author Jack Lloyd <[email protected]> 2017-09-10 12:12:47 -0400
committer Jack Lloyd <[email protected]> 2017-09-10 12:12:47 -0400
commit 903e92b8e7995d0fee605ce2e5d203f1cacae5d3 (patch)
tree 10bf9889f805938c67a43d94bc1f9d6c18939692 /news.rst
parent 12e567da157057938505eb0cb0a0876644ae5380 (diff)
Change SM2 encryption to match updated standard.
Unfortunately it seems the SM2 format changed between 2010 and 2012, now the ciphertext is C1 || C3 || C2. Unfortunate no matter how you slice it, but at least it's easy to convert from one form to another.
Diffstat (limited to 'news.rst')
-rw-r--r-- news.rst 4
1 files changed, 4 insertions, 0 deletions
diff --git a/news.rst b/news.rst
index 8cafaaeaf..5bc4c13f4 100644
--- a/news.rst
+++ b/news.rst
@@ -22,6 +22,10 @@ Version 2.3.0, Not Yet Released
* SM2 encryption and signature schemes were previously hardcoded to use SM3
hash, now any hash is allowed. (GH #1188)
+* SM2 encryption in 2.2 followed an obsolete version of the standard. The
+ format of the ciphertext changed with GM/T 0003:2012. The only difference is
+ in the ordering of the embedded MAC vs the masked input.
+
* XTS mode now supports 256-bit and 512-bit block ciphers.
* Add ids to allow SHA-3 signatures with PKCSv1.5 (GH #1184)
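Review bot: The added SM2 entry under Version 2.3.0 says the ciphertext format changed but does not tell someone upgrading from 2.2 what that means for data they already hold. The commit message gives the new layout as C1 || C3 || C2, while the entry only mentions "the ordering of the embedded MAC vs the masked input" without naming the fields or saying which comes first now. Consider stating the new order in those terms and saying explicitly whether ciphertexts produced by 2.2 can still be decrypted by 2.3 or must be reordered first, since the commit message notes the conversion is easy. The neighbouring entries carry a GH reference; if this change has one, add it here too.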