return 1;
-
-    default:
-        return -2;
-    }
-}
-
-static int pkey_sm2_ctrl_str(EVP_PKEY_CTX *ctx,
-                             const char *type, const char *value)
-{
-    uint8_t *hex_id;
-    long hex_len = 0;
-    int ret = 0;
-
-    if (strcmp(type, "ec_paramgen_curve") == 0) {
-        int nid = NID_undef;
-
-        if (((nid = EC_curve_nist2nid(value)) == NID_undef)
-            && ((nid = OBJ_sn2nid(value)) == NID_undef)
-            && ((nid = OBJ_ln2nid(value)) == NID_undef)) {
-            SM2err(SM2_F_PKEY_SM2_CTRL_STR, SM2_R_INVALID_CURVE);
-            return 0;
-        }
-        return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid);
-    } else if (strcmp(type, "ec_param_enc") == 0) {
-        int param_enc;
-
-        if (strcmp(value, "explicit") == 0)
-            param_enc = 0;
-        else if (strcmp(value, "named_curve") == 0)
-            param_enc = OPENSSL_EC_NAMED_CURVE;
-        else
-            return -2;
-        return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc);
-    } else if (strcmp(type, "distid") == 0) {
-        return pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID,
-                             (int)strlen(value), (void *)value);
-    } else if (strcmp(type, "hexdistid") == 0) {
-        hex_id = OPENSSL_hexstr2buf((const char *)value, &hex_len);
-        if (hex_id == NULL) {
-            SM2err(SM2_F_PKEY_SM2_CTRL_STR, ERR_R_PASSED_INVALID_ARGUMENT);
-            return 0;
-        }
-        ret = pkey_sm2_ctrl(ctx, EVP_PKEY_CTRL_SET1_ID, (int)hex_len,
-                            (void *)hex_id);
-        OPENSSL_free(hex_id);
-        return ret;
-    }
-
-    return -2;
-}
-
-static int pkey_sm2_digest_custom(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
-{
-    uint8_t z[EVP_MAX_MD_SIZE];
-    SM2_PKEY_CTX *smctx = ctx->data;
-    EC_KEY *ec = ctx->pkey->pkey.ec;
-    const EVP_MD *md = EVP_MD_CTX_md(mctx);
-    int mdlen = EVP_MD_size(md);
-
-    if (!smctx->id_set) {
-        /*
-         * An ID value must be set. The specifications are not clear whether a
-         * NULL is allowed. We only allow it if set explicitly for maximum
-         * flexibility.
-         */
-        SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_ID_NOT_SET);
-        return 0;
-    }
-
-    if (mdlen < 0) {
-        SM2err(SM2_F_PKEY_SM2_DIGEST_CUSTOM, SM2_R_INVALID_DIGEST);
-        return 0;
-    }
-
-    /* get hashed prefix 'z' of tbs message */
-    if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, ec))
-        return 0;
-
-    return EVP_DigestUpdate(mctx, z, (size_t)mdlen);
-}
-
-static int pkey_sm2_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    EC_KEY *ec = NULL;
-    int ret;
-
-    ec = EC_KEY_new_by_curve_name(NID_sm2);
-    if (ec == NULL)
-        return 0;
-    if (!ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))
-        EC_KEY_free(ec);
-    return ret;
-}
-
-static int pkey_sm2_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    EC_KEY *ec = NULL;
-
-    ec = EC_KEY_new_by_curve_name(NID_sm2);
-    if (ec == NULL)
-        return 0;
-    if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) {
-        EC_KEY_free(ec);
-        return 0;
-    }
-    /* Note: if error is returned, we count on caller to free pkey->pkey.ec */
-    if (ctx->pkey != NULL
-        && !EVP_PKEY_copy_parameters(pkey, ctx->pkey))
-        return 0;
-
-    return EC_KEY_generate_key(ec);
-}
-
-static const EVP_PKEY_METHOD sm2_pkey_meth = {
-    EVP_PKEY_SM2,
-    0,
-    pkey_sm2_init,
-    pkey_sm2_copy,
-    pkey_sm2_cleanup,
-
-    0,
-    pkey_sm2_paramgen,
-
-    0,
-    pkey_sm2_keygen,
-
-    0,
-    pkey_sm2_sign,
-
-    0,
-    pkey_sm2_verify,
-
-    0, 0,
-
-    0, 0, 0, 0,
-
-    0,
-    pkey_sm2_encrypt,
-
-    0,
-    pkey_sm2_decrypt,
-
-    0,
-    0,
-    pkey_sm2_ctrl,
-    pkey_sm2_ctrl_str,
-
-    0, 0,
-
-    0, 0, 0,
-
-    pkey_sm2_digest_custom
-};
-
-const EVP_PKEY_METHOD *sm2_pkey_method(void)
-{
-    return &sm2_pkey_meth;
-}
diff --git a/doc/man7/EVP_ASYM_CIPHER-SM2.pod b/doc/man7/EVP_ASYM_CIPHER-SM2.pod
new file mode 100644
index 0000000000..27f0032b78
--- /dev/null
+++ b/doc/man7/EVP_ASYM_CIPHER-SM2.pod
@@ -0,0 +1,41 @@
+=pod
+
+=head1 NAME
+
+EVP_ASYM_CIPHER-SM2
+- SM2 Asymmetric Cipher algorithm support
+
+=head1 DESCRIPTION
+
+Asymmetric Cipher support for the B<SM2> key type.
+
+=head2 SM2 Asymmetric Cipher parameters
+
+=over 4
+
+=item "digest" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST>) <UTF8 string>
+
+=item "digest-props" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS>) <UTF8 string>
+
+See L<provider-asym_cipher(7)/Asymmetric Cipher Parameters>.
+
+=back
+
+=head1 SEE ALSO
+
+L<EVP_PKEY-SM2(7)>,
+L<EVP_PKEY(3)>,
+L<provider-asym_cipher(7)>,
+L<provider-keymgmt(7)>,
+L<OSSL_PROVIDER-default(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man7/SM2.pod b/doc/man7/EVP_PKEY-SM2.pod
similarity index 94%
rename from doc/man7/SM2.pod
rename to doc/man7/EVP_PKEY-SM2.pod
index de52d05329..bb6258c873 100644
--- a/doc/man7/SM2.pod
+++ b/doc/man7/EVP_PKEY-SM2.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-SM2 - Chinese SM2 signature and encryption algorithm support
+EVP_PKEY-SM2, EVP_KEYMGMT-SM2, SM2
+- EVP_PKEY keytype support for the Chinese SM2 signature and encryption algorithms
 
