path: root/feature-add-SMx-support.patch

From 93b312c0263cbf40f66448ff7ddbea7a2def1953 Mon Sep 17 00:00:00 2001
From: kircher <majun65@huawei.com>
Date: Fri, 29 Jul 2022 10:45:08 +0800
Subject: [PATCH] add SMx support in openssh
HostKeyAlgorithms sm2
KexAlgorithms sm2-sm3
MACs hmac-sm3
Ciphers sm4-ctr
PubkeyAcceptedAlgorithms sm2
FingerprintHash sm3

---
 Makefile.in                           |   4 +-
 authfd.c                              |   2 +
 authfile.c                            |   1 +
 cipher.c                              |   1 +
 digest-openssl.c                      |   1 +
 digest.h                              |   3 +-
 kex.c                                 |   1 +
 kex.h                                 |   3 +
 kexecdh.c                             |  23 +-
 kexgen.c                              |   3 +
 kexsm2.c                              | 406 ++++++++++++++++++++++++++
 mac.c                                 |   1 +
 pathnames.h                           |   1 +
 regress/agent.sh                      |   9 +
 regress/keytype.sh                    |   2 +
 regress/knownhosts-command.sh         |   1 +
 regress/misc/fuzz-harness/sig_fuzz.cc |   4 +
 regress/unittests/kex/test_kex.c      |   3 +
 ssh-ecdsa.c                           |   6 +-
 ssh-keygen.c                          |  12 +-
 ssh-keyscan.c                         |  12 +-
 ssh-sm2.c                             | 230 +++++++++++++++
 ssh_api.c                             |   2 +
 sshconnect2.c                         |   1 +
 sshd.c                                |   7 +
 sshkey.c                              |  62 +++-
 sshkey.h                              |   9 +
 27 files changed, 794 insertions(+), 16 deletions(-)
 create mode 100644 kexsm2.c
 create mode 100644 ssh-sm2.c

diff --git a/Makefile.in b/Makefile.in
index 07bf440..1393190 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -100,14 +100,14 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	log.o match.o moduli.o nchan.o packet.o \
 	readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
 	atomicio.o dispatch.o mac.o misc.o utf8.o \
-	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
+	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-sm2.o ssh-ecdsa-sk.o \
 	ssh-ed25519-sk.o ssh-rsa.o dh.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 	ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
 	poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
 	ssh-ed25519.o digest-openssl.o digest-libc.o \
 	hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
-	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o kexsm2.o \
 	kexgexc.o kexgexs.o \
 	kexsntrup761x25519.o sntrup761.o kexgen.o \
 	kexgssc.o \
diff --git a/authfd.c b/authfd.c
index 9f092f7..163b4b5 100644
--- a/authfd.c
+++ b/authfd.c
@@ -512,6 +512,8 @@ ssh_add_identity_constrained(int sock, struct sshkey *key,
 	case KEY_DSA_CERT:
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 	case KEY_ECDSA_SK:
 	case KEY_ECDSA_SK_CERT:
 #endif
diff --git a/authfile.c b/authfile.c
index 666730b..dce1e84 100644
--- a/authfile.c
+++ b/authfile.c
@@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
 	case KEY_RSA:
 	case KEY_DSA:
 	case KEY_ECDSA:
+	case KEY_SM2:
 #endif /* WITH_OPENSSL */
 	case KEY_ED25519:
 	case KEY_XMSS:
diff --git a/cipher.c b/cipher.c
index b54b994..039e414 100644
--- a/cipher.c
+++ b/cipher.c
@@ -88,6 +88,7 @@ static const struct sshcipher ciphers[] = {
 #endif
 	{ "chacha20-poly1305@openssh.com",
 				8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
+	{ "sm4-ctr",            16, 16, 0, 0, 0, EVP_sm4_ctr },
 	{ "none",		8, 0, 0, 0, CFLAG_NONE, NULL },
 
 	{ NULL,			0, 0, 0, 0, 0, NULL }
diff --git a/digest-openssl.c b/digest-openssl.c
index 94730e9..fa92360 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
 	{ SSH_DIGEST_SHA256,	"SHA256",	32,	EVP_sha256 },
 	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
 	{ SSH_DIGEST_SHA512,	"SHA512",	64,	EVP_sha512 },
+	{ SSH_DIGEST_SM3,       "SM3",          32,     EVP_sm3 },
 	{ -1,			NULL,		0,	NULL },
 };
 
diff --git a/digest.h b/digest.h
index c7ceeb3..520722c 100644
--- a/digest.h
+++ b/digest.h
@@ -27,7 +27,8 @@
 #define SSH_DIGEST_SHA256	2
 #define SSH_DIGEST_SHA384	3
 #define SSH_DIGEST_SHA512	4
-#define SSH_DIGEST_MAX		5
+#define SSH_DIGEST_SM3          5
+#define SSH_DIGEST_MAX		6
 
 struct sshbuf;
 struct ssh_digest_ctx;
diff --git a/kex.c b/kex.c
index d0a9dee..6284f90 100644
--- a/kex.c
+++ b/kex.c
@@ -124,6 +124,7 @@ static const struct kexalg kexalgs[] = {
 	    SSH_DIGEST_SHA512 },
 #endif
 #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
+	{ "sm2-sm3", KEX_SM2_SM3, NID_sm2, SSH_DIGEST_SM3 },
 	{ NULL, 0, -1, -1},
 };
 static const struct kexalg gss_kexalgs[] = {
diff --git a/kex.h b/kex.h
index d26ba26..8b95227 100644
--- a/kex.h
+++ b/kex.h
@@ -102,6 +102,7 @@ enum kex_exchange {
 	KEX_ECDH_SHA2,
 	KEX_C25519_SHA256,
 	KEX_KEM_SNTRUP761X25519_SHA512,
+	KEX_SM2_SM3,
 #ifdef GSSAPI
 	KEX_GSS_GRP1_SHA1,
 	KEX_GSS_GRP14_SHA1,
@@ -277,6 +278,8 @@ int	kexc25519_shared_key_ext(const u_char key[CURVE25519_SIZE],
 	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
 	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));
 
