This patch adds support for Chinese cryptographic algorithms in the IPsec security gateway example application:
1 Add SM4-CBC cipher algorithm support with 16-byte IV and key; 2 Add SM3-HMAC authentication algorithm support with 20-byte key; 3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac" keywords; 4 Implement proper IV handling and authentication offset/length configuration. These additions enable the IPsec security gateway to use Chinese national cryptographic standards for secure communications. Signed-off-by: Sunyang Wu <[email protected]> --- doc/guides/sample_app_ug/ipsec_secgw.rst | 9 +++++++++ examples/ipsec-secgw/esp.c | 5 +++++ examples/ipsec-secgw/sa.c | 17 ++++++++++++++++- 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst index 7319505fe9..7c31c96b7c 100644 --- a/doc/guides/sample_app_ug/ipsec_secgw.rst +++ b/doc/guides/sample_app_ug/ipsec_secgw.rst @@ -576,6 +576,7 @@ where each options means: * *aes-128-ctr*: AES-CTR 128-bit algorithm * *3des-cbc*: 3DES-CBC 192-bit algorithm * *des-cbc*: DES-CBC 64-bit algorithm + * *sm4-cbc*: SM4-CBC 128-bit algorithm * Syntax: *cipher_algo <your algorithm>* @@ -605,6 +606,7 @@ where each options means: * *sha1-hmac*: HMAC SHA1 algorithm * *sha256-hmac*: HMAC SHA256 algorithm * *aes-xcbc-mac*: AES XCBC MAC algorithm + * *sm3-hmac*: HMAC SM3 algorithm ``<auth_key>`` @@ -820,6 +822,13 @@ Example SA rules: src 1111:1111:1111:1111:1111:1111:1111:5555 \ dst 2222:2222:2222:2222:2222:2222:2222:5555 + sa out 30 cipher_algo sm4-cbc \ + cipher_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10 \ + auth_algo sm3-hmac \ + auth_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10:11:22:33:44 \ + mode ipv4-tunnel \ + src 172.16.1.5 dst 172.16.2.5 + sa in 105 aead_algo aes-128-gcm \ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index b72a5604c8..46c3ad3ec7 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -103,6 +103,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: + case RTE_CRYPTO_CIPHER_SM4_CBC: /* Copy IV at the end of crypto operation */ rte_memcpy(iv_ptr, iv, sa->iv_len); break; @@ -123,6 +124,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA256_HMAC: case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + case RTE_CRYPTO_AUTH_SM3_HMAC: sym_cop->auth.data.offset = ip_hdr_len; sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + payload_len; @@ -341,6 +343,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: + case RTE_CRYPTO_CIPHER_SM4_CBC: memset(iv, 0, sa->iv_len); break; case RTE_CRYPTO_CIPHER_AES_CTR: @@ -405,6 +408,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: + case RTE_CRYPTO_CIPHER_SM4_CBC: sym_cop->cipher.data.offset = ip_hdr_len + sizeof(struct rte_esp_hdr); sym_cop->cipher.data.length = pad_payload_len + sa->iv_len; @@ -436,6 +440,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa, case RTE_CRYPTO_AUTH_SHA1_HMAC: case RTE_CRYPTO_AUTH_SHA256_HMAC: case RTE_CRYPTO_AUTH_AES_XCBC_MAC: + case RTE_CRYPTO_AUTH_SM3_HMAC: sym_cop->auth.data.offset = ip_hdr_len; sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) + sa->iv_len + pad_payload_len; diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 313919b4b5..86aeb25a49 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -128,6 +128,13 @@ const struct supported_cipher_algo cipher_algos[] = { .iv_len = 8, .block_size = 8, .key_len = 8 + }, + { + .keyword = "sm4-cbc", + .algo = RTE_CRYPTO_CIPHER_SM4_CBC, + .iv_len = 16, + .block_size = 16, + .key_len = 16 } }; @@ -175,6 +182,12 @@ const struct supported_auth_algo auth_algos[] = { .algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC, .digest_len = 12, .key_len = 16 + }, + { + .keyword = "sm3-hmac", + .algo = RTE_CRYPTO_AUTH_SM3_HMAC, + .digest_len = 12, + .key_len = 20 } }; @@ -502,7 +515,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, return; if (algo->algo == RTE_CRYPTO_CIPHER_AES_CBC || - algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC) + algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC || + algo->algo == RTE_CRYPTO_CIPHER_SM4_CBC) rule->salt = (uint32_t)rte_rand(); if (algo->algo == RTE_CRYPTO_CIPHER_AES_CTR) { @@ -1319,6 +1333,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: case RTE_CRYPTO_CIPHER_AES_CBC: + case RTE_CRYPTO_CIPHER_SM4_CBC: iv_length = sa->iv_len; break; case RTE_CRYPTO_CIPHER_AES_CTR: -- 2.19.0.rc0.windows.1