 =head1 DESCRIPTION
 
@@ -33,7 +34,7 @@ that B<EVP_PKEY_CTX> should be assigned to the B<EVP_MD_CTX>, like this:
 There is normally no need to pass a B<pctx> parameter to EVP_DigestSignInit()
 or EVP_DigestVerifyInit() in such a scenario.
 
-SM2 can be tested with the L<openssl-speed(1)> application since version 3.0.0.
+SM2 can be tested with the L<openssl-speed(1)> application since version 3.0.
 Currently, the only valid algorithm name is B<sm2>.
 
 =head1 EXAMPLES
diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod
index 848c887b29..da6185c4d3 100644
--- a/doc/man7/OSSL_PROVIDER-default.pod
+++ b/doc/man7/OSSL_PROVIDER-default.pod
@@ -180,6 +180,8 @@ The OpenSSL default provider supports these operations and algorithms:
 
 =item RSA, see L<EVP_ASYM_CIPHER-RSA(7)>
 
+=item SM2, see L<EVP_ASYM_CIPHER-SM2(7)>
+
 =back
 
 =head2 Asymmetric Key Encapsulation
diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
index 5531a08f37..ca3e12fa85 100644
--- a/doc/man7/provider-asym_cipher.pod
+++ b/doc/man7/provider-asym_cipher.pod
@@ -193,10 +193,19 @@ further details.
 Gets or sets the name of the OAEP digest algorithm used when OAEP padding is in
 use.
 
+=item "digest" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST>) <UTF8 string>
+
+Gets or sets the name of the digest algorithm used by the algorithm (where
+applicable).
+
 =item "digest-props" (B<OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS>) <UTF8 string>
 
 Gets or sets the properties to use when fetching the OAEP digest algorithm.
 