+int SM2KAP_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *eckey, int server);
+
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
 void	dump_digest(const char *, const u_char *, int);
 #endif
diff --git a/kexecdh.c b/kexecdh.c
index efb2e55..69ec13b 100644
--- a/kexecdh.c
+++ b/kexecdh.c
@@ -44,7 +44,7 @@
 
 static int
 kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key,
-    const EC_GROUP *, struct sshbuf **);
+    const EC_GROUP *, struct sshbuf **, int server);
 
 int
 kex_ecdh_keypair(struct kex *kex)
@@ -124,7 +124,7 @@ kex_ecdh_enc(struct kex *kex, const struct sshbuf *client_blob,
 	    (r = sshbuf_get_u32(server_blob, NULL)) != 0)
 		goto out;
 	if ((r = kex_ecdh_dec_key_group(kex, client_blob, server_key, group,
-	    shared_secretp)) != 0)
+	    shared_secretp, 1)) != 0)
 		goto out;
 	*server_blobp = server_blob;
 	server_blob = NULL;
@@ -136,7 +136,7 @@ kex_ecdh_enc(struct kex *kex, const struct sshbuf *client_blob,
 
 static int
 kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
-    EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp)
+    EC_KEY *key, const EC_GROUP *group, struct sshbuf **shared_secretp, int server)
 {
 	struct sshbuf *buf = NULL;
 	BIGNUM *shared_secret = NULL;
@@ -176,11 +176,20 @@ kex_ecdh_dec_key_group(struct kex *kex, const struct sshbuf *ec_blob,
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
 	}
-	if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
+	if (kex->ec_nid == NID_sm2) {
+		if (SM2KAP_compute_key(kbuf, klen, dh_pub, key, server) != (int)klen ||
 	    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
-		r = SSH_ERR_LIBCRYPTO_ERROR;
-		goto out;
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
+	} else {
+		if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen ||
+	    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
+			r = SSH_ERR_LIBCRYPTO_ERROR;
+			goto out;
+		}
 	}
+
 #ifdef DEBUG_KEXECDH
 	dump_digest("shared secret", kbuf, klen);
 #endif
@@ -203,7 +212,7 @@ kex_ecdh_dec(struct kex *kex, const struct sshbuf *server_blob,
 	int r;
 
