OpenSSL 3.X has support for SHAKE, Hence adding SHAKE-128 and SHAKE-256 support to the OpenSSL PMD.
Signed-off-by: Emma Finn <[email protected]> --- app/test/test_cryptodev_blockcipher.c | 4 +- drivers/crypto/openssl/rte_openssl_pmd.c | 28 +++++++++++-- drivers/crypto/openssl/rte_openssl_pmd_ops.c | 42 ++++++++++++++++++++ 3 files changed, 70 insertions(+), 4 deletions(-) diff --git a/app/test/test_cryptodev_blockcipher.c b/app/test/test_cryptodev_blockcipher.c index 6b37347789..1438f24993 100644 --- a/app/test/test_cryptodev_blockcipher.c +++ b/app/test/test_cryptodev_blockcipher.c @@ -1174,7 +1174,9 @@ authonly_setup(void) RTE_CRYPTO_AUTH_SHA512_HMAC, RTE_CRYPTO_AUTH_AES_CMAC, RTE_CRYPTO_AUTH_NULL, - RTE_CRYPTO_AUTH_AES_XCBC_MAC + RTE_CRYPTO_AUTH_AES_XCBC_MAC, + RTE_CRYPTO_AUTH_SHAKE_128, + RTE_CRYPTO_AUTH_SHAKE_256 }; rte_cryptodev_info_get(dev_id, &dev_info); diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c index 8817d7893c..7d3276fa46 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd.c +++ b/drivers/crypto/openssl/rte_openssl_pmd.c @@ -294,6 +294,12 @@ get_auth_algo(enum rte_crypto_auth_algorithm sessalgo, case RTE_CRYPTO_AUTH_SHA3_512_HMAC: *algo = EVP_sha3_512(); break; + case RTE_CRYPTO_AUTH_SHAKE_128: + *algo = EVP_shake128(); + break; + case RTE_CRYPTO_AUTH_SHAKE_256: + *algo = EVP_shake256(); + break; default: res = -EINVAL; break; @@ -687,6 +693,8 @@ openssl_set_session_auth_parameters(struct openssl_session *sess, case RTE_CRYPTO_AUTH_SHA3_256: case RTE_CRYPTO_AUTH_SHA3_384: case RTE_CRYPTO_AUTH_SHA3_512: + case RTE_CRYPTO_AUTH_SHAKE_128: + case RTE_CRYPTO_AUTH_SHAKE_256: sess->auth.mode = OPENSSL_AUTH_AS_AUTH; if (get_auth_algo(xform->auth.algo, &sess->auth.auth.evp_algo) != 0) @@ -1433,7 +1441,7 @@ process_openssl_auth_decryption_ccm(struct rte_mbuf *mbuf_src, int offset, static int process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, __rte_unused uint8_t *iv, __rte_unused EVP_PKEY * pkey, - int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo) + int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo, int digest_length) { size_t dstlen; struct rte_mbuf *m; @@ -1473,8 +1481,22 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset, } process_auth_final: - if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0) + /* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */ + if (algo == EVP_shake128() || algo == EVP_shake256()) { +#if (OPENSSL_VERSION_NUMBER >= 0x30000000L) + /* Set XOF output length before calling EVP_DigestFinalXOF */ + if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0) + goto process_auth_err; + if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0) + goto process_auth_err; +#else + OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+"); goto process_auth_err; +#endif + } else { + if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0) + goto process_auth_err; +} return 0; process_auth_err: @@ -2031,7 +2053,7 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op, ctx_a = get_local_auth_ctx(sess, qp); status = process_openssl_auth(mbuf_src, dst, op->sym->auth.data.offset, NULL, NULL, srclen, - ctx_a, sess->auth.auth.evp_algo); + ctx_a, sess->auth.auth.evp_algo, sess->auth.digest_length); break; case OPENSSL_AUTH_AS_HMAC: ctx_h = get_local_hmac_ctx(sess, qp); diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c index 8d6ae346a8..ef2ab944a0 100644 --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c @@ -437,6 +437,48 @@ static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = { }, } }, } }, + { /* SHAKE_128 */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHAKE_128, + .block_size = 168, + .key_size = { + .min = 0, + .max = 0, + .increment = 0 + }, + .digest_size = { + .min = 1, + .max = 256, + .increment = 1 + }, + .iv_size = { 0 } + }, } + }, } + }, + { /* SHAKE_256 */ + .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, + {.sym = { + .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, + {.auth = { + .algo = RTE_CRYPTO_AUTH_SHAKE_256, + .block_size = 136, + .key_size = { + .min = 0, + .max = 0, + .increment = 0 + }, + .digest_size = { + .min = 1, + .max = 256, + .increment = 1 + }, + .iv_size = { 0 } + }, } + }, } + }, { /* AES CBC */ .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, {.sym = { -- 2.43.0
