* [PATCH] examples/ipsec-secgw: add support for SM4-CBC cipher and SM3-HMAC auth
From: Sunyang Wu @ 2025-11-14 1:46 UTC (permalink / raw)
To: dev; +Cc: gakhil
This patch adds support for Chinese cryptographic algorithms in the
IPsec security gateway example application:
1 Add SM4-CBC cipher algorithm support with 16-byte IV and key;
2 Add SM3-HMAC authentication algorithm support with 20-byte key;
3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac"
keywords;
4 Implement proper IV handling and authentication offset/length
configuration.
These additions enable the IPsec security gateway to use Chinese
national cryptographic standards for secure communications.
Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
---
examples/ipsec-secgw/esp.c | 5 +++++
examples/ipsec-secgw/sa.c | 17 ++++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index b72a5604c8..46c3ad3ec7 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -103,6 +103,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
/* Copy IV at the end of crypto operation */
rte_memcpy(iv_ptr, iv, sa->iv_len);
break;
@@ -123,6 +124,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + payload_len;
@@ -341,6 +343,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
memset(iv, 0, sa->iv_len);
break;
case RTE_CRYPTO_CIPHER_AES_CTR:
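Review bot: The shared `memset(iv, 0, sa->iv_len)` arm now writes a 16-byte all-zero IV field into every outbound SM4-CBC packet, and nothing at this site says why that is safe. The later esp_outbound hunk sets `cipher.data.offset` to just past the ESP header and `cipher.data.length = pad_payload_len + sa->iv_len`, so the zeroed field appears to be encrypted as the first CBC block rather than sent in clear. A comment would make that dependency explicit, e.g. `/* IV field is zero-filled here and encrypted as the first CBC block (cipher length includes iv_len) */`. How the IV handed to the crypto op is derived is outside the visible hunks and should be confirmed against the full function. The same hunk is repeated in the v2 patch.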
@@ -405,6 +408,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
sym_cop->cipher.data.offset = ip_hdr_len +
sizeof(struct rte_esp_hdr);
sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
@@ -436,6 +440,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + pad_payload_len;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 313919b4b5..86aeb25a49 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -128,6 +128,13 @@ const struct supported_cipher_algo cipher_algos[] = {
.iv_len = 8,
.block_size = 8,
.key_len = 8
+ },
+ {
+ .keyword = "sm4-cbc",
+ .algo = RTE_CRYPTO_CIPHER_SM4_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 16
}
};
@@ -175,6 +182,12 @@ const struct supported_auth_algo auth_algos[] = {
.algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
.digest_len = 12,
.key_len = 16
+ },
+ {
+ .keyword = "sm3-hmac",
+ .algo = RTE_CRYPTO_AUTH_SM3_HMAC,
+ .digest_len = 12,
+ .key_len = 20
}
};
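Review bot: The new `sm3-hmac` entry uses `.digest_len = 12` and `.key_len = 20`, sizes that fit a 160-bit hash, whereas SM3 produces a 256-bit digest. RFC 2104 discourages HMAC keys shorter than the hash output, and a 96-bit ICV is a heavy truncation for a 256-bit MAC. Unless a peer or profile mandates these sizes, consider `.digest_len = 16,` and `.key_len = 32`. If they are mandated, a comment naming the specification they come from would help the next reader. The same entry appears in the v2 patch, where the 20-byte `auth_key` in the documentation example would need to follow any change.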
@@ -502,7 +515,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
return;
if (algo->algo == RTE_CRYPTO_CIPHER_AES_CBC ||
- algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC)
+ algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC ||
+ algo->algo == RTE_CRYPTO_CIPHER_SM4_CBC)
rule->salt = (uint32_t)rte_rand();
if (algo->algo == RTE_CRYPTO_CIPHER_AES_CTR) {
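Review bot: SM4-CBC SAs now take their salt from `(uint32_t)rte_rand()`, and DPDK documents rte_rand() as not cryptographically secure. How the salt is consumed for CBC is outside this hunk. If it feeds the per-packet IV, the unpredictability that CBC requires has to come from something other than this value, and a comment would stop the salt being treated as a secret, e.g. `/* salt is not secret: rte_rand() is not a CSPRNG */`. parse_sa_tokens starts and ends outside the hunk, and the same change appears in the v2 patch.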
@@ -1319,6 +1333,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
iv_length = sa->iv_len;
break;
case RTE_CRYPTO_CIPHER_AES_CTR:
--
2.19.0.rc0.windows.1
* RE: [EXTERNAL] [PATCH] examples/ipsec-secgw: add support for SM4-CBC cipher and SM3-HMAC auth
From: Akhil Goyal @ 2025-11-14 16:03 UTC (permalink / raw)
To: Sunyang Wu, dev; +Cc: Radu Nicolau
> This patch adds support for Chinese cryptographic algorithms in the
> IPsec security gateway example application:
>
> 1 Add SM4-CBC cipher algorithm support with 16-byte IV and key;
> 2 Add SM3-HMAC authentication algorithm support with 20-byte key;
> 3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac"
> keywords;
> 4 Implement proper IV handling and authentication offset/length
> configuration.
>
> These additions enable the IPsec security gateway to use Chinese
> national cryptographic standards for secure communications.
>
> Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
> ---
> examples/ipsec-secgw/esp.c | 5 +++++
> examples/ipsec-secgw/sa.c | 17 ++++++++++++++++-
> 2 files changed, 21 insertions(+), 1 deletion(-)
please update documentation also
doc/guides/sample_app_ug/ipsec_secgw.rst
* [PATCH v2] examples/ipsec-secgw: add support for SM4-CBC cipher and SM3-HMAC auth
From: Sunyang Wu @ 2025-11-17 9:08 UTC (permalink / raw)
To: dev; +Cc: gakhil
This patch adds support for Chinese cryptographic algorithms in the
IPsec security gateway example application:
1 Add SM4-CBC cipher algorithm support with 16-byte IV and key;
2 Add SM3-HMAC authentication algorithm support with 20-byte key;
3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac"
keywords;
4 Implement proper IV handling and authentication offset/length
configuration.
These additions enable the IPsec security gateway to use Chinese
national cryptographic standards for secure communications.
Signed-off-by: Sunyang Wu <sunyang.wu@jaguarmicro.com>
---
doc/guides/sample_app_ug/ipsec_secgw.rst | 9 +++++++++
examples/ipsec-secgw/esp.c | 5 +++++
examples/ipsec-secgw/sa.c | 17 ++++++++++++++++-
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/doc/guides/sample_app_ug/ipsec_secgw.rst b/doc/guides/sample_app_ug/ipsec_secgw.rst
index 7319505fe9..7c31c96b7c 100644
--- a/doc/guides/sample_app_ug/ipsec_secgw.rst
+++ b/doc/guides/sample_app_ug/ipsec_secgw.rst
@@ -576,6 +576,7 @@ where each options means:
* *aes-128-ctr*: AES-CTR 128-bit algorithm
* *3des-cbc*: 3DES-CBC 192-bit algorithm
* *des-cbc*: DES-CBC 64-bit algorithm
+ * *sm4-cbc*: SM4-CBC 128-bit algorithm
* Syntax: *cipher_algo <your algorithm>*
@@ -605,6 +606,7 @@ where each options means:
* *sha1-hmac*: HMAC SHA1 algorithm
* *sha256-hmac*: HMAC SHA256 algorithm
* *aes-xcbc-mac*: AES XCBC MAC algorithm
+ * *sm3-hmac*: HMAC SM3 algorithm
``<auth_key>``
@@ -820,6 +822,13 @@ Example SA rules:
src 1111:1111:1111:1111:1111:1111:1111:5555 \
dst 2222:2222:2222:2222:2222:2222:2222:5555
+ sa out 30 cipher_algo sm4-cbc \
+ cipher_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10 \
+ auth_algo sm3-hmac \
+ auth_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10:11:22:33:44 \
+ mode ipv4-tunnel \
+ src 172.16.1.5 dst 172.16.2.5
+
sa in 105 aead_algo aes-128-gcm \
aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c
index b72a5604c8..46c3ad3ec7 100644
--- a/examples/ipsec-secgw/esp.c
+++ b/examples/ipsec-secgw/esp.c
@@ -103,6 +103,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
/* Copy IV at the end of crypto operation */
rte_memcpy(iv_ptr, iv, sa->iv_len);
break;
@@ -123,6 +124,7 @@ esp_inbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + payload_len;
@@ -341,6 +343,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
memset(iv, 0, sa->iv_len);
break;
case RTE_CRYPTO_CIPHER_AES_CTR:
@@ -405,6 +408,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
sym_cop->cipher.data.offset = ip_hdr_len +
sizeof(struct rte_esp_hdr);
sym_cop->cipher.data.length = pad_payload_len + sa->iv_len;
@@ -436,6 +440,7 @@ esp_outbound(struct rte_mbuf *m, struct ipsec_sa *sa,
case RTE_CRYPTO_AUTH_SHA1_HMAC:
case RTE_CRYPTO_AUTH_SHA256_HMAC:
case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+ case RTE_CRYPTO_AUTH_SM3_HMAC:
sym_cop->auth.data.offset = ip_hdr_len;
sym_cop->auth.data.length = sizeof(struct rte_esp_hdr) +
sa->iv_len + pad_payload_len;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 313919b4b5..86aeb25a49 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -128,6 +128,13 @@ const struct supported_cipher_algo cipher_algos[] = {
.iv_len = 8,
.block_size = 8,
.key_len = 8
+ },
+ {
+ .keyword = "sm4-cbc",
+ .algo = RTE_CRYPTO_CIPHER_SM4_CBC,
+ .iv_len = 16,
+ .block_size = 16,
+ .key_len = 16
}
};
@@ -175,6 +182,12 @@ const struct supported_auth_algo auth_algos[] = {
.algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
.digest_len = 12,
.key_len = 16
+ },
+ {
+ .keyword = "sm3-hmac",
+ .algo = RTE_CRYPTO_AUTH_SM3_HMAC,
+ .digest_len = 12,
+ .key_len = 20
}
};
@@ -502,7 +515,8 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens,
return;
if (algo->algo == RTE_CRYPTO_CIPHER_AES_CBC ||
- algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC)
+ algo->algo == RTE_CRYPTO_CIPHER_3DES_CBC ||
+ algo->algo == RTE_CRYPTO_CIPHER_SM4_CBC)
rule->salt = (uint32_t)rte_rand();
if (algo->algo == RTE_CRYPTO_CIPHER_AES_CTR) {
@@ -1319,6 +1333,7 @@ sa_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[],
case RTE_CRYPTO_CIPHER_DES_CBC:
case RTE_CRYPTO_CIPHER_3DES_CBC:
case RTE_CRYPTO_CIPHER_AES_CBC:
+ case RTE_CRYPTO_CIPHER_SM4_CBC:
iv_length = sa->iv_len;
break;
case RTE_CRYPTO_CIPHER_AES_CTR:
--
2.19.0.rc0.windows.1