 	r = kex_ecdh_dec_key_group(kex, server_blob, kex->ec_client_key,
-	    kex->ec_group, shared_secretp);
+	    kex->ec_group, shared_secretp, 0);
 	EC_KEY_free(kex->ec_client_key);
 	kex->ec_client_key = NULL;
 	return r;
diff --git a/kexgen.c b/kexgen.c
index 31f90f5..f3eff47 100644
--- a/kexgen.c
+++ b/kexgen.c
@@ -111,6 +111,7 @@ kex_gen_client(struct ssh *ssh)
 		r = kex_dh_keypair(kex);
 		break;
 	case KEX_ECDH_SHA2:
+	case KEX_SM2_SM3:
 		r = kex_ecdh_keypair(kex);
 		break;
 #endif
@@ -182,6 +183,7 @@ input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh)
 		r = kex_dh_dec(kex, server_blob, &shared_secret);
 		break;
 	case KEX_ECDH_SHA2:
+	case KEX_SM2_SM3:
 		r = kex_ecdh_dec(kex, server_blob, &shared_secret);
 		break;
 #endif
@@ -280,6 +282,7 @@ input_kex_gen_init(int type, u_int32_t seq, struct ssh *ssh)
 		    &shared_secret);
 		break;
 	case KEX_ECDH_SHA2:
+	case KEX_SM2_SM3:
 		r = kex_ecdh_enc(kex, client_pubkey, &server_pubkey,
 		    &shared_secret);
 		break;
diff --git a/kexsm2.c b/kexsm2.c
new file mode 100644
index 0000000..f507557
--- /dev/null
+++ b/kexsm2.c
@@ -0,0 +1,406 @@
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <string.h>
+#include <openssl/ecdh.h>
+#include <openssl/ec.h>
+
+int sm2_compute_z_digest(uint8_t *out,
+                         const EVP_MD *digest,
+                         const uint8_t *id,
+                         const size_t id_len,
+                         const EC_KEY *key)
+{
+    int rc = 0;
+    const EC_GROUP *group = EC_KEY_get0_group(key);
+    BN_CTX *ctx = NULL;
+    EVP_MD_CTX *hash = NULL;
+    BIGNUM *p = NULL;
+    BIGNUM *a = NULL;
+    BIGNUM *b = NULL;
+    BIGNUM *xG = NULL;
+    BIGNUM *yG = NULL;
+    BIGNUM *xA = NULL;
+    BIGNUM *yA = NULL;
+    int p_bytes = 0;
+    uint8_t *buf = NULL;
+    uint16_t entl = 0;
+    uint8_t e_byte = 0;
+
+    hash = EVP_MD_CTX_new();
+    ctx = BN_CTX_new();
+    if (hash == NULL || ctx == NULL) {
+        goto done;
+    }
+
+    p = BN_CTX_get(ctx);
+    a = BN_CTX_get(ctx);
+    b = BN_CTX_get(ctx);
+    xG = BN_CTX_get(ctx);
+    yG = BN_CTX_get(ctx);
+    xA = BN_CTX_get(ctx);
+    yA = BN_CTX_get(ctx);
+
+    if (yA == NULL) {
+        goto done;
+    }
+
+    if (!EVP_DigestInit(hash, digest)) {
+        goto done;
+    }
+
+    /* Z = h(ENTL || ID || a || b || xG || yG || xA || yA) */
+
+    if (id_len >= (UINT16_MAX / 8)) {
+        /* too large */
+        goto done;
+    }
+
+    entl = (uint16_t)(8 * id_len);
+
+    e_byte = entl >> 8;
+    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+        goto done;
+    }
+    e_byte = entl & 0xFF;
+    if (!EVP_DigestUpdate(hash, &e_byte, 1)) {
+        goto done;
+    }
+
+    if (id_len > 0 && !EVP_DigestUpdate(hash, id, id_len)) {
+        goto done;
+    }
+
+    if (!EC_GROUP_get_curve(group, p, a, b, ctx)) {
+        goto done;
+    }
+
+    p_bytes = BN_num_bytes(p);
+    buf = OPENSSL_zalloc(p_bytes);
+    if (buf == NULL) {
+        goto done;
+    }
+
+    if (BN_bn2binpad(a, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || BN_bn2binpad(b, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || !EC_POINT_get_affine_coordinates(group,
+                                                EC_GROUP_get0_generator(group),
+                                                xG, yG, ctx)
+            || BN_bn2binpad(xG, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || BN_bn2binpad(yG, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || !EC_POINT_get_affine_coordinates(group,
+                                                EC_KEY_get0_public_key(key),
+                                                xA, yA, ctx)
+            || BN_bn2binpad(xA, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || BN_bn2binpad(yA, buf, p_bytes) < 0
+            || !EVP_DigestUpdate(hash, buf, p_bytes)
+            || !EVP_DigestFinal(hash, out, NULL)) {
+        goto done;
+    }
+
+    rc = 1;
+
+ done:
+    OPENSSL_free(buf);
+    BN_CTX_free(ctx);
+    EVP_MD_CTX_free(hash);
+    return rc;
+}
+
+
+/* GM/T003_2012 Defined Key Derive Function */
+int kdf_gmt003_2012(unsigned char *out, size_t outlen, const unsigned char *Z, size_t Zlen, const unsigned char *SharedInfo, size_t SharedInfolen, const EVP_MD *md)
+{
+    EVP_MD_CTX *mctx = NULL;
+    unsigned int counter;
+    unsigned char ctr[4];
+    size_t mdlen;
+    int retval = 0;
+    unsigned char dgst[EVP_MAX_MD_SIZE];
+
+    if (!out || !outlen) return retval;
+    if (md == NULL) {
+        md = EVP_sm3();
+    }
+    mdlen = EVP_MD_size(md);
+    mctx = EVP_MD_CTX_new();
+    if (mctx == NULL) {
+        goto err;
+    }
+
+    for (counter = 1;; counter++) {
+        if (!EVP_DigestInit(mctx, md)) {
+            goto err;
+        }
+        ctr[0] = (unsigned char)((counter >> 24) & 0xFF);
+        ctr[1] = (unsigned char)((counter >> 16) & 0xFF);
+        ctr[2] = (unsigned char)((counter >> 8) & 0xFF);
+        ctr[3] = (unsigned char)(counter & 0xFF);
+
+        if (!EVP_DigestUpdate(mctx, Z, Zlen)) {
+            goto err;
+        }
+        if (!EVP_DigestUpdate(mctx, ctr, sizeof(ctr))) {
+            goto err;
+        }
+        if (!EVP_DigestUpdate(mctx, SharedInfo, SharedInfolen)) {
+            goto err;
+        }
+        if (!EVP_DigestFinal(mctx, dgst, NULL)) {
+            goto err;
+        }
+
+        if (outlen > mdlen) {
+            memcpy(out, dgst, mdlen);
+            out += mdlen;
+            outlen -= mdlen;
+        } else {
+            memcpy(out, dgst, outlen);
+            memset(dgst, 0, mdlen);
+            break;
+        }
+    }
+
+    retval = 1;
+
+err:
+    EVP_MD_CTX_free(mctx);
+    return retval;
+}
+
+int sm2_kap_compute_key(void *out, size_t outlen, int server,\
+    const uint8_t *peer_uid, int peer_uid_len, const uint8_t *self_uid, int self_uid_len, \
+    const EC_KEY *peer_ecdhe_key, const EC_KEY *self_ecdhe_key, const EC_KEY *peer_pub_key, const EC_KEY *self_eckey, \
+    const EVP_MD *md)
+{
+    BN_CTX *ctx = NULL;
+    EC_POINT *UorV = NULL;
+    const EC_POINT *Rs, *Rp;
+    BIGNUM *Xs = NULL, *Xp = NULL, *h = NULL, *t = NULL, *two_power_w = NULL, *order = NULL;
+    const BIGNUM *priv_key, *r;
+    const EC_GROUP *group;
+    int w;
+    int ret = -1;
+    size_t buflen, len;
+    unsigned char *buf = NULL;
+
+    if (outlen > INT_MAX) {
+        goto err;
+    }
+
+    if (!peer_pub_key || !self_eckey) {
+        goto err;
+    }
+
+    priv_key = EC_KEY_get0_private_key(self_eckey);
+    if (!priv_key) {
+        goto err;
+    }
+
+    if (!peer_ecdhe_key || !self_ecdhe_key) {
+        goto err;
+    }
+
+    Rs = EC_KEY_get0_public_key(self_ecdhe_key);
+    Rp = EC_KEY_get0_public_key(peer_ecdhe_key);
+    r = EC_KEY_get0_private_key(self_ecdhe_key);
+
+    if (!Rs || !Rp || !r) {
+        goto err;
+    }
+
+    ctx = BN_CTX_new();
+    Xs = BN_new();
+    Xp = BN_new();
+    h = BN_new();
+    t = BN_new();
+    two_power_w = BN_new();
+    order = BN_new();
+    if (!Xs || !Xp || !h || !t || !two_power_w || !order) {
+        goto err;
+    }
+
+    group = EC_KEY_get0_group(self_eckey);
+
+    /*Second: Caculate -- w*/
+    if (!EC_GROUP_get_order(group, order, ctx) || !EC_GROUP_get_cofactor(group, h, ctx)) {
+        goto err;
+    }
+
+    w = (BN_num_bits(order) + 1) / 2 - 1;
+    if (!BN_lshift(two_power_w, BN_value_one(), w)) {
+        goto err;
+    }
+
+    /*Third: Caculate -- X =  2 ^ w + (x & (2 ^ w - 1)) = 2 ^ w + (x mod 2 ^ w)*/
+    UorV = EC_POINT_new(group);
+
+    if (!UorV) {
+        goto err;
+    }
+
+    /*Test peer public key On curve*/
+    if (!EC_POINT_is_on_curve(group, Rp, ctx)) {
+        goto err;
+    }
+
+    /*Get x*/
+    if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) {
+        if (!EC_POINT_get_affine_coordinates_GFp(group, Rs, Xs, NULL, ctx)) {
+            goto err;
+        }
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, Rp, Xp, NULL, ctx)) {
+            goto err;
+        }
+    }
+
+    /*x mod 2 ^ w*/
+    /*Caculate Self x*/
+    if (!BN_nnmod(Xs, Xs, two_power_w, ctx)) {
+        goto err;
+    }
+
+    if (!BN_add(Xs, Xs, two_power_w)) {
+        goto err;
+    }
+
+    /*Caculate Peer x*/
+    if (!BN_nnmod(Xp, Xp, two_power_w, ctx)) {
+        goto err;
+    }
+
+    if (!BN_add(Xp, Xp, two_power_w)) {
+        goto err;
+    }
+
+    /*Forth: Caculate t*/
+    if (!BN_mod_mul(t, Xs, r, order, ctx)) {
+        goto err;
+    }
+
+    if (!BN_mod_add(t, t, priv_key, order, ctx)) {
+        goto err;
+    }
+
+    /*Fifth: Caculate V or U*/
+    if (!BN_mul(t, t, h, ctx)) {
+        goto err;
+    }
+
+    /* [x]R */
+    if (!EC_POINT_mul(group, UorV, NULL, Rp, Xp, ctx)) {
+        goto err;
+    }
+
+    /* P + [x]R */
+    if (!EC_POINT_add(group, UorV, UorV, EC_KEY_get0_public_key(peer_pub_key), ctx)) {
+        goto err;
+    }
+
+    if (!EC_POINT_mul(group, UorV, NULL, UorV, t, ctx)) {
+        goto err;
+    }
+
+    /* Detect UorV is in */
+    if (EC_POINT_is_at_infinity(group, UorV)) {
+        goto err;
+    }
+
+    /*Sixth: Caculate Key -- Need Xuorv, Yuorv, Zc, Zs, klen*/
+    {
+        /*
+        size_t buflen, len;
+        unsigned char *buf = NULL;
+        */
+        size_t elemet_len, idx;
+
+        elemet_len = (size_t)((EC_GROUP_get_degree(group) + 7) / 8);
+        buflen = elemet_len * 2 + 32 * 2 + 1;    /*add 1 byte tag*/
+        buf = (unsigned char *)OPENSSL_malloc(buflen + 10);
+        if (!buf) {
+            goto err;
+        }
+        memset(buf, 0, buflen + 10);
+        /*1 : Get public key for UorV, Notice: the first byte is a tag, not a valid char*/
+        idx = EC_POINT_point2oct(group, UorV, 4, buf, buflen, ctx);
+        if (!idx) {
+            goto err;
+        }
+
+        if (!server) {
+            /*SIDE A*/
+            len = buflen - idx;
+            if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+                goto err;
+            }
+            len = 32;
+            idx += len;
+        }
+
+        /*Caculate Peer Z*/
+        len = buflen - idx;
+        if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)peer_uid, peer_uid_len, peer_pub_key)) {
+            goto err;
+        }
+        len = 32;
+        idx += len;
+
+        if (server) {
+            /*SIDE B*/
+            len = buflen - idx;
+            if (!sm2_compute_z_digest( (unsigned char *)(buf + idx), md, (const uint8_t *)self_uid, self_uid_len, self_eckey)) {
+                goto err;
+            }
+            len = 32;
+            idx += len;
+        }
+
+        len = outlen;
+        if (!kdf_gmt003_2012(out, len, (const unsigned char *)(buf + 1), idx - 1, NULL, 0, md)) {
+            goto err;
+        }
+    }
+
+    ret = outlen;
+
+err:
+    if (Xs) BN_free(Xs);
+    if (Xp) BN_free(Xp);
+    if (h) BN_free(h);
+    if (t) BN_free(t);
+    if (two_power_w) BN_free(two_power_w);
+    if (order) BN_free(order);
+    if (UorV) EC_POINT_free(UorV);
+    if (buf) OPENSSL_free(buf);
+    if (ctx) BN_CTX_free(ctx);
+
+    return ret;
+}
+
+int SM2KAP_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *eckey, int server)
+{
+	int ret = 0;
+	EC_KEY *pubkey = NULL;
+	unsigned char id[16] = {1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8};
+
+	if ((pubkey = EC_KEY_new_by_curve_name(NID_sm2)) == NULL) {
+		return ret;
+	}
+
+	if (EC_KEY_set_public_key(pubkey, pub_key) != 1) {
+		ret = 0;
+		goto out;
+	}
+
+	ret = sm2_kap_compute_key(out, outlen, server, id, sizeof(id), id, sizeof(id), pubkey, eckey, pubkey, eckey, (EVP_MD*)EVP_sm3());
+
+out:
+	EC_KEY_free(pubkey);
+	return ret;
+}
diff --git a/mac.c b/mac.c
index bf051ba..2de17a0 100644
--- a/mac.c
+++ b/mac.c
@@ -65,6 +65,7 @@ static const struct macalg macs[] = {
 	{ "hmac-md5-96",			SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 },
 	{ "umac-64@openssh.com",		SSH_UMAC, 0, 0, 128, 64, 0 },
 	{ "umac-128@openssh.com",		SSH_UMAC128, 0, 0, 128, 128, 0 },
+	{ "hmac-sm3",                           SSH_DIGEST, SSH_DIGEST_SM3, 0, 0, 0, 0 },
 
