DPDK patches and discussions
* [PATCH] crypto/openssl: Add support for SHAKE algorithms
@ 2026-01-08 14:38 Emma Finn
  2026-01-08 15:33 ` [v2] " Emma Finn
  0 siblings, 1 reply; 2+ messages in thread
From: Emma Finn @ 2026-01-08 14:38 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Emma Finn

OpenSSL 3.x supports SHAKE, so add SHAKE-128 and
SHAKE-256 support to the OpenSSL PMD.

Signed-off-by: Emma Finn <emma.finn@intel.com>
---
 app/test/test_cryptodev_blockcipher.c        |  4 +-
 drivers/crypto/openssl/rte_openssl_pmd.c     | 28 +++++++++++--
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 42 ++++++++++++++++++++
 3 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/app/test/test_cryptodev_blockcipher.c b/app/test/test_cryptodev_blockcipher.c
index 6b37347789..1438f24993 100644
--- a/app/test/test_cryptodev_blockcipher.c
+++ b/app/test/test_cryptodev_blockcipher.c
@@ -1174,7 +1174,9 @@ authonly_setup(void)
 		RTE_CRYPTO_AUTH_SHA512_HMAC,
 		RTE_CRYPTO_AUTH_AES_CMAC,
 		RTE_CRYPTO_AUTH_NULL,
-		RTE_CRYPTO_AUTH_AES_XCBC_MAC
+		RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+		RTE_CRYPTO_AUTH_SHAKE_128,
+		RTE_CRYPTO_AUTH_SHAKE_256
 	};
 
 	rte_cryptodev_info_get(dev_id, &dev_info);
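Review bot: Adding the two SHAKE values to the list in authonly_setup does not by itself exercise the new finalisation path, and the diffstat shows no test-vector file changed. Unless SHAKE known-answer vectors already exist in the hash test tables, which this page does not show, the XOF branch ships untested. Vectors with more than one output length (for example a short one and one above 64 bytes) would cover the part that differs from the fixed-length hashes. authonly_setup starts and ends outside the hunk; the v2 posting carries the same change.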
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 4f171f48cc..eaf5eef6ff 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -270,6 +270,12 @@ get_auth_algo(enum rte_crypto_auth_algorithm sessalgo,
 		case RTE_CRYPTO_AUTH_SHA512_HMAC:
 			*algo = EVP_sha512();
 			break;
+		case RTE_CRYPTO_AUTH_SHAKE_128:
+			*algo = EVP_shake128();
+			break;
+		case RTE_CRYPTO_AUTH_SHAKE_256:
+			*algo = EVP_shake256();
+			break;
 		default:
 			res = -EINVAL;
 			break;
@@ -659,6 +665,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA256:
 	case RTE_CRYPTO_AUTH_SHA384:
 	case RTE_CRYPTO_AUTH_SHA512:
+	case RTE_CRYPTO_AUTH_SHAKE_128:
+	case RTE_CRYPTO_AUTH_SHAKE_256:
 		sess->auth.mode = OPENSSL_AUTH_AS_AUTH;
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.auth.evp_algo) != 0)
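Review bot: The two SHAKE cases fall into the fixed-length hash branch, where nothing visible checks the requested digest length. For an XOF the length is not implied by the algorithm, so the session's `digest_length` becomes the number of bytes written on every operation. A check in this case such as `if (xform->auth.digest_length == 0 || xform->auth.digest_length > 256) return -EINVAL;` would reject out-of-range requests at session setup rather than at processing time. The case body continues past the hunk, and the same lines recur in v2.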
@@ -1397,7 +1405,7 @@ process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset,
 static int
 process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 		__rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey,
-		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo, int digest_length)
 {
 	size_t dstlen;
 	struct rte_mbuf *m;
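Review bot: `digest_length` is declared `int`, but it is a byte count that ends up as the `size_t` length argument of `EVP_DigestFinalXOF` further down. A negative value would convert to a very large length there; declaring it `size_t digest_length` (or the unsigned type the session field uses) removes that case. The parameter is also undocumented, and a one-line comment such as `/* digest_length: output size in bytes, used only for XOF digests */` would tell callers it is ignored for the other algorithms. The function body continues outside the hunk; v2 has the same signature.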
@@ -1437,8 +1445,22 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	}
 
 process_auth_final:
-	if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
+	/* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */
+	if (algo == EVP_shake128() || algo == EVP_shake256()) {
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		/* Set XOF output length before calling EVP_DigestFinalXOF */
+		if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0)
+			goto process_auth_err;
+		if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0)
+			goto process_auth_err;
+#else
+		OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+");
 		goto process_auth_err;
+#endif
+	} else {
+		if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
+			goto process_auth_err;
+}
 	return 0;
 
 process_auth_err:
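Review bot: The SHAKE branch writes `digest_length` bytes to `dst`, and nothing in the visible part of this function ties that length to the size of the buffer behind `dst`. For the fixed-output hashes the write is bounded by the algorithm, but here it is whatever the session requested, up to the 256 bytes the capability table advertises. `dst` is chosen by the caller outside these hunks, so it is worth confirming that every buffer it can point at, including any scratch digest buffer used for verify operations, holds 256 bytes, or lowering the advertised maximum to match. The closing `}` of the `else` is also at column 0 in this version. The function starts above the hunk, and the same XOF lines appear in v2.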
@@ -1995,7 +2017,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		ctx_a = get_local_auth_ctx(sess, qp);
 		status = process_openssl_auth(mbuf_src, dst,
 				op->sym->auth.data.offset, NULL, NULL, srclen,
-				ctx_a, sess->auth.auth.evp_algo);
+				ctx_a, sess->auth.auth.evp_algo, sess->auth.digest_length);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		ctx_h = get_local_hmac_ctx(sess, qp);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 5095e6cbea..f6c32fdcb6 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -269,6 +269,48 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 			}, }
 		}, }
 	},
+	{   /* SHAKE_128 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHAKE_128,
+				.block_size = 168,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 1,
+					.max = 256,
+					.increment = 1
+				},
+				.iv_size = { 0 }
+			}, }
+		}, }
+	},
+	{   /* SHAKE_256 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHAKE_256,
+				.block_size = 136,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 1,
+					.max = 256,
+					.increment = 1
+				},
+				.iv_size = { 0 }
+			}, }
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
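Review bot: Both capability entries are added unconditionally, while the processing path in rte_openssl_pmd.c fails every SHAKE operation when the PMD is built against OpenSSL older than 3.0. An application that trusts the capability table would create a session successfully and then see each operation fail at run time. Wrapping the two entries, and the matching `case` labels in get_auth_algo and openssl_set_session_auth_parameters, in `#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)` keeps the advertised and the working algorithm sets in step. As a style point, the entry comments use spaces (`{   /* SHAKE_128 */`) where the neighbouring `{	/* AES CBC */` uses a tab. The v2 posting has the same entries.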
-- 
2.43.0



* [v2] crypto/openssl: Add support for SHAKE algorithms
  2026-01-08 14:38 [PATCH] crypto/openssl: Add support for SHAKE algorithms Emma Finn
@ 2026-01-08 15:33 ` Emma Finn
  0 siblings, 0 replies; 2+ messages in thread
From: Emma Finn @ 2026-01-08 15:33 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Emma Finn

OpenSSL 3.x supports SHAKE, so add SHAKE-128 and
SHAKE-256 support to the OpenSSL PMD.

Signed-off-by: Emma Finn <emma.finn@intel.com>
---
v2:
* Fixed unused digest_length variable
---
 app/test/test_cryptodev_blockcipher.c        |  4 +-
 drivers/crypto/openssl/rte_openssl_pmd.c     | 30 ++++++++++++--
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 42 ++++++++++++++++++++
 3 files changed, 72 insertions(+), 4 deletions(-)

diff --git a/app/test/test_cryptodev_blockcipher.c b/app/test/test_cryptodev_blockcipher.c
index 6b37347789..1438f24993 100644
--- a/app/test/test_cryptodev_blockcipher.c
+++ b/app/test/test_cryptodev_blockcipher.c
@@ -1174,7 +1174,9 @@ authonly_setup(void)
 		RTE_CRYPTO_AUTH_SHA512_HMAC,
 		RTE_CRYPTO_AUTH_AES_CMAC,
 		RTE_CRYPTO_AUTH_NULL,
-		RTE_CRYPTO_AUTH_AES_XCBC_MAC
+		RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+		RTE_CRYPTO_AUTH_SHAKE_128,
+		RTE_CRYPTO_AUTH_SHAKE_256
 	};
 
 	rte_cryptodev_info_get(dev_id, &dev_info);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 4f171f48cc..755674f71a 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -270,6 +270,12 @@ get_auth_algo(enum rte_crypto_auth_algorithm sessalgo,
 		case RTE_CRYPTO_AUTH_SHA512_HMAC:
 			*algo = EVP_sha512();
 			break;
+		case RTE_CRYPTO_AUTH_SHAKE_128:
+			*algo = EVP_shake128();
+			break;
+		case RTE_CRYPTO_AUTH_SHAKE_256:
+			*algo = EVP_shake256();
+			break;
 		default:
 			res = -EINVAL;
 			break;
@@ -659,6 +665,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess,
 	case RTE_CRYPTO_AUTH_SHA256:
 	case RTE_CRYPTO_AUTH_SHA384:
 	case RTE_CRYPTO_AUTH_SHA512:
+	case RTE_CRYPTO_AUTH_SHAKE_128:
+	case RTE_CRYPTO_AUTH_SHAKE_256:
 		sess->auth.mode = OPENSSL_AUTH_AS_AUTH;
 		if (get_auth_algo(xform->auth.algo,
 				&sess->auth.auth.evp_algo) != 0)
@@ -1397,7 +1405,7 @@ process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset,
 static int
 process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 		__rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey,
-		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo)
+		int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo, int digest_length)
 {
 	size_t dstlen;
 	struct rte_mbuf *m;
@@ -1437,8 +1445,24 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
 	}
 
 process_auth_final:
-	if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
+	/* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */
+	if (algo == EVP_shake128() || algo == EVP_shake256()) {
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		/* Set XOF output length before calling EVP_DigestFinalXOF */
+		if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0)
+			goto process_auth_err;
+		if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0)
+			goto process_auth_err;
+#else
+		RTE_SET_USED(digest_length);
+		OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+");
 		goto process_auth_err;
+#endif
+	} else {
+		if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
+			goto process_auth_err;
+	}
+
 	return 0;
 
 process_auth_err:
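Review bot: The XOF test `algo == EVP_shake128() || algo == EVP_shake256()` relies on pointer identity and makes two extra library calls in the final step of every operation. Checking the digest's own flag, `if (EVP_MD_flags(algo) & EVP_MD_FLAG_XOF)`, would cover any XOF digest and would still hold if the session ever stored a fetched `EVP_MD` instead of the built-in one. The `EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL)` call looks redundant, since `EVP_DigestFinalXOF` already takes the output length as its third argument. Separately, the retained `(unsigned int *)&dstlen` cast stores through a pointer to a narrower type than the `size_t dstlen` declared at the top of the function; an `unsigned int` local would avoid the mismatch. The function starts above the hunk.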
@@ -1995,7 +2019,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		ctx_a = get_local_auth_ctx(sess, qp);
 		status = process_openssl_auth(mbuf_src, dst,
 				op->sym->auth.data.offset, NULL, NULL, srclen,
-				ctx_a, sess->auth.auth.evp_algo);
+				ctx_a, sess->auth.auth.evp_algo, sess->auth.digest_length);
 		break;
 	case OPENSSL_AUTH_AS_HMAC:
 		ctx_h = get_local_hmac_ctx(sess, qp);
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 5095e6cbea..f6c32fdcb6 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -269,6 +269,48 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 			}, }
 		}, }
 	},
+	{   /* SHAKE_128 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHAKE_128,
+				.block_size = 168,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 1,
+					.max = 256,
+					.increment = 1
+				},
+				.iv_size = { 0 }
+			}, }
+		}, }
+	},
+	{   /* SHAKE_256 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHAKE_256,
+				.block_size = 136,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 1,
+					.max = 256,
+					.increment = 1
+				},
+				.iv_size = { 0 }
+			}, }
+		}, }
+	},
 	{	/* AES CBC */
 		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
 		{.sym = {
-- 
2.43.0


