Add TLS1.3 ciphersuites from RFC8998
authorMilan Broz <gmazyland@gmail.com>
Sun, 15 Feb 2026 17:29:57 +0000 (18:29 +0100)
committerNeil Horman <nhorman@openssl.org>
Thu, 19 Feb 2026 15:11:05 +0000 (10:11 -0500)
This adds TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3
as defined in RFC 8998.

Fixes openssl/project#1871

Signed-off-by: Milan Broz <gmazyland@gmail.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Feb 19 15:11:15 2026
(Merged from https://github.com/openssl/openssl/pull/30028)

doc/man3/SSL_CTX_set_cipher_list.pod
include/openssl/tls1.h
ssl/s3_lib.c
ssl/ssl_ciph.c
ssl/ssl_local.h
ssl/t1_trce.c
test/ciphername_test.c

index 1df33ba11daf389d3372c51efcc2415886addc4a..ccf0c0b934149c66e0bb6d1869031ffcfe7ba1e7 100644 (file)
@@ -50,6 +50,10 @@ ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
 
 =item TLS_AES_128_CCM_8_SHA256
 
+=item TLS_SM4_GCM_SM3
+
+=item TLS_SM4_CCM_SM3
+
 =item TLS_SHA384_SHA384 - integrity-only
 
 =item TLS_SHA256_SHA256 - integrity-only
index 7dfd8c1be4b78277b58508c0e282dcd671dec4f7..08b08e93a587d3009e286ab879b32d6c8cb3b01a 100644 (file)
@@ -661,6 +661,10 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb(SSL_CTX *ctx, int (*fp)(SSL *, unsigned
 #define TLS1_CK_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0x0300C06E
 #define TLS1_CK_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0x0300C06F
 
+/* SM ciphersuites from RFC8998 */
+#define TLS1_3_CK_SM4_GCM_SM3 0x030000C6
+#define TLS1_3_CK_SM4_CCM_SM3 0x030000C7
+
 /* a bundle of RFC standard cipher names, generated from ssl3_ciphers[] */
 #define TLS1_RFC_RSA_WITH_AES_128_SHA "TLS_RSA_WITH_AES_128_CBC_SHA"
 #define TLS1_RFC_DHE_DSS_WITH_AES_128_SHA "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
@@ -853,6 +857,8 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb(SSL_CTX *ctx, int (*fp)(SSL *, unsigned
 #define TLS1_RFC_DHE_PSK_WITH_ARIA_256_GCM_SHA384 "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384"
 #define TLS1_RFC_RSA_PSK_WITH_ARIA_128_GCM_SHA256 "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256"
 #define TLS1_RFC_RSA_PSK_WITH_ARIA_256_GCM_SHA384 "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384"
+#define TLS1_3_RFC_SM4_GCM_SM3 "TLS_SM4_GCM_SM3"
+#define TLS1_3_RFC_SM4_CCM_SM3 "TLS_SM4_CCM_SM3"
 
 /*
  * XXX Backward compatibility alert: Older versions of OpenSSL gave some DHE
index 2990e4014d733c4fb1a4a0cb78806632a5485ddd..09836c34d9c1cbf0c1db639d8c87db154d03032d 100644 (file)
@@ -166,6 +166,42 @@ static SSL_CIPHER tls13_ciphers[] = {
         384,
     },
 #endif
+    {
+        1,
+        TLS1_3_RFC_SM4_GCM_SM3,
+        TLS1_3_RFC_SM4_GCM_SM3,
+        TLS1_3_CK_SM4_GCM_SM3,
+        SSL_kANY,
+        SSL_aANY,
+        SSL_SM4GCM,
+        SSL_AEAD,
+        TLS1_3_VERSION,
+        TLS1_3_VERSION,
+        0,
+        0,
+        SSL_NOT_DEFAULT | SSL_HIGH,
+        SSL_HANDSHAKE_MAC_SM3,
+        128,
+        128,
+    },
+    {
+        1,
+        TLS1_3_RFC_SM4_CCM_SM3,
+        TLS1_3_RFC_SM4_CCM_SM3,
+        TLS1_3_CK_SM4_CCM_SM3,
+        SSL_kANY,
+        SSL_aANY,
+        SSL_SM4CCM,
+        SSL_AEAD,
+        TLS1_3_VERSION,
+        TLS1_3_VERSION,
+        0,
+        0,
+        SSL_NOT_DEFAULT | SSL_HIGH,
+        SSL_HANDSHAKE_MAC_SM3,
+        128,
+        128,
+    },
 };
 
 /*
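Review bot: The two SM4 entries are compiled into tls13_ciphers[] unconditionally, while the `#endif` just above them shows that the preceding entry sits behind a build-time guard. On a build configured without SM3 or SM4, rejecting these suites would then depend on runtime algorithm-availability checks that this hunk does not show. Wrapping both entries in `#if !defined(OPENSSL_NO_SM3) && !defined(OPENSSL_NO_SM4)` and `#endif` would keep the names out of such builds entirely. A one-line comment above the entries saying that `SSL_NOT_DEFAULT` means they must be enabled explicitly would also help readers. The array definition begins outside the hunk.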
index 95e787300a3d2ef9d669fc0e4818aeeda0e50887..a9c7c5f7fc58b65f380366c6d87c90db2ec1bf50 100644 (file)
@@ -59,8 +59,10 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
     { SSL_CHACHA20POLY1305, NID_chacha20_poly1305 }, /* SSL_ENC_CHACHA_IDX 19 */
     { SSL_ARIA128GCM, NID_aria_128_gcm }, /* SSL_ENC_ARIA128GCM_IDX 20 */
     { SSL_ARIA256GCM, NID_aria_256_gcm }, /* SSL_ENC_ARIA256GCM_IDX 21 */
-    { SSL_MAGMA, NID_magma_ctr_acpkm }, /* SSL_ENC_MAGMA_IDX */
-    { SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm }, /* SSL_ENC_KUZNYECHIK_IDX */
+    { SSL_MAGMA, NID_magma_ctr_acpkm }, /* SSL_ENC_MAGMA_IDX 22 */
+    { SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm }, /* SSL_ENC_KUZNYECHIK_IDX 23 */
+    { SSL_SM4GCM, NID_sm4_gcm }, /* SSL_ENC_SM4GCM_IDX 24 */
+    { SSL_SM4CCM, NID_sm4_ccm }, /* SSL_ENC_SM4CCM_IDX 25 */
 };
 
 /* NB: make sure indices in this table matches values above */
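Review bot: Row position in ssl_cipher_table_cipher[] is tied to the SSL_ENC_*_IDX values only by the trailing comments, which this change renumbers by hand (22 to 25 here, and 12 to 14 in ssl_cipher_table_mac[] in the next hunk). A row added out of order could associate a cipher bit with the wrong NID without any compiler diagnostic. If the project's C dialect permits, designated initialisers such as `[SSL_ENC_SM4GCM_IDX] = { SSL_SM4GCM, NID_sm4_gcm },` would make the compiler enforce what the `NB:` comment asks for. The table starts outside the hunk.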
@@ -77,8 +79,9 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
     { 0, NID_md5_sha1 }, /* SSL_MD_MD5_SHA1_IDX 9 */
     { 0, NID_sha224 }, /* SSL_MD_SHA224_IDX 10 */
     { 0, NID_sha512 }, /* SSL_MD_SHA512_IDX 11 */
-    { SSL_MAGMAOMAC, NID_magma_mac }, /* sSL_MD_MAGMAOMAC_IDX */
-    { SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac } /* SSL_MD_KUZNYECHIKOMAC_IDX */
+    { SSL_MAGMAOMAC, NID_magma_mac }, /* sSL_MD_MAGMAOMAC_IDX 12 */
+    { SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac }, /* SSL_MD_KUZNYECHIKOMAC_IDX 13 */
+    { 0, NID_sm3 }, /* SSL_MD_SM3_IDX 14 */
 };
 
 /* *INDENT-OFF* */
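Review bot: The rewritten MAGMA row keeps the `sSL_MD_MAGMAOMAC_IDX` typo in its comment; since the line is being touched anyway, it should read `/* SSL_MD_MAGMAOMAC_IDX 12 */`. The new SM3 row uses mask `0`, like the SHA224 and SHA512 rows above it, so the digest has no MAC bit of its own. As far as this commit shows, it is reached only through `SSL_HANDSHAKE_MAC_SM3`, and a short comment on the row saying so would make that intent explicit.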
@@ -1787,6 +1790,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_CHACHA20POLY1305:
         enc = "CHACHA20/POLY1305(256)";
         break;
+    case SSL_SM4GCM:
+        enc = "SM4GCM";
+        break;
+    case SSL_SM4CCM:
+        enc = "SM4CCM";
+        break;
     default:
         enc = "unknown";
         break;
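Review bot: The new `enc` strings omit the key size that the neighbouring case carries (`"CHACHA20/POLY1305(256)"`), so the description string for these suites would be formatted differently from the others. `enc = "SM4GCM(128)";` and `enc = "SM4CCM(128)";` would match, given the 128-bit strength recorded for both suites in tls13_ciphers[]. Anything that parses this output to audit configured cipher strength would otherwise need a special case. The switch and the rest of SSL_CIPHER_description lie outside the hunk.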
index 0f6402b2b7da91429869f5e232a1d900ab1a0bc1..b36cbee4877ff3b619c65e48a619579a85d9539a 100644 (file)
 #define SSL_ARIA256GCM 0x00200000U
 #define SSL_MAGMA 0x00400000U
 #define SSL_KUZNYECHIK 0x00800000U
+#define SSL_SM4GCM 0x01000000U
+#define SSL_SM4CCM 0x02000000U
 
 #define SSL_AESGCM (SSL_AES128GCM | SSL_AES256GCM)
 #define SSL_AESCCM (SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8)
 #define SSL_MD_SHA512_IDX 11
 #define SSL_MD_MAGMAOMAC_IDX 12
 #define SSL_MD_KUZNYECHIKOMAC_IDX 13
-#define SSL_MAX_DIGEST 14
+#define SSL_MD_SM3_IDX 14
+#define SSL_MAX_DIGEST 15
 
 #define SSL_MD_NUM_IDX SSL_MAX_DIGEST
 
 #define SSL_HANDSHAKE_MAC_GOST94 SSL_MD_GOST94_IDX
 #define SSL_HANDSHAKE_MAC_GOST12_256 SSL_MD_GOST12_256_IDX
 #define SSL_HANDSHAKE_MAC_GOST12_512 SSL_MD_GOST12_512_IDX
+#define SSL_HANDSHAKE_MAC_SM3 SSL_MD_SM3_IDX
 #define SSL_HANDSHAKE_MAC_DEFAULT SSL_HANDSHAKE_MAC_MD5_SHA1
 
 /* Bits 8-15 bits are PRF */
 #define SSL_ENC_ARIA256GCM_IDX 21
 #define SSL_ENC_MAGMA_IDX 22
 #define SSL_ENC_KUZNYECHIK_IDX 23
-#define SSL_ENC_NUM_IDX 24
+#define SSL_ENC_SM4GCM_IDX 24
+#define SSL_ENC_SM4CCM_IDX 25
+#define SSL_ENC_NUM_IDX 26
 
 /*-
  * SSL_kRSA <- RSA_ENC
index c86c21f36200397171ed95023269a82cbaf0fa36..514cce8886977f45bcc2b0392732271172e4f1a4 100644 (file)
@@ -253,6 +253,8 @@ static const ssl_trace_tbl ssl_ciphers_tbl[] = {
     { 0x00C3, TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 },
     { 0x00C4, TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 },
     { 0x00C5, TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256 },
+    { 0x00C6, TLS1_3_RFC_SM4_GCM_SM3 },
+    { 0x00C7, TLS1_3_RFC_SM4_CCM_SM3 },
     { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
     { 0x5600, "TLS_FALLBACK_SCSV" },
     { 0xC001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
index cc29846990844e65ee5226a2b24e4293ed308847..67cfd5bbf429792956252df3b7c8a96642a46601 100644 (file)
@@ -172,6 +172,8 @@ static CIPHER_ID_NAME cipher_names[] = {
     { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
     { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
     { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
+    { 0x00C6, "TLS_SM4_GCM_SM3" },
+    { 0x00C7, "TLS_SM4_CCM_SM3" },
     { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
     { 0x5600, "TLS_FALLBACK_SCSV" },
     { 0xC001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
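Review bot: The only test change in the file list shown for this commit is these two name-table rows, which check the id-to-name mapping but not that either suite can actually be negotiated. A handshake test that restricts the TLS 1.3 ciphersuite list to `TLS_SM4_GCM_SM3`, then to `TLS_SM4_CCM_SM3`, and completes a connection each time would cover the new tls13_ciphers[] entries and the SM3 handshake-digest wiring. It would also pin the expected behaviour when the algorithms are unavailable. cipher_names[] starts outside the hunk.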