 	/* Encrypt-then-MAC variants */
 	{ "hmac-sha1-etm@openssh.com",		SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
diff --git a/pathnames.h b/pathnames.h
index a094888..0a805ad 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -80,6 +80,7 @@
 #define _PATH_SSH_CLIENT_ID_XMSS	_PATH_SSH_USER_DIR "/id_xmss"
 #define _PATH_SSH_CLIENT_ID_ECDSA_SK	_PATH_SSH_USER_DIR "/id_ecdsa_sk"
 #define _PATH_SSH_CLIENT_ID_ED25519_SK	_PATH_SSH_USER_DIR "/id_ed25519_sk"
+#define _PATH_SSH_CLIENT_ID_SM2         _PATH_SSH_USER_DIR "/id_sm2"
 
 /*
  * Configuration file in user's home directory.  This file need not be
diff --git a/regress/agent.sh b/regress/agent.sh
index f187b67..42a5124 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -87,9 +87,18 @@ fi
 for t in ${SSH_KEYTYPES}; do
 	trace "connect via agent using $t key"
 	if [ "$t" = "ssh-dss" ]; then
+		sed -i "/PubkeyAcceptedAlgorithms/d" $OBJ/ssh_proxy
+		sed -i "/PubkeyAcceptedAlgorithms/d" $OBJ/sshd_proxy
 		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/ssh_proxy
 		echo "PubkeyAcceptedAlgorithms +ssh-dss" >> $OBJ/sshd_proxy
 	fi
+	if [ "$t" = "sm2" ]; then
+		sed -i "/PubkeyAcceptedAlgorithms/d" $OBJ/ssh_proxy
+		sed -i "/PubkeyAcceptedAlgorithms/d" $OBJ/sshd_proxy
+		echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/ssh_proxy
+		echo "PubkeyAcceptedAlgorithms +sm2,sm2-cert" >> $OBJ/sshd_proxy
+	fi
+
 	${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
 		somehost exit 52
 	r=$?
diff --git a/regress/keytype.sh b/regress/keytype.sh
index f1c0451..2665bd6 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -18,6 +18,7 @@ for i in ${SSH_KEYTYPES}; do
 		ecdsa-sha2-nistp521)	ktypes="$ktypes ecdsa-521" ;;
 		sk-ssh-ed25519*)	ktypes="$ktypes ed25519-sk" ;;
 		sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
+		sm2)			ktypes="$ktypes sm2-256" ;;
 	esac
 done
 
