diff --git a/m4/mbedtls.m4 b/m4/mbedtls.m4 index 2c478b960..18c9230db 100644 --- a/m4/mbedtls.m4 +++ b/m4/mbedtls.m4 @@ -91,4 +91,20 @@ AC_DEFUN([ss_MBEDTLS], [AC_MSG_RESULT([ok])], [AC_MSG_WARN([We will continue without Camellia block cipher support, MBEDTLS_CAMELLIA_C required])] ) + + AC_MSG_CHECKING([whether mbedtls supports the SM4 block cipher or not]) + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ +#include + ]], + [[ +#ifndef MBEDTLS_SM4_C +#error the SM4 block cipher not supported by your mbed TLS. +#endif + ]] + )], + [AC_MSG_RESULT([ok])], + [AC_MSG_WARN([We will continue without SM4 block cipher support, MBEDTLS_SM4_C required])] + ) ]) diff --git a/src/aead.c b/src/aead.c index 10fcfe006..baa766adb 100644 --- a/src/aead.c +++ b/src/aead.c @@ -44,15 +44,16 @@ #define AES128GCM 0 #define AES192GCM 1 #define AES256GCM 2 +#define SM4128GCM 3 /* * methods above requires gcm context * methods below doesn't require it, * then we need to fake one */ -#define CHACHA20POLY1305IETF 3 +#define CHACHA20POLY1305IETF 4 #ifdef FS_HAVE_XCHACHA20IETF -#define XCHACHA20POLY1305IETF 4 +#define XCHACHA20POLY1305IETF 5 #endif #define CHUNK_SIZE_LEN 2 @@ -108,6 +109,7 @@ const char *supported_aead_ciphers[AEAD_CIPHER_NUM] = { "aes-128-gcm", "aes-192-gcm", "aes-256-gcm", + "sm4-128-gcm", "chacha20-ietf-poly1305", #ifdef FS_HAVE_XCHACHA20IETF "xchacha20-ietf-poly1305" @@ -121,6 +123,7 @@ static const char *supported_aead_ciphers_mbedtls[AEAD_CIPHER_NUM] = { "AES-128-GCM", "AES-192-GCM", "AES-256-GCM", + "SM4-128-GCM", CIPHER_UNSUPPORTED, #ifdef FS_HAVE_XCHACHA20IETF CIPHER_UNSUPPORTED @@ -128,14 +131,14 @@ static const char *supported_aead_ciphers_mbedtls[AEAD_CIPHER_NUM] = { }; static const int supported_aead_ciphers_nonce_size[AEAD_CIPHER_NUM] = { - 12, 12, 12, 12, + 12, 12, 12, 12, 12, #ifdef FS_HAVE_XCHACHA20IETF 24 #endif }; static const int supported_aead_ciphers_key_size[AEAD_CIPHER_NUM] = { - 16, 24, 32, 32, + 16, 24, 32, 16, 32, #ifdef FS_HAVE_XCHACHA20IETF 32 #endif @@ -177,7 +180,7 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx, // Otherwise, just use the mbedTLS one with crappy AES-NI. case AES192GCM: case AES128GCM: - + case SM4128GCM: err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen, m, mlen, c, clen, c + mlen, tlen); *clen += tlen; @@ -226,6 +229,7 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx, // Otherwise, just use the mbedTLS one with crappy AES-NI. case AES192GCM: case AES128GCM: + case SM4128GCM: err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen, m, mlen - tlen, p, plen, m + mlen - tlen, tlen); break; diff --git a/src/aead.h b/src/aead.h index 3f2408f9d..f9e5d568c 100644 --- a/src/aead.h +++ b/src/aead.h @@ -28,9 +28,9 @@ // currently, XCHACHA20POLY1305IETF is not released yet // XCHACHA20POLY1305 is removed in upstream #ifdef FS_HAVE_XCHACHA20IETF -#define AEAD_CIPHER_NUM 5 +#define AEAD_CIPHER_NUM 6 #else -#define AEAD_CIPHER_NUM 4 +#define AEAD_CIPHER_NUM 5 #endif int aead_encrypt_all(buffer_t *, cipher_t *, size_t); diff --git a/src/stream.c b/src/stream.c index 35d9050b3..e3b8990e1 100644 --- a/src/stream.c +++ b/src/stream.c @@ -86,14 +86,16 @@ #define CAMELLIA_128_CFB 10 #define CAMELLIA_192_CFB 11 #define CAMELLIA_256_CFB 12 -#define CAST5_CFB 13 -#define DES_CFB 14 -#define IDEA_CFB 15 -#define RC2_CFB 16 -#define SEED_CFB 17 -#define SALSA20 18 -#define CHACHA20 19 -#define CHACHA20IETF 20 +#define SM4_128_CBC 13 +#define SM4_128_CTR 14 +#define CAST5_CFB 15 +#define DES_CFB 16 +#define IDEA_CFB 17 +#define RC2_CFB 18 +#define SEED_CFB 19 +#define SALSA20 20 +#define CHACHA20 21 +#define CHACHA20IETF 22 const char *supported_stream_ciphers[STREAM_CIPHER_NUM] = { "table", @@ -109,6 +111,8 @@ const char *supported_stream_ciphers[STREAM_CIPHER_NUM] = { "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb", + "sm4-128-cbc", + "sm4-128-ctr", "cast5-cfb", "des-cfb", "idea-cfb", @@ -133,6 +137,8 @@ static const char *supported_stream_ciphers_mbedtls[STREAM_CIPHER_NUM] = { "CAMELLIA-128-CFB128", "CAMELLIA-192-CFB128", "CAMELLIA-256-CFB128", + "SM4-128-CBC", + "SM4-128-CTR", CIPHER_UNSUPPORTED, CIPHER_UNSUPPORTED, CIPHER_UNSUPPORTED, @@ -144,11 +150,11 @@ static const char *supported_stream_ciphers_mbedtls[STREAM_CIPHER_NUM] = { }; static const int supported_stream_ciphers_nonce_size[STREAM_CIPHER_NUM] = { - 0, 0, 16, 16, 16, 16, 16, 16, 16, 8, 16, 16, 16, 8, 8, 8, 8, 16, 8, 8, 12 + 0, 0, 16, 16, 16, 16, 16, 16, 16, 8, 16, 16, 16, 16, 16, 8, 8, 8, 8, 16, 8, 8, 12 }; static const int supported_stream_ciphers_key_size[STREAM_CIPHER_NUM] = { - 0, 16, 16, 16, 24, 32, 16, 24, 32, 16, 16, 24, 32, 16, 8, 16, 16, 16, 32, 32, 32 + 0, 16, 16, 16, 24, 32, 16, 24, 32, 16, 16, 24, 32, 16, 16, 16, 8, 16, 16, 16, 32, 32, 32 }; static int diff --git a/src/stream.h b/src/stream.h index 35bd98f8e..1616eb3cb 100644 --- a/src/stream.h +++ b/src/stream.h @@ -37,7 +37,7 @@ #endif #include -#define STREAM_CIPHER_NUM 21 +#define STREAM_CIPHER_NUM 23 #include "crypto.h" diff --git a/src/utils.c b/src/utils.c index 744100769..136adb59e 100644 --- a/src/utils.c +++ b/src/utils.c @@ -322,6 +322,8 @@ usage() " camellia-128-cfb, camellia-192-cfb,\n"); printf( " camellia-256-cfb, bf-cfb,\n"); + printf( + " sm4-128-cbc, sm4-128-ctr, sm4-128-gcm,\n"); printf( " chacha20-ietf-poly1305,\n"); #ifdef FS_HAVE_XCHACHA20IETF