+=item "digest-props" (B<OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS>) <UTF8 string>
+
+Gets or sets the properties to use when fetching the cipher digest algorithm.
+
 =item "mgf1-digest" (B<OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST>) <UTF8 string>
 
 Gets or sets the name of the MGF1 digest algorithm used when OAEP or PSS padding
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index 7016606757..835224a7aa 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -156,7 +156,6 @@ const EVP_PKEY_METHOD *dh_pkey_method(void);
 const EVP_PKEY_METHOD *dhx_pkey_method(void);
 const EVP_PKEY_METHOD *dsa_pkey_method(void);
 const EVP_PKEY_METHOD *ec_pkey_method(void);
-const EVP_PKEY_METHOD *sm2_pkey_method(void);
 const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
 const EVP_PKEY_METHOD *ecx448_pkey_method(void);
 const EVP_PKEY_METHOD *ed25519_pkey_method(void);
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index a8d4d51533..c9f2bfab5e 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -432,6 +432,9 @@ extern "C" {
 #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE        OSSL_PKEY_PARAM_DIGEST_SIZE
 
 /* Asym cipher parameters */
+#define OSSL_ASYM_CIPHER_PARAM_DIGEST                   OSSL_PKEY_PARAM_DIGEST
+#define OSSL_ASYM_CIPHER_PARAM_PROPERTIES               OSSL_PKEY_PARAM_PROPERTIES
+#define OSSL_ASYM_CIPHER_PARAM_ENGINE                   OSSL_PKEY_PARAM_ENGINE
 #define OSSL_ASYM_CIPHER_PARAM_PAD_MODE                 OSSL_PKEY_PARAM_PAD_MODE
 #define OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST              \
     OSSL_PKEY_PARAM_MGF1_DIGEST
diff --git a/providers/common/include/prov/provider_util.h b/providers/common/include/prov/provider_util.h
index d964f832ad..83f6d63ed7 100644
--- a/providers/common/include/prov/provider_util.h
+++ b/providers/common/include/prov/provider_util.h
@@ -58,6 +58,14 @@ const EVP_CIPHER *ossl_prov_cipher_cipher(const PROV_CIPHER *pc);
 ENGINE *ossl_prov_cipher_engine(const PROV_CIPHER *pc);
 
 /* Digest functions */
+
+/*
+ * Fetch a digest from the specified libctx using the provided mdname and
+ * propquery. Store the result in the PROV_DIGEST and return the fetched md.
+ */
+const EVP_MD *ossl_prov_digest_fetch(PROV_DIGEST *pd, OPENSSL_CTX *libctx,
+                                     const char *mdname, const char *propquery);
+
 /*
  * Load a digest from the specified parameters with the specified context.
  * The params "properties", "engine" and "digest" are used to determine the
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 4259d7167a..2e9fe8d5da 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -124,6 +124,15 @@ int ossl_prov_digest_copy(PROV_DIGEST *dst, const PROV_DIGEST *src)
     return 1;
 }
 
+const EVP_MD *ossl_prov_digest_fetch(PROV_DIGEST *pd, OPENSSL_CTX *libctx,
+                           const char *mdname, const char *propquery)
+{
+    EVP_MD_free(pd->alloc_md);
+    pd->md = pd->alloc_md = EVP_MD_fetch(libctx, mdname, propquery);
+
+    return pd->md;
+}
+
 int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
                                       const OSSL_PARAM params[],
                                       OPENSSL_CTX *ctx)
@@ -141,9 +150,8 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
     if (p->data_type != OSSL_PARAM_UTF8_STRING)
         return 0;
 
-    EVP_MD_free(pd->alloc_md);
     ERR_set_mark();
-    pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery);
+    ossl_prov_digest_fetch(pd, ctx, p->data, propquery);
     /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODULE /* Inside the FIPS module, we don't support legacy digests */
     if (pd->md == NULL)
diff --git a/providers/defltprov.c b/providers/defltprov.c
index 8564ddd5ca..dee48fb255 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -381,6 +381,9 @@ static const OSSL_ALGORITHM deflt_signature[] = {
 
 static const OSSL_ALGORITHM deflt_asym_cipher[] = {
     { "RSA:rsaEncryption", "provider=default", rsa_asym_cipher_functions },
+#ifndef OPENSSL_NO_SM2
+    { "SM2", "provider=default", sm2_asym_cipher_functions },
+#endif
     { NULL, NULL, NULL }
 };
 
diff --git a/providers/implementations/asymciphers/build.info b/providers/implementations/asymciphers/build.info
index b4033d8a7d..4b629d04ee 100644
--- a/providers/implementations/asymciphers/build.info
+++ b/providers/implementations/asymciphers/build.info
@@ -2,5 +2,10 @@
 # switch each to the Legacy provider when needed.
 