@@ -44,6 +45,7 @@ kname_to_ktype() {
 	rsa-*)		echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
 	ed25519-sk)	echo sk-ssh-ed25519@openssh.com;;
 	ecdsa-sk)	echo sk-ecdsa-sha2-nistp256@openssh.com;;
+	sm2-256)	echo sm2;;
 	esac
 }
 
diff --git a/regress/knownhosts-command.sh b/regress/knownhosts-command.sh
index 8472ec8..7f56fb1 100644
--- a/regress/knownhosts-command.sh
+++ b/regress/knownhosts-command.sh
@@ -41,6 +41,7 @@ ${SSH} -F $OBJ/ssh_proxy x true && fail "ssh connect succeeded with bad exit"
 for keytype in ${SSH_HOSTKEY_TYPES} ; do
 	algs=$keytype
 	test "x$keytype" = "xssh-dss" && continue
+	test "x$keytype" = "xsm2" && continue
 	test "x$keytype" = "xssh-rsa" && algs=ssh-rsa,rsa-sha2-256,rsa-sha2-512
 	verbose "keytype $keytype"
 	cat > $OBJ/knownhosts_command << _EOF
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index b32502b..f260692 100644
--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -30,6 +30,7 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
   static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
   static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
   static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+  static struct sshkey *sm2 = generate_or_die(KEY_SM2, 256);
 #endif
   struct sshkey_sig_details *details = NULL;
   static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
@@ -53,6 +54,9 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
   sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
   sshkey_sig_details_free(details);
   details = NULL;
+  sshkey_verify(sm2, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+  sshkey_sig_details_free(details);
+  details = NULL;
 #endif
   sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
   sshkey_sig_details_free(details);
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index 3bd71a9..312e8f2 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -152,6 +152,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 	server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
+	server2->kex->kex[KEX_SM2_SM3] = kex_gen_server;
 	server2->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
 	server2->kex->load_host_public_key = server->kex->load_host_public_key;
 	server2->kex->load_host_private_key = server->kex->load_host_private_key;
@@ -186,6 +187,7 @@ do_kex(char *kex)
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 	do_kex_with_key(kex, KEY_ED25519, 256);
+	do_kex_with_key(kex, KEY_SM2, 256);
 }
 
 void
@@ -202,6 +204,7 @@ kex_tests(void)
 	do_kex("diffie-hellman-group-exchange-sha1");
 	do_kex("diffie-hellman-group14-sha1");
 	do_kex("diffie-hellman-group1-sha1");
+	do_kex("sm2-sm3");
 # ifdef USE_SNTRUP761X25519
 	do_kex("sntrup761x25519-sha512@openssh.com");
 # endif /* USE_SNTRUP761X25519 */
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index b036796..6697be6 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -66,7 +66,8 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
 		*sigp = NULL;
 
 	if (key == NULL || key->ecdsa == NULL ||
-	    sshkey_type_plain(key->type) != KEY_ECDSA)
+	   (sshkey_type_plain(key->type) != KEY_ECDSA &&
+	   sshkey_type_plain(key->type) != KEY_SM2))
 		return SSH_ERR_INVALID_ARGUMENT;
 
 	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
@@ -133,7 +134,8 @@ ssh_ecdsa_verify(const struct sshkey *key,
 	unsigned char *sigb = NULL, *psig = NULL;
 
 	if (key == NULL || key->ecdsa == NULL ||
-	    sshkey_type_plain(key->type) != KEY_ECDSA ||
+	   (sshkey_type_plain(key->type) != KEY_ECDSA &&
+	    sshkey_type_plain(key->type) != KEY_SM2) ||
 	    signature == NULL || signaturelen == 0)
 		return SSH_ERR_INVALID_ARGUMENT;
 
diff --git a/ssh-keygen.c b/ssh-keygen.c
index b9c4dce..bd6ea16 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
 			*bitsp = DEFAULT_BITS_DSA;
 			break;
 		case KEY_ECDSA:
+		case KEY_SM2:
 			if (name != NULL &&
 			    (nid = sshkey_ecdsa_nid_from_name(name)) > 0)
 				*bitsp = sshkey_curve_nid_to_bits(nid);
@@ -224,6 +225,10 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
 			fatal("Invalid RSA key length: maximum is %d bits",
 			    OPENSSL_RSA_MAX_MODULUS_BITS);
 		break;
+	case KEY_SM2:
+		if (*bitsp != 256)
+			fatal("Invalid SM2 key length: must be 256 bits");
+		break;
 	case KEY_ECDSA:
 		if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
 #ifdef OPENSSL_HAS_NISTP521
@@ -280,6 +285,9 @@ ask_filename(struct passwd *pw, const char *prompt)
 		case KEY_ECDSA:
 			name = _PATH_SSH_CLIENT_ID_ECDSA;
 			break;
+		case KEY_SM2:
+			name = _PATH_SSH_CLIENT_ID_SM2;
+			break;
 		case KEY_ECDSA_SK_CERT:
 		case KEY_ECDSA_SK:
 			name = _PATH_SSH_CLIENT_ID_ECDSA_SK;
@@ -391,6 +399,7 @@ do_convert_to_pkcs8(struct sshkey *k)
 		break;
 #ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
 			fatal("PEM_write_EC_PUBKEY failed");
 		break;
@@ -415,6 +424,7 @@ do_convert_to_pem(struct sshkey *k)
 		break;
 #ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
 			fatal("PEM_write_EC_PUBKEY failed");
 		break;
@@ -3148,7 +3158,7 @@ usage(void)
 	fprintf(stderr,
 	    "usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]\n"
 	    "                  [-m format] [-N new_passphrase] [-O option]\n"
-	    "                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n"
+	    "                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa | sm2]\n"
 	    "                  [-w provider] [-Z cipher]\n"
 	    "       ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n"
 	    "                   [-P old_passphrase] [-Z cipher]\n"
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 9ec4d9a..be2af0a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -63,9 +63,10 @@ int ssh_port = SSH_DEFAULT_PORT;
 #define KT_XMSS		(1<<4)
 #define KT_ECDSA_SK	(1<<5)
 #define KT_ED25519_SK	(1<<6)
+#define KT_SM2   	(1<<7)
 
