2 files changed, 28 insertions, 13 deletions

diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t
index 543038cab9..3c135630f7 100644
--- a/test/recipes/20-test_pkeyutl.t
+++ b/test/recipes/20-test_pkeyutl.t
@@ -24,14 +24,21 @@ SKIP: {
     skip "Skipping tests that require EC, SM2 or SM3", 2
         if disabled("ec") || disabled("sm2") || disabled("sm3");
 
+    # TODO(3.0) Remove this when we have a SM2 keymgmt and decoder
+    my @tmp_sm2_hack = qw(-engine loader_attic)
+        unless disabled('dynamic-engine') || disabled('deprecated-3.0');
+    skip "Skipping tests that require dynamic enginess (temporary meaasure)", 2
+        unless @tmp_sm2_hack;
+
     # SM2
-    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-sign',
+    ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack, '-sign',
                       '-in', srctop_file('test', 'certs', 'sm2.pem'),
                       '-inkey', srctop_file('test', 'certs', 'sm2.key'),
                       '-out', 'sm2.sig', '-rawin',
                       '-digest', 'sm3', '-pkeyopt', 'distid:someid']))),
                       "Sign a piece of data using SM2");
-    ok_nofips(run(app(([ 'openssl', 'pkeyutl', '-verify', '-certin',
+    ok_nofips(run(app(([ 'openssl', 'pkeyutl', @tmp_sm2_hack,
+                      '-verify', '-certin',
                       '-in', srctop_file('test', 'certs', 'sm2.pem'),
                       '-inkey', srctop_file('test', 'certs', 'sm2.pem'),
                       '-sigfile', 'sm2.sig', '-rawin',
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 8d26be2bf0..544d32963c 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -29,6 +29,14 @@ if (disabled("rsa")) {
     note("There should not be more that at most 80 per line");
 }
 
+# TODO(3.0) This should be removed as soon as missing support is added
+# Identified problems:
+# - SM2 lacks provider-native keymgmt and decoder
+# - ED25519, ED448, X25519 and X448 signature implementations do not
+#   respond to the "algorithm-id" parameter request.
+my @tmp_loader_hack = qw(-engine loader_attic)
+    unless disabled('dynamic-engine') || disabled('deprecated-3.0');
+
 # Check for duplicate -addext parameters, and one "working" case.
 my @addext_args = ( "openssl", "req", "-new", "-out", "testreq.pem",
     "-config", srctop_file("test", "test.cnf"), @req_new );
@@ -135,15 +143,15 @@ subtest "generating certificate requests with Ed25519" => sub {
 
     SKIP: {
         skip "Ed25519 is not supported by this OpenSSL build", 2
-            if disabled("ec");
+            if disabled("ec") || !@tmp_loader_hack;
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-out", "testreq-ed25519.pem", "-utf8",
                     "-key", srctop_file("test", "tested25519.pem")])),
            "Generating request");
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-ed25519.pem", "-noout"])),
            "Verifying signature on request");
@@ -155,15 +163,15 @@ subtest "generating certificate requests with Ed448" => sub {
 
     SKIP: {
         skip "Ed448 is not supported by this OpenSSL build", 2
-            if disabled("ec");
+            if disabled("ec") || !@tmp_loader_hack;
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-out", "testreq-ed448.pem", "-utf8",
                     "-key", srctop_file("test", "tested448.pem")])),
            "Generating request");
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-ed448.pem", "-noout"])),
            "Verifying signature on request");
@@ -187,28 +195,28 @@ subtest "generating SM2 certificate requests" => sub {
 
     SKIP: {
         skip "SM2 is not supported by this OpenSSL build", 4
-        if disabled("sm2");
-        ok(run(app(["openssl", "req",
+        if disabled("sm2") || !@tmp_loader_hack;
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
                     "-sigopt", "distid:1234567812345678",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request");
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-sm2.pem", "-noout",
                     "-vfyopt", "distid:1234567812345678", "-sm3"])),
            "Verifying signature on SM2 certificate request");
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
                     "-sigopt", "hexdistid:DEADBEEF",
                     "-out", "testreq-sm2.pem", "-sm3"])),
            "Generating SM2 certificate request with hex id");
 
-        ok(run(app(["openssl", "req",
+        ok(run(app(["openssl", "req", @tmp_loader_hack,
                     "-config", srctop_file("test", "test.cnf"),
                     "-verify", "-in", "testreq-sm2.pem", "-noout",
                     "-vfyopt", "hexdistid:DEADBEEF", "-sm3"])),