 $RSA_GOAL=../../libimplementations.a
+$SM2_GOAL=../../libimplementations.a
 
 SOURCE[$RSA_GOAL]=rsa_enc.c
+
+IF[{- !$disabled{"sm2"} -}]
+  SOURCE[$SM2_GOAL]=sm2_enc.c
+ENDIF
diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c
new file mode 100644
index 0000000000..4f2f64bb1a
--- /dev/null
+++ b/providers/implementations/asymciphers/sm2_enc.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#include <openssl/err.h>
+#include <crypto/sm2.h>
+#include "prov/providercommonerr.h"
+#include "prov/provider_ctx.h"
+#include "prov/implementations.h"
+#include "prov/provider_util.h"
+
+static OSSL_FUNC_asym_cipher_newctx_fn sm2_newctx;
+static OSSL_FUNC_asym_cipher_encrypt_init_fn sm2_init;
+static OSSL_FUNC_asym_cipher_encrypt_fn sm2_asym_encrypt;
+static OSSL_FUNC_asym_cipher_decrypt_init_fn sm2_init;
+static OSSL_FUNC_asym_cipher_decrypt_fn sm2_asym_decrypt;
+static OSSL_FUNC_asym_cipher_freectx_fn sm2_freectx;
+static OSSL_FUNC_asym_cipher_dupctx_fn sm2_dupctx;
+static OSSL_FUNC_asym_cipher_get_ctx_params_fn sm2_get_ctx_params;
+static OSSL_FUNC_asym_cipher_gettable_ctx_params_fn sm2_gettable_ctx_params;
+static OSSL_FUNC_asym_cipher_set_ctx_params_fn sm2_set_ctx_params;
+static OSSL_FUNC_asym_cipher_settable_ctx_params_fn sm2_settable_ctx_params;
+
+/*
+ * What's passed as an actual key is defined by the KEYMGMT interface.
+ * We happen to know that our KEYMGMT simply passes EC_KEY structures, so
+ * we use that here too.
+ */
+
+typedef struct {
+    OPENSSL_CTX *libctx;
+    EC_KEY *key;
+    PROV_DIGEST md;
+} PROV_SM2_CTX;
+
+static void *sm2_newctx(void *provctx)
+{
+    PROV_SM2_CTX *psm2ctx =  OPENSSL_zalloc(sizeof(PROV_SM2_CTX));
+
+    if (psm2ctx == NULL)
+        return NULL;
+    psm2ctx->libctx = PROV_LIBRARY_CONTEXT_OF(provctx);
+
+    return psm2ctx;
+}
+
+static int sm2_init(void *vpsm2ctx, void *vkey)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx == NULL || vkey == NULL || !EC_KEY_up_ref(vkey))
+        return 0;
+    EC_KEY_free(psm2ctx->key);
+    psm2ctx->key = vkey;
+
+    return 1;
+}
+
+static const EVP_MD *sm2_get_md(PROV_SM2_CTX *psm2ctx)
+{
+    const EVP_MD *md = ossl_prov_digest_md(&psm2ctx->md);
+
+    if (md == NULL)
+        md = ossl_prov_digest_fetch(&psm2ctx->md, psm2ctx->libctx, "SM3", NULL);
+
+    return md;
+}
+
+static int sm2_asym_encrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen,
+                            size_t outsize, const unsigned char *in,
+                            size_t inlen)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    const EVP_MD *md = sm2_get_md(psm2ctx);
+
+    if (md == NULL)
+        return 0;
+
+    if (out == NULL) {
+        if (!sm2_ciphertext_size(psm2ctx->key, md, inlen, outlen)) {
+            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY);
+            return 0;
+        }
+        return 1;
+    }
+
+    return sm2_encrypt(psm2ctx->key, md, in, inlen, out, outlen);
+}
+
+static int sm2_asym_decrypt(void *vpsm2ctx, unsigned char *out, size_t *outlen,
+                            size_t outsize, const unsigned char *in,
+                            size_t inlen)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    const EVP_MD *md = sm2_get_md(psm2ctx);
+
+    if (md == NULL)
+        return 0;
+
+    if (out == NULL) {
+        if (!sm2_plaintext_size(psm2ctx->key, md, inlen, outlen))
+            return 0;
+        return 1;
+    }
+