 #define KT_MIN		KT_DSA
-#define KT_MAX		KT_ED25519_SK
+#define KT_MAX		KT_SM2
 
 int get_cert = 0;
 int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519|KT_ECDSA_SK|KT_ED25519_SK;
@@ -261,6 +262,11 @@ keygrab_ssh2(con *c)
 		    "ecdsa-sha2-nistp384,"
 		    "ecdsa-sha2-nistp521";
 		break;
+	case KT_SM2:
+		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                    "sm2-cert" :
+                    "sm2";
+                break;
 	case KT_ECDSA_SK:
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
 		    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com" :
@@ -290,6 +296,7 @@ keygrab_ssh2(con *c)
 	c->c_ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
 	c->c_ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
+	c->c_ssh->kex->kex[KEX_SM2_SM3] = kex_gen_client;
 # endif
 #endif
 	c->c_ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
@@ -730,6 +737,9 @@ main(int argc, char **argv)
 				case KEY_ECDSA:
 					get_keytypes |= KT_ECDSA;
 					break;
+				case KEY_SM2:
+					get_keytypes |= KT_SM2;
+                                        break;
 				case KEY_RSA:
 					get_keytypes |= KT_RSA;
 					break;
diff --git a/ssh-sm2.c b/ssh-sm2.c
new file mode 100644
index 0000000..c242139
--- /dev/null
+++ b/ssh-sm2.c
@@ -0,0 +1,230 @@
+#include "includes.h"
+#include <sys/types.h>
+#include <openssl/bn.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+
+#include <string.h>
+#include "sshbuf.h"
+#include "ssherr.h"
+#include "digest.h"
+#include "sshkey.h"
+
+#include "openbsd-compat/openssl-compat.h"
+
+const unsigned char *sm2_id = (const unsigned char *)"1234567812345678";
+
+int
+ssh_sm2_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
+{
+	u_char *sig = NULL;
+        size_t slen = 0;
+	int pkey_len = 0;
+	int r = 0;
+	int len = 0;
+	EVP_PKEY *key_sm2 = NULL;
+        struct sshbuf *b = NULL;
+	EVP_PKEY_CTX *pctx = NULL;
+	EVP_MD_CTX *mctx = NULL;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sigp != NULL)
+                *sigp = NULL;
+
+	if (key == NULL || key->ecdsa == NULL ||
+	    sshkey_type_plain(key->type) != KEY_SM2)
+		return SSH_ERR_INVALID_ARGUMENT;
+
+	if ((key_sm2 = EVP_PKEY_new()) == NULL) {
+		return SSH_ERR_ALLOC_FAIL;
+	}
+
+	if ((EVP_PKEY_set1_EC_KEY(key_sm2, key->ecdsa)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+		goto out;
+	}
+
+        if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) {
+                ret = SSH_ERR_INVALID_ARGUMENT;
+		goto out;
+        }
+
+	slen = pkey_len;
+	
+	if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+		goto out;
+	}
+
+        if ((sig = OPENSSL_malloc(pkey_len)) == NULL) {
+		ret = SSH_ERR_ALLOC_FAIL;
+		goto out;
+        }
+
+	if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) {
+		ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+	}
+
+	if (EVP_PKEY_CTX_set1_id(pctx, sm2_id, 16) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+	
+	if ((mctx = EVP_MD_CTX_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+	}
+
+	EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
+
+        if ((EVP_DigestSignInit(mctx, NULL, EVP_sm3(), NULL, key_sm2)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+		goto out;
+	}
+
+        if ((EVP_DigestSignUpdate(mctx, data, datalen)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+        
+	if ((EVP_DigestSignFinal(mctx, sig, &slen)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+
+	if ((b = sshbuf_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        if ((r = sshbuf_put_cstring(b, "sm2")) != 0 ||
+            (r = sshbuf_put_string(b, sig, slen)) != 0)
+                goto out;
+	len = sshbuf_len(b);
+	if (sigp != NULL) {
+                if ((*sigp = malloc(len)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                memcpy(*sigp, sshbuf_ptr(b), len);
+        } 
+	if (lenp != NULL)
+                *lenp = len;
+	ret = 0;
+
+out:
+	EVP_PKEY_free(key_sm2);
+        if (sig != NULL) {
+                explicit_bzero(sig, slen);
+                OPENSSL_free(sig);
+        }
+	EVP_PKEY_CTX_free(pctx);
+	EVP_MD_CTX_free(mctx);
+        sshbuf_free(b);
+	return ret;
+}
+
+int
+ssh_sm2_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat)
+{
+	const u_char *sig = NULL;
+	char *ktype = NULL;
+	size_t slen = 0;
+        int pkey_len = 0;
+        int r = 0;
+        int len = 0;
+	EVP_PKEY *key_sm2 = NULL;
+        struct sshbuf *b = NULL;
+        EVP_PKEY_CTX *pctx = NULL;
+        EVP_MD_CTX *mctx = NULL;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (key == NULL ||
+            sshkey_type_plain(key->type) != KEY_SM2 ||
+            signature == NULL || signaturelen == 0)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+
+        if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 ||
+            (r = sshbuf_get_string_direct(b, &sig, &slen)) != 0)
+                goto out;
+
+	if (strcmp("sm2", ktype) != 0) {
+                ret = SSH_ERR_KEY_TYPE_MISMATCH;
+                goto out;
+	}
+
+        if (sshbuf_len(b) != 0) {
+                ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                goto out;
+        }
+
+        if ((key_sm2 = EVP_PKEY_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        if ((EVP_PKEY_set1_EC_KEY(key_sm2, key->ecdsa)) != 1) {
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+        }
+
+        if ((pkey_len = EVP_PKEY_size(key_sm2)) == 0) {
+                ret = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+
+        if ((EVP_PKEY_set_alias_type(key_sm2, EVP_PKEY_SM2)) != 1) {
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+        }
+
+	if ((pctx = EVP_PKEY_CTX_new(key_sm2, NULL)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        if (EVP_PKEY_CTX_set1_id(pctx, sm2_id, 16) != 1) {
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+        }
+
+        if ((mctx = EVP_MD_CTX_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+	EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
+
+        if ((EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, key_sm2)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+        
+	if ((EVP_DigestVerifyUpdate(mctx, data, datalen)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+        
+	if ((EVP_DigestVerifyFinal(mctx, sig, slen)) != 1) {
+		ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+	}
+
+	ret = 0;
+out:
+	EVP_PKEY_free(key_sm2);
+        EVP_PKEY_CTX_free(pctx);
+        EVP_MD_CTX_free(mctx);
+        sshbuf_free(b);
+	free(ktype);
+	return ret;
+}
diff --git a/ssh_api.c b/ssh_api.c
index d3c6617..adc2598 100644
--- a/ssh_api.c
+++ b/ssh_api.c
@@ -115,6 +115,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
 		ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
 		ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
+		ssh->kex->kex[KEX_SM2_SM3] = kex_gen_server;
 # endif
 #endif /* WITH_OPENSSL */
 		ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
@@ -133,6 +134,7 @@ ssh_init(struct ssh **sshp, int is_server, struct kex_params *kex_params)
 		ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
 		ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
+		ssh->kex->kex[KEX_SM2_SM3] = kex_gen_client;
 # endif
 #endif /* WITH_OPENSSL */
 		ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
diff --git a/sshconnect2.c b/sshconnect2.c
index fafc0a2..9a01f1a 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
 	ssh->kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 # ifdef OPENSSL_HAS_ECC
 	ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
+	ssh->kex->kex[KEX_SM2_SM3] = kex_gen_client;
 # endif
 # ifdef GSSAPI
 	if (options.gss_keyex) {
diff --git a/sshd.c b/sshd.c
index 8424e33..57d70fe 100644
--- a/sshd.c
+++ b/sshd.c
@@ -706,6 +706,7 @@ list_hostkey_types(void)
 			/* FALLTHROUGH */
 		case KEY_DSA:
 		case KEY_ECDSA:
+		case KEY_SM2:
 		case KEY_ED25519:
 		case KEY_ECDSA_SK:
 		case KEY_ED25519_SK:
@@ -727,6 +728,7 @@ list_hostkey_types(void)
 			/* FALLTHROUGH */
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
+		case KEY_SM2_CERT:
 		case KEY_ED25519_CERT:
 		case KEY_ECDSA_SK_CERT:
 		case KEY_ED25519_SK_CERT:
@@ -753,6 +755,7 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
 		case KEY_RSA_CERT:
 		case KEY_DSA_CERT:
 		case KEY_ECDSA_CERT:
+		case KEY_SM2_CERT:
 		case KEY_ED25519_CERT:
 		case KEY_ECDSA_SK_CERT:
 		case KEY_ED25519_SK_CERT:
@@ -769,8 +772,10 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
 			continue;
 		switch (type) {
 		case KEY_ECDSA:
+		case KEY_SM2:
 		case KEY_ECDSA_SK:
 		case KEY_ECDSA_CERT:
+		case KEY_SM2_CERT:
 		case KEY_ECDSA_SK_CERT:
 			if (key->ecdsa_nid != nid)
 				continue;
@@ -1983,6 +1988,7 @@ main(int ac, char **av)
 		case KEY_RSA:
 		case KEY_DSA:
 		case KEY_ECDSA:
+		case KEY_SM2:
 		case KEY_ED25519:
 		case KEY_ECDSA_SK:
 		case KEY_ED25519_SK:
@@ -2572,6 +2578,7 @@ do_ssh2_kex(struct ssh *ssh)
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
 	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
+	kex->kex[KEX_SM2_SM3] = kex_gen_server;
 # endif
 # ifdef GSSAPI
 	if (options.gss_keyex) {
diff --git a/sshkey.c b/sshkey.c
index b0c2189..51f8e51 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -159,6 +159,8 @@ static const struct keytype keytypes[] = {
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 	{ "null", "null", NULL, KEY_NULL, 0, 0, 0 },
+	{ "sm2", "SM2", NULL, KEY_SM2, NID_sm2, 0, 0 },
+	{ "sm2-cert", "SM2-CERT", NULL, KEY_SM2_CERT, NID_sm2, 1, 0 },
 	{ NULL, NULL, NULL, -1, -1, 0, 0 }
 };
 
