From: Viktor Dukhovni Date: Tue, 10 Feb 2026 15:45:02 +0000 (+1100) Subject: New SM2 "tls-version" signature parameter X-Git-Tag: openssl-4.0.0-alpha1~224 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1409546f57e109ef2f38bb2bfc87c37a7d3afbdb;p=thirdparty%2Fopenssl.git New SM2 "tls-version" signature parameter When the version is TLS 1.3, this sets the SM2 distinguished identifier to the RFC8998 specified value: "TLSv1.3+GM+Cipher+Suite". Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Paul Yang MergeDate: Sat Feb 21 13:25:39 2026 (Merged from https://github.com/openssl/openssl/pull/29953) --- diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c index 96d1c6892aa..4b40a660934 100644 --- a/providers/implementations/signature/sm2_sig.c +++ b/providers/implementations/signature/sm2_sig.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include "internal/nelem.h" #include "internal/sizes.h" @@ -432,6 +433,22 @@ static const OSSL_PARAM *sm2sig_gettable_ctx_params(ossl_unused void *vpsm2ctx, static int sm2sig_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[]) { + /* + * (https://datatracker.ietf.org/doc/html/rfc8998#section-3.2.1) + * + * The SM2 signature algorithm requests an identifier value when generating + * or verifying a signature. In all uses except when a client of a server + * needs to verify a peer's SM2 certificate in the Certificate message, an + * implementation of this document MUST use the following ASCII string + * value as the SM2 identifier when doing a TLS 1.3 key exchange: + * + * TLSv1.3+GM+Cipher+Suite + */ + static const uint8_t sm2_tls_id[] = { + 0x54, 0x4c, 0x53, 0x76, 0x31, 0x2e, 0x33, 0x2b, + 0x47, 0x4d, 0x2b, 0x43, 0x69, 0x70, 0x68, 0x65, + 0x72, 0x2b, 0x53, 0x75, 0x69, 0x74, 0x65 + }; PROV_SM2_CTX *psm2ctx = (PROV_SM2_CTX *)vpsm2ctx; struct sm2sig_set_ctx_params_st p; size_t mdsize; @@ -455,6 +472,17 @@ static int sm2sig_set_ctx_params(void *vpsm2ctx, const OSSL_PARAM params[]) OPENSSL_free(psm2ctx->id); psm2ctx->id = tmp_id; psm2ctx->id_len = tmp_idlen; + } else if (p.tlsver != NULL) { + unsigned int ver = 0; + + if (!psm2ctx->flag_compute_z_digest + || !OSSL_PARAM_get_uint(p.tlsver, &ver)) + return 0; + if (ver == TLS1_3_VERSION) { + OPENSSL_free(psm2ctx->id); + psm2ctx->id_len = sizeof(sm2_tls_id); + psm2ctx->id = OPENSSL_memdup(sm2_tls_id, psm2ctx->id_len); + } } /* diff --git a/providers/implementations/signature/sm2_sig.inc.in b/providers/implementations/signature/sm2_sig.inc.in index f410d74a47d..3a34316609b 100644 --- a/providers/implementations/signature/sm2_sig.inc.in +++ b/providers/implementations/signature/sm2_sig.inc.in @@ -21,4 +21,5 @@ use OpenSSL::paramnames qw(produce_param_decoder); (['OSSL_SIGNATURE_PARAM_DIGEST_SIZE', 'size', 'size_t'], ['OSSL_SIGNATURE_PARAM_DIGEST', 'digest', 'utf8_string'], ['OSSL_PKEY_PARAM_DIST_ID', 'distid', 'octet_string'], + ['OSSL_SIGNATURE_PARAM_TLS_VERSION', 'tlsver', 'uint'], )); -} diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm index 680f4f3317b..a99cade68fc 100644 --- a/util/perl/OpenSSL/paramnames.pm +++ b/util/perl/OpenSSL/paramnames.pm @@ -513,6 +513,7 @@ my %params = ( 'OSSL_SIGNATURE_PARAM_MU' => "mu", # int 'OSSL_SIGNATURE_PARAM_TEST_ENTROPY' => "test-entropy", 'OSSL_SIGNATURE_PARAM_ADD_RANDOM' => "additional-random", + 'OSSL_SIGNATURE_PARAM_TLS_VERSION' => "tls-version", # Asym cipher parameters 'OSSL_ASYM_CIPHER_PARAM_DIGEST' => '*OSSL_PKEY_PARAM_DIGEST',