<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style> </head> <body dir="ltr"> <div style="font-family: "IntelOne Text"; font-size: 10pt; color: rgb(0, 0, 0);" class="elementToProof"> Release note and PMD documentation need update to support SHAKE algo </div> <div id="appendonsend"></div> <hr style="display:inline-block;width:98%" tabindex="-1"> <div id="divRplyFwdMsg" dir="ltr">From: Finn, Emma <emma.finn@intel.com> Sent: 08 January 2026 15:33 To: Akhil Goyal <gakhil@marvell.com>; Fan Zhang <fanzhang.oss@gmail.com>; Ji, Kai <kai.ji@intel.com> Cc: dev@dpdk.org <dev@dpdk.org>; Finn, Emma <emma.finn@intel.com> Subject: [v2] crypto/openssl: Add support for SHAKE algorithms <div> </div> </div> <div class="BodyFragment"> <div class="PlainText">OpenSSL 3.X has support for SHAKE, Hence adding SHAKE-128 and SHAKE-256 support to the OpenSSL PMD. Signed-off-by: Emma Finn <emma.finn@intel.com> --- v2: * Fixed unused digest_length variable --- app/test/test_cryptodev_blockcipher.c | 4 +- drivers/crypto/openssl/rte_openssl_pmd.c | 30 ++++++++++++-- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 42 ++++++++++++++++++++ 3 files changed, 72 insertions(+), 4 deletions(-) diff --git a/app/test/test_cryptodev_blockcipher.c b/app/test/test_cryptodev_blockcipher.c index 6b37347789..1438f24993 100644 --- a/app/test/test_cryptodev_blockcipher.c +++ b/app/test/test_cryptodev_blockcipher.c @@ -1174,7 +1174,9 @@ authonly_setup(void) RTE_CRYPTO_AUTH_SHA512_HMAC, RTE_CRYPTO_AUTH_AES_CMAC, RTE_CRYPTO_AUTH_NULL, - RTE_CRYPTO_AUTH_AES_XCBC_MAC + RTE_CRYPTO_AUTH_AES_XCBC_MAC, + RTE_CRYPTO_AUTH_SHAKE_128, + RTE_CRYPTO_AUTH_SHAKE_256 }; rte_cryptodev_info_get(dev_id, &dev_info); diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 4f171f48cc..755674f71a 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -270,6 +270,12 @@ get_auth_algo(enum rte_crypto_auth_algorithm sessalgo, case RTE_CRYPTO_AUTH_SHA512_HMAC: *algo = EVP_sha512(); break; + case RTE_CRYPTO_AUTH_SHAKE_128: + *algo = EVP_shake128(); + break; + case RTE_CRYPTO_AUTH_SHAKE_256: + *algo = EVP_shake256(); + break; default: res = -EINVAL; break; @@ -659,6 +665,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, case RTE_CRYPTO_AUTH_SHA256: case RTE_CRYPTO_AUTH_SHA384: case RTE_CRYPTO_AUTH_SHA512: + case RTE_CRYPTO_AUTH_SHAKE_128: + case RTE_CRYPTO_AUTH_SHAKE_256: sess->auth.mode = OPENSSL_AUTH_AS_AUTH; if (get_auth_algo(xform->auth.algo, &sess->auth.auth.evp_algo) != 0) @@ -1397,7 +1405,7 @@ process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset, static int process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, __rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey, - int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo) + int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo, int digest_length) { size_t dstlen; struct rte_mbuf *m; @@ -1437,8 +1445,24 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, } process_auth_final: - if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0) + /* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */ + if (algo == EVP_shake128() || algo == EVP_shake256()) { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Set XOF output length before calling EVP_DigestFinalXOF */ + if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0) + goto process_auth_err; + if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0) + goto process_auth_err; +#else + RTE_SET_USED(digest_length); + OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+"); goto process_auth_err; +#endif + } else { + if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0) + goto process_auth_err; + } + return 0; process_auth_err: @@ -1995,7 +2019,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, ctx_a = get_local_auth_ctx(sess, qp); status = process_openssl_auth(mbuf_src, dst, op->sym->auth.data.offset, NULL, NULL, srclen, - ctx_a, sess->auth.auth.evp_algo); + ctx_a, sess->auth.auth.evp_algo, sess->auth.digest_length); break; case OPENSSL_AUTH_AS_HMAC: ctx_h = get_local_hmac_ctx(sess, qp); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 5095e6cbea..f6c32fdcb6 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -269,6 +269,48 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { }, } }, } }, + { /* SHAKE_128 */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHAKE_128, + .block_size = 168, + .key_size = { + .min = 0, + .max = 0, + .increment = 0 + }, + .digest_size = { + .min = 1, + .max = 256, + .increment = 1 + }, + .iv_size = { 0 } + }, } + }, } + }, + { /* SHAKE_256 */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHAKE_256, + .block_size = 136, + .key_size = { + .min = 0, + .max = 0, + .increment = 0 + }, + .digest_size = { + .min = 1, + .max = 256, + .increment = 1 + }, + .iv_size = { 0 } + }, } + }, } + }, { /* AES CBC */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, {.sym = { -- 2.43.0 </div> </div> </body> </html>