@@ -233,6 +235,8 @@ key_type_is_ecdsa_variant(int type)
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA_SK:
 	case KEY_ECDSA_SK_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		return 1;
 	}
 	return 0;
@@ -342,6 +346,8 @@ sshkey_size(const struct sshkey *k)
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA_SK:
 	case KEY_ECDSA_SK_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
 #endif /* WITH_OPENSSL */
 	case KEY_ED25519:
@@ -366,6 +372,8 @@ sshkey_type_is_valid_ca(int type)
 	case KEY_ED25519:
 	case KEY_ED25519_SK:
 	case KEY_XMSS:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		return 1;
 	default:
 		return 0;
@@ -445,6 +453,8 @@ sshkey_type_plain(int type)
 		return KEY_ED25519_SK;
 	case KEY_XMSS_CERT:
 		return KEY_XMSS;
+	case KEY_SM2_CERT:
+		return KEY_SM2;
 	default:
 		return type;
 	}
@@ -540,6 +550,8 @@ sshkey_curve_name_to_nid(const char *name)
 	else if (strcmp(name, "nistp521") == 0)
 		return NID_secp521r1;
 # endif /* OPENSSL_HAS_NISTP521 */
+	else if (strcmp(name, "sm2") == 0)
+		return NID_sm2;
 	else
 		return -1;
 }
@@ -556,6 +568,8 @@ sshkey_curve_nid_to_bits(int nid)
 	case NID_secp521r1:
 		return 521;
 # endif /* OPENSSL_HAS_NISTP521 */
+	case NID_sm2:
+		return 256;
 	default:
 		return 0;
 	}
@@ -590,6 +604,8 @@ sshkey_curve_nid_to_name(int nid)
 	case NID_secp521r1:
 		return "nistp521";
 # endif /* OPENSSL_HAS_NISTP521 */
+	case NID_sm2:
+                return "sm2";
 	default:
 		return NULL;
 	}
@@ -695,6 +711,8 @@ sshkey_new(int type)
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA_SK:
 	case KEY_ECDSA_SK_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		/* Cannot do anything until we know the group */
 		break;
 #endif /* WITH_OPENSSL */
@@ -749,6 +767,8 @@ sshkey_free(struct sshkey *k)
 		/* FALLTHROUGH */
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		EC_KEY_free(k->ecdsa);
 		k->ecdsa = NULL;
 		break;
@@ -858,6 +878,8 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
 		/* FALLTHROUGH */
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		if (a->ecdsa == NULL || b->ecdsa == NULL ||
 		    EC_KEY_get0_public_key(a->ecdsa) == NULL ||
 		    EC_KEY_get0_public_key(b->ecdsa) == NULL)
@@ -933,6 +955,7 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
 #ifdef WITH_OPENSSL
 	case KEY_DSA_CERT:
 	case KEY_ECDSA_CERT:
+	case KEY_SM2_CERT:
 	case KEY_ECDSA_SK_CERT:
 	case KEY_RSA_CERT:
 #endif /* WITH_OPENSSL */
@@ -962,6 +985,7 @@ to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
 	case KEY_ECDSA_SK:
+	case KEY_SM2:
 		if (key->ecdsa == NULL)
 			return SSH_ERR_INVALID_ARGUMENT;
 		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
@@ -1436,6 +1460,8 @@ sshkey_read(struct sshkey *ret, char **cpp)
 	case KEY_DSA:
 	case KEY_ECDSA:
 	case KEY_ECDSA_SK:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 	case KEY_ED25519:
 	case KEY_ED25519_SK:
 	case KEY_DSA_CERT:
@@ -1535,6 +1561,7 @@ sshkey_read(struct sshkey *ret, char **cpp)
 		break;
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		EC_KEY_free(ret->ecdsa);
 		ret->ecdsa = k->ecdsa;
 		ret->ecdsa_nid = k->ecdsa_nid;
@@ -1795,7 +1822,7 @@ sshkey_ecdsa_key_to_nid(EC_KEY *k)
 }
 
