This patch adds support for Chinese cryptographic algorithms in the IPsec security gateway example application:
1 Add SM4-CBC cipher algorithm support with 16-byte IV and key; 2 Add SM3-HMAC authentication algorithm support with 20-byte key; 3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac" keywords; 4 Implement proper IV handling and authentication offset/length configuration. These additions enable the IPsec security gateway to use Chinese national cryptographic standards for secure communications.
Signed-off-by: Sunyang Wu <[email protected]>
---
 examples/ipsec-secgw/esp.c | 5 +++++
 examples/ipsec-secgw/sa.c | 17 ++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index b72a5604c8..46c3ad3ec7 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -103,6 +103,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 case RTE_CRYPTO_CIPHER_DES_CBC:
 case RTE_CRYPTO_CIPHER_3DES_CBC:
 case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
 /* Copy IV at the end of crypto operation */
 rte_memcpy(iv_ptr, iv, sa->iv_len);
 break;
@@ -123,6 +124,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 case RTE_CRYPTO_AUTH_SHA1_HMAC:
 case RTE_CRYPTO_AUTH_SHA256_HMAC:
 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
 sym_cop->auth.data.offset = ip_hdr_len;
 sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + payload_len;
@@ -341,6 +343,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 case RTE_CRYPTO_CIPHER_DES_CBC:
 case RTE_CRYPTO_CIPHER_3DES_CBC:
 case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
 memset(iv, 0, sa->iv_len);
 break;
 case RTE_CRYPTO_CIPHER_AES_CTR:
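Review bot: In the `esp_outbound` hunk at -341, SM4-CBC joins the case group that runs `memset(iv, 0, sa->iv_len)`, and nothing in the visible code says where the per-packet unpredictability that CBC mode needs comes from. The later hunk at -405 sets the cipher range to begin right after the ESP header with length `pad_payload_len + sa->iv_len`, which suggests the zeroed field is encrypted together with the payload, but the IV handed to the crypto operation is set outside these hunks. Once that is confirmed, a comment on the group such as `/* IV field is zeroed here and encrypted as the first block; the op IV must differ per packet */` would keep the next algorithm added to this list from inheriting the scheme unexamined. The `switch` and the function body extend beyond the hunk.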
@@ -405,6 +408,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 case RTE_CRYPTO_CIPHER_DES_CBC:
 case RTE_CRYPTO_CIPHER_3DES_CBC:
 case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
 sym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct rte_esp_hdr);
 sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
@@ -436,6 +440,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
 case RTE_CRYPTO_AUTH_SHA1_HMAC:
 case RTE_CRYPTO_AUTH_SHA256_HMAC:
 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
 sym_cop->auth.data.offset = ip_hdr_len;
 sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + pad_payload_len;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 313919b4b5..86aeb25a49 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -128,6 +128,13 @@ const struct supported_cipher_algo cipher_algos[] = {
 .iv_len = 8,
 .block_size = 8,
 .key_len = 8
+ },
+ {
+ .keyword = "sm4-cbc",
+ .algo = RTE_CRYPTO_CIPHER_SM4_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 16
 }
 };
@@ -175,6 +182,12 @@ const struct supported_auth_algo auth_algos[] = {
 .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
 .digest_len = 12,
 .key_len = 16
+ },
+ {
+ .keyword = "sm3-hmac",
+ .algo = RTE_CRYPTO_AUTH_SM3_HMAC,
+ .digest_len = 12,
+ .key_len = 20
 }
 };
@@ -502,7 +515,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
 return;
 if (algo->algo == RTE_CRYPTO_CIPHER_AES_CBC ||
- algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC)
+ algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC ||
+ algo->algo == RTE_CRYPTO_CIPHER_SM4_CBC)
 rule->salt = (uint32_t)rte_rand();
 if (algo->algo == RTE_CRYPTO_CIPHER_AES_CTR) {
@@ -1319,6 +1333,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
 case RTE_CRYPTO_CIPHER_DES_CBC:
 case RTE_CRYPTO_CIPHER_3DES_CBC:
 case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
 iv_length = sa->iv_len;
 break;
 case RTE_CRYPTO_CIPHER_AES_CTR:
-- 2.19.0.rc0.windows.1
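Review bot: The `sm4-cbc` and `sm3-hmac` keywords are added to the parser tables in `sa.c`, but the diffstat lists only `esp.c` and `sa.c`, so the sample application's documented list of supported algorithm keywords presumably stays without them. The sizes in the `sm4-cbc` entry (16-byte IV, block and key) agree with SM4's 128-bit block and key. I would add both keywords and their key lengths to the user guide in the same patch, and put a one-line comment above each new table entry naming the standard, for example `/* SM4 block cipher (GB/T 32907-2016), CBC mode */`.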
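Review bot: The new `sm3-hmac` entry in `auth_algos` sets `.digest_len = 12` and `.key_len = 20`, sizes that look like those of a 160-bit hash rather than SM3, whose output is 256 bits. A 12-byte ICV truncates the MAC to 96 bits and a 20-byte key is shorter than the hash output; the usual sizing for a 256-bit HMAC in ESP is a 32-byte key and a 16-byte ICV, as RFC 4868 does for HMAC-SHA-256-128. If an interoperability profile mandates 12 and 20, cite it in a comment on the entry; otherwise consider `.digest_len = 16,` and `.key_len = 32`. Whether the crypto driver in use advertises the chosen digest size for SM3-HMAC cannot be seen from this hunk and is worth checking before merge.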
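Review bot: The extended condition in `parse_sa_tokens` gives SM4-CBC SAs a salt from `(uint32_t)rte_rand()`, and DPDK documents `rte_rand()` as not cryptographically secure. How `rule->salt` is consumed for CBC is outside this hunk; if it feeds IV derivation, a predictable 32-bit value does not meet CBC's requirement for unpredictable IVs. Consider drawing it from the OS CSPRNG (for example `getrandom()`), or add a comment stating that the salt is not security-relevant for the CBC ciphers. As a matter of style, the three-way `||` chain would read more clearly as a `switch` on `algo->algo`, matching the case groups in the other hunks.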