+    return sm2_decrypt(psm2ctx->key, md, in, inlen, out, outlen);
+}
+
+static void sm2_freectx(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    EC_KEY_free(psm2ctx->key);
+    ossl_prov_digest_reset(&psm2ctx->md);
+
+    OPENSSL_free(psm2ctx);
+}
+
+static void *sm2_dupctx(void *vpsm2ctx)
+{
+    PROV_SM2_CTX *srcctx = (PROV_SM2_CTX *)vpsm2ctx;
+    PROV_SM2_CTX *dstctx;
+
+    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
+    if (dstctx == NULL)
+        return NULL;
+
+    *dstctx = *srcctx;
+    if (dstctx->key != NULL && !EC_KEY_up_ref(dstctx->key)) {
+        OPENSSL_free(dstctx);
+        return NULL;
+    }
+
+    if (!ossl_prov_digest_copy(&dstctx->md, &srcctx->md)) {
+        sm2_freectx(dstctx);
+        return NULL;
+    }
+
+    return dstctx;
+}
+
+static int sm2_get_ctx_params(void *vpsm2ctx, OSSL_PARAM *params)
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+    OSSL_PARAM *p;
+
+    if (vpsm2ctx == NULL || params == NULL)
+        return 0;
+
+    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_DIGEST);
+    if (p != NULL) {
+        const EVP_MD *md = ossl_prov_digest_md(&psm2ctx->md);
+
+        if (!OSSL_PARAM_set_utf8_string(p, md == NULL ? ""
+                                                      : EVP_MD_name(md)))
+            return 0;
+    }
+
+    return 1;
+}
+
+static const OSSL_PARAM known_gettable_ctx_params[] = {
+    OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *sm2_gettable_ctx_params(ossl_unused void *provctx)
+{
+    return known_gettable_ctx_params;
+}
+
+static int sm2_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[])
+{
+    PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx;
+
+    if (psm2ctx == NULL || params == NULL)
+        return 0;
+
+    if (!ossl_prov_digest_load_from_params(&psm2ctx->md, params,
+                                           psm2ctx->libctx))
+        return 0;
+
+    return 1;
+}
+
+static const OSSL_PARAM known_settable_ctx_params[] = {
+    OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_PROPERTIES, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_ASYM_CIPHER_PARAM_ENGINE, NULL, 0),
+    OSSL_PARAM_END
+};
+
+static const OSSL_PARAM *sm2_settable_ctx_params(ossl_unused void *provctx)
+{
+    return known_settable_ctx_params;
+}
+
+const OSSL_DISPATCH sm2_asym_cipher_functions[] = {
+    { OSSL_FUNC_ASYM_CIPHER_NEWCTX, (void (*)(void))sm2_newctx },
+    { OSSL_FUNC_ASYM_CIPHER_ENCRYPT_INIT, (void (*)(void))sm2_init },
+    { OSSL_FUNC_ASYM_CIPHER_ENCRYPT, (void (*)(void))sm2_asym_encrypt },
+    { OSSL_FUNC_ASYM_CIPHER_DECRYPT_INIT, (void (*)(void))sm2_init },
+    { OSSL_FUNC_ASYM_CIPHER_DECRYPT, (void (*)(void))sm2_asym_decrypt },
+    { OSSL_FUNC_ASYM_CIPHER_FREECTX, (void (*)(void))sm2_freectx },
+    { OSSL_FUNC_ASYM_CIPHER_DUPCTX, (void (*)(void))sm2_dupctx },
+    { OSSL_FUNC_ASYM_CIPHER_GET_CTX_PARAMS,
+      (void (*)(void))sm2_get_ctx_params },
+    { OSSL_FUNC_ASYM_CIPHER_GETTABLE_CTX_PARAMS,
+      (void (*)(void))sm2_gettable_ctx_params },
+    { OSSL_FUNC_ASYM_CIPHER_SET_CTX_PARAMS,
+      (void (*)(void))sm2_set_ctx_params },
+    { OSSL_FUNC_ASYM_CIPHER_SETTABLE_CTX_PARAMS,
+      (void (*)(void))sm2_settable_ctx_params },
+    { 0, NULL }
+};
diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h
index b67b4c7361..dd45523ae9 100644
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -307,6 +307,9 @@ extern const OSSL_DISPATCH sm2_signature_functions[];
 