 static int
-ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
+ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap, int sm2)
 {
 	EC_KEY *private;
 	int ret = SSH_ERR_INTERNAL_ERROR;
@@ -1804,6 +1831,9 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
 		return SSH_ERR_INVALID_ARGUMENT;
 	if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
 		return SSH_ERR_KEY_LENGTH;
+	if (sm2 && bits == 256) {
+		*nid = NID_sm2;
+	}
 	*ecdsap = NULL;
 	if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
 		ret = SSH_ERR_ALLOC_FAIL;
@@ -1857,7 +1887,11 @@ sshkey_generate(int type, u_int bits, struct sshkey **keyp)
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
 		ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
-		    &k->ecdsa);
+		    &k->ecdsa, 0);
+		break;
+	 case KEY_SM2:
+		ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
+		    &k->ecdsa, 1);
 		break;
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA:
@@ -1993,6 +2027,8 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA_SK:
 	case KEY_ECDSA_SK_CERT:
+	case KEY_SM2:
+	case KEY_SM2_CERT:
 		n->ecdsa_nid = k->ecdsa_nid;
 		n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
 		if (n->ecdsa == NULL) {
@@ -2548,6 +2584,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
 		break;
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA_CERT:
+	case KEY_SM2_CERT:
 	case KEY_ECDSA_SK_CERT:
 		/* Skip nonce */
 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
@@ -2557,6 +2594,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
 		/* FALLTHROUGH */
 	case KEY_ECDSA:
 	case KEY_ECDSA_SK:
+	case KEY_SM2:
 		if ((key = sshkey_new(type)) == NULL) {
 			ret = SSH_ERR_ALLOC_FAIL;
 			goto out;
@@ -2865,6 +2903,10 @@ sshkey_sign(struct sshkey *key,
 	case KEY_ECDSA:
 		r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
 		break;
+	case KEY_SM2:
+	case KEY_SM2_CERT:
+		r = ssh_sm2_sign(key, sigp, lenp, data, datalen, compat);
+		break;
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA_CERT:
 	case KEY_RSA:
@@ -2920,6 +2962,9 @@ sshkey_verify(const struct sshkey *key,
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA:
 		return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
+	case KEY_SM2:
+	case KEY_SM2_CERT:
+		return ssh_sm2_verify(key, sig, siglen, data, dlen, compat);
 	case KEY_ECDSA_SK_CERT:
 	case KEY_ECDSA_SK:
 		return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
@@ -2963,6 +3008,9 @@ sshkey_to_certified(struct sshkey *k)
 	case KEY_ECDSA:
 		newtype = KEY_ECDSA_CERT;
 		break;
+	case KEY_SM2:
+		newtype = KEY_SM2_CERT;
+		break;
 	case KEY_ECDSA_SK:
 		newtype = KEY_ECDSA_SK_CERT;
 		break;
@@ -3067,6 +3115,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
 		break;
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA_CERT:
+	case KEY_SM2_CERT:
 	case KEY_ECDSA_SK_CERT:
 		if ((ret = sshbuf_put_cstring(cert,
 		    sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
@@ -3380,6 +3429,7 @@ sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
 		break;
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		if ((r = sshbuf_put_cstring(b,
 		    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
 		    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
@@ -3388,6 +3438,7 @@ sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
 			goto out;
 		break;
 	case KEY_ECDSA_CERT:
+	case KEY_SM2_CERT:
 		if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
 			r = SSH_ERR_INVALID_ARGUMENT;
 			goto out;
@@ -3605,6 +3656,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 		break;
 # ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
 			r = SSH_ERR_INVALID_ARGUMENT;
 			goto out;
@@ -3624,6 +3676,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 			goto out;
 		/* FALLTHROUGH */
 	case KEY_ECDSA_CERT:
+	case KEY_SM2_CERT:
 		if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
 			goto out;
 		if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
@@ -4519,6 +4572,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
 		break;
 #ifdef OPENSSL_HAS_ECC
 	case KEY_ECDSA:
+	case KEY_SM2:
 		if (format == SSHKEY_PRIVATE_PEM) {
 			success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
 			    cipher, passphrase, len, NULL, NULL);
@@ -4580,6 +4634,7 @@ sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
 #ifdef WITH_OPENSSL
 	case KEY_DSA:
 	case KEY_ECDSA:
+	case KEY_SM2:
 	case KEY_RSA:
 		break; /* see below */
 #endif /* WITH_OPENSSL */
@@ -4760,6 +4815,9 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 		prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
 		prv->type = KEY_ECDSA;
 		prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
+		if (prv->ecdsa_nid == NID_sm2) {
+			prv->type = KEY_SM2;
+		}
 		if (prv->ecdsa_nid == -1 ||
 		    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
 		    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
diff --git a/sshkey.h b/sshkey.h
index 43eef5e..3b84096 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -31,6 +31,7 @@
 #ifdef WITH_OPENSSL
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
+#include <openssl/evp.h>
 # ifdef OPENSSL_HAS_ECC
 #  include <openssl/ec.h>
 #  include <openssl/ecdsa.h>
@@ -65,6 +66,8 @@ enum sshkey_types {
 	KEY_DSA_CERT,
 	KEY_ECDSA_CERT,
 	KEY_ED25519_CERT,
+	KEY_SM2,
+	KEY_SM2_CERT,
 	KEY_XMSS,
 	KEY_XMSS_CERT,
 	KEY_ECDSA_SK,
@@ -323,6 +326,12 @@ int ssh_xmss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
 int ssh_xmss_verify(const struct sshkey *key,
     const u_char *signature, size_t signaturelen,
     const u_char *data, size_t datalen, u_int compat);
+int ssh_sm2_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_sm2_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat);
+
 #endif
 
 #if !defined(WITH_OPENSSL)
-- 
2.23.0