 /* Asym Cipher */
 extern const OSSL_DISPATCH rsa_asym_cipher_functions[];
+#ifndef OPENSSL_NO_SM2
+extern const OSSL_DISPATCH sm2_asym_cipher_functions[];
+#endif
 
 /* Asym Key encapsulation  */
 extern const OSSL_DISPATCH rsa_asym_kem_functions[];
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index afb9966bfa..1cc4f94941 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -982,7 +982,7 @@ static int test_EVP_SM2(void)
 {
     int ret = 0;
     EVP_PKEY *pkey = NULL;
-    EVP_PKEY *params = NULL;
+    EVP_PKEY *pkeyparams = NULL;
     EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY_CTX *kctx = NULL;
     EVP_PKEY_CTX *sctx = NULL;
@@ -1000,6 +1000,11 @@ static int test_EVP_SM2(void)
 
     uint8_t sm2_id[] = {1, 2, 3, 4, 'l', 'e', 't', 't', 'e', 'r'};
 
+    OSSL_PARAM sparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
+    OSSL_PARAM gparams[2] = {OSSL_PARAM_END, OSSL_PARAM_END};
+    int i;
+    char mdname[20];
+
     pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SM2, NULL);
     if (!TEST_ptr(pctx))
         goto done;
@@ -1011,10 +1016,10 @@ static int test_EVP_SM2(void)
     if (!TEST_true(EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_sm2)))
         goto done;
 
-    if (!TEST_true(EVP_PKEY_paramgen(pctx, &params)))
+    if (!TEST_true(EVP_PKEY_paramgen(pctx, &pkeyparams)))
         goto done;
 
-    kctx = EVP_PKEY_CTX_new(params, NULL);
+    kctx = EVP_PKEY_CTX_new(pkeyparams, NULL);
     if (!TEST_ptr(kctx))
         goto done;
 
@@ -1070,34 +1075,54 @@ static int test_EVP_SM2(void)
         goto done;
 
     /* now check encryption/decryption */
-    /*
-     * SM2 public key encrytion is not moved into default provider yet,
-     * so we make sure the key gets downgraded for the moment being.
-     * TODO Remove this call when provided SM2 encryption is implemented
-     */
-    if (!TEST_ptr(EVP_PKEY_get0(pkey)))
-       goto done;
 
-    if (!TEST_ptr(cctx = EVP_PKEY_CTX_new(pkey, NULL)))
-        goto done;
+    gparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
+                                                  mdname, sizeof(mdname));
+    for (i = 0; i < 2; i++) {
+        EVP_PKEY_CTX_free(cctx);
 
-    if (!TEST_true(EVP_PKEY_encrypt_init(cctx)))
-        goto done;
+        sparams[0] = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_DIGEST,
+                                                      i == 0 ? "SM3" : "SHA2-256",
+                                                      0);
 
-    if (!TEST_true(EVP_PKEY_encrypt(cctx, ciphertext, &ctext_len, kMsg, sizeof(kMsg))))
-        goto done;
+        if (!TEST_ptr(cctx = EVP_PKEY_CTX_new(pkey, NULL)))
+            goto done;
 
-    if (!TEST_true(EVP_PKEY_decrypt_init(cctx)))
-        goto done;
+        if (!TEST_true(EVP_PKEY_encrypt_init(cctx)))
+            goto done;
 
-    if (!TEST_true(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext, ctext_len)))
-        goto done;
+        if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
+            goto done;
 
-    if (!TEST_true(ptext_len == sizeof(kMsg)))
-        goto done;
+        if (!TEST_true(EVP_PKEY_encrypt(cctx, ciphertext, &ctext_len, kMsg,
+                                        sizeof(kMsg))))
+            goto done;
 
-    if (!TEST_true(memcmp(plaintext, kMsg, sizeof(kMsg)) == 0))
-        goto done;
+        if (!TEST_true(EVP_PKEY_decrypt_init(cctx)))
+            goto done;
+
+        if (!TEST_true(EVP_PKEY_CTX_set_params(cctx, sparams)))
+            goto done;
+
+        if (!TEST_true(EVP_PKEY_decrypt(cctx, plaintext, &ptext_len, ciphertext,
+                                        ctext_len)))
+            goto done;
+
+        if (!TEST_true(EVP_PKEY_CTX_get_params(cctx, gparams)))
+            goto done;
+
+        /* Test we're still using the digest we think we are */
+        if (i == 0 && !TEST_int_eq(strcmp(mdname, "SM3"), 0))
+            goto done;
+        if (i == 1 && !TEST_int_eq(strcmp(mdname, "SHA2-256"), 0))
+            goto done;
+
+        if (!TEST_true(ptext_len == sizeof(kMsg)))
+            goto done;
+
+        if (!TEST_true(memcmp(plaintext, kMsg, sizeof(kMsg)) == 0))
+            goto done;
+    }
 
     ret = 1;
 done:
@@ -1106,7 +1131,7 @@ done:
     EVP_PKEY_CTX_free(sctx);
     EVP_PKEY_CTX_free(cctx);
     EVP_PKEY_free(pkey);
-    EVP_PKEY_free(params);
+    EVP_PKEY_free(pkeyparams);
     EVP_MD_CTX_free(md_ctx);
     EVP_MD_CTX_free(md_ctx_verify);
     OPENSSL_free(sig);
diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 3c135630f7..19bc327758 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -24,20 +24,14 @@ SKIP: {
     skip "Skipping tests that require EC, SM2 or SM3", 2
         if disabled("ec") || disabled("sm2") || disabled("sm3");
 
-    # TODO(3.0) Remove this when we have a SM2 keymgmt and decoder
-    my @tmp_sm2_hack = qw(-engine loader_attic)
-        unless disabled('dynamic-engine') || disabled('deprecated-3.0');
-    skip "Skipping tests that require dynamic enginess (temporary meaasure)", 2
-        unless @tmp_sm2_hack;
-
     # SM2
-    ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, '-sign',
+    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
                       '-in', srctop_file('test', 'certs', 'sm2.pem'),
                       '-inkey', srctop_file('test', 'certs', 'sm2.key'),
                       '-out', 'sm2.sig', '-rawin',
                       '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
                       "Sign a piece of data using SM2");
-    ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack,
+    ok_nofips(run(app(([ 'openssl', 'pkeyutl',
                       '-verify', '-certin',
                       '-in', srctop_file('test', 'certs', 'sm2.pem'),
                       '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index b00b8c3404..8d26be2bf0 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -29,14 +29,6 @@ if (disabled("rsa")) {
     note("There should not be more that at most 80 per line");
 }
 
-# TODO(3.0) This should be removed as soon as missing support is added
-# Identified problems:
-# - SM2 lacks provider-native keymgmt and decoder
-# - ED25519, ED448, X25519 and X448 signature implementations do not
-#   respond to the "algorithm-id" parameter request.
-my @tmp_loader_hack = qw(-engine loader_attic)
-    unless disabled('dynamic-engine') || disabled('deprecated-3.0');
-
 # Check for duplicate -addext parameters, and one "working" case.
 my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
     "-config", srctop_file("test", "test.cnf"), @req_new );
@@ -195,28 +187,28 @@ subtest "generating SM2 certificate requests" => sub {
 
     SKIP: {
         skip "SM2 is not supported by this OpenSSL build", 4
-        if disabled("sm2") || !@tmp_loader_hack;
-        ok(run(app(["openssl", "req", @tmp_loader_hack,
+        if disabled("sm2");
+        ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
                     "-sigopt", "distid:1234567812345678",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request");
 
-        ok(run(app(["openssl", "req", @tmp_loader_hack,
+        ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-sm2.pem", "-noout",
                     "-vfyopt", "distid:1234567812345678", "-sm3"])),
            "Verifying signature on SM2 certificate request");
 
-        ok(run(app(["openssl", "req", @tmp_loader_hack,
+        ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
                     "-sigopt", "hexdistid:DEADBEEF",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request with hex id");
 
-        ok(run(app(["openssl", "req", @tmp_loader_hack,
+        ok(run(app(["openssl", "req",
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-sm2.pem", "-noout",
                     "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),


More information about the openssl-commits mailing list