[PWCI] "[v2] crypto/openssl: Add support for SHAKE algorithms"

[ovsrobot]

NOTE: This is an auto submission for "[v2] crypto/openssl: Add support for SHAKE algorithms".

See "http://patchwork.dpdk.org/project/dpdk/list/?series=36995" for details.

Summary by Sourcery

Add SHAKE extendable-output function (XOF) authentication support to the OpenSSL crypto PMD and its tests.

New Features:

• Advertise and enable SHAKE_128 and SHAKE_256 authentication algorithms in the OpenSSL cryptodev PMD capabilities and session configuration.

Enhancements:

• Handle SHAKE XOF digests via OpenSSL EVP_DigestFinalXOF with OpenSSL 3.0+ and report an error when unsupported.
• Extend cryptodev auth-only test coverage to include SHAKE_128 and SHAKE_256 algorithms.

Summary by CodeRabbit

• New Features

  • Added SHAKE-128 and SHAKE-256 authentication algorithm support to the cryptographic backend, enabling additional authentication options with flexible digest size configuration (1-256 bytes).

• Tests

  • Extended authentication test coverage for newly supported SHAKE algorithms.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[sourcery-ai]

Reviewer's Guide

Adds SHAKE_128 and SHAKE_256 authentication support to the OpenSSL crypto PMD, wiring them into capability reporting, session configuration, digest processing (with OpenSSL 3.x XOF handling), and test coverage.

Sequence diagram for SHAKE authentication processing in OpenSSL PMD

sequenceDiagram
    participant App as App_thread
    participant Dev as rte_cryptodev
    participant QP as openssl_qp
    participant Sess as openssl_session
    participant AuthOp as process_openssl_auth_op
    participant AuthProc as process_openssl_auth
    participant EVP as OpenSSL_EVP

    App->>Dev: rte_cryptodev_enqueue_burst(crypto_op with SHAKE_128/256)
    Dev->>QP: enqueue op to queue pair
    QP->>Sess: lookup openssl_session
    Note over Sess: sess->auth.algo = RTE_CRYPTO_AUTH_SHAKE_128/256
    Sess->>Sess: get_auth_algo(SHAKE_128/256, evp_algo=EVP_shake128/256)
    Sess->>Sess: sess->auth.mode = OPENSSL_AUTH_AS_AUTH
    Sess->>Sess: sess->auth.digest_length = xform->auth.digest_length

    QP->>AuthOp: process_openssl_auth_op(qp, op, sess)
    AuthOp->>AuthProc: process_openssl_auth(mbuf_src, dst,
    AuthOp->>AuthProc:  data.offset, iv=NULL, pkey=NULL,
    AuthOp->>AuthProc:  srclen, ctx_a,
    AuthOp->>AuthProc:  sess->auth.auth.evp_algo,
    AuthOp->>AuthProc:  sess->auth.digest_length)

    AuthProc->>EVP: EVP_DigestInit_ex(ctx, algo=EVP_shake128/256)
    AuthProc->>EVP: EVP_DigestUpdate(ctx, src_chunks)
    AuthProc->>EVP: EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN,
    AuthProc->>EVP:  digest_length, NULL)
    EVP-->>AuthProc: success
    AuthProc->>EVP: EVP_DigestFinalXOF(ctx, dst, digest_length)
    EVP-->>AuthProc: success
    AuthProc-->>AuthOp: 0 (success)
    AuthOp-->>QP: auth status = SUCCESS
    QP-->>Dev: completed op
    Dev-->>App: rte_cryptodev_dequeue_burst() returns op with digest

Loading

Class diagram for updated OpenSSL PMD auth structures and functions with SHAKE support

classDiagram
    class openssl_session {
        +AuthConfig auth
    }

    class AuthConfig {
        +int mode
        +AuthAlgoConfig auth
        +int digest_length
    }

    class AuthAlgoConfig {
        +const EVP_MD *evp_algo
    }

    class rte_cryptodev_capabilities {
        +int op
        +SymCapability sym
    }

    class SymCapability {
        +int xform_type
        +AuthCapability auth
    }

    class AuthCapability {
        +int algo
        +int block_size
        +SizeRange key_size
        +SizeRange digest_size
        +SizeRange iv_size
    }

    class SizeRange {
        +int min
        +int max
        +int increment
    }

    class openssl_qp {
        +int id
    }

    class rte_crypto_op {
        +SymOp *sym
    }

    class SymOp {
        +AuthXform auth
    }

    class AuthXform {
        +int algo
        +int data_offset
        +int digest_length
    }

    class EVP_MD_CTX
    class EVP_MD

    class get_auth_algo {
        +int get_auth_algo(int sessalgo, const EVP_MD **algo)
    }

    class process_openssl_auth {
        +int process_openssl_auth(rte_mbuf *mbuf_src, uint8_t *dst, int offset, uint8_t *iv, EVP_PKEY *pkey, int srclen, EVP_MD_CTX *ctx, const EVP_MD *algo, int digest_length)
    }

    class process_openssl_auth_op {
        +int process_openssl_auth_op(openssl_qp *qp, rte_crypto_op *op, openssl_session *sess, uint8_t *dst, int srclen)
    }

    %% Relationships
    openssl_session --> AuthConfig : has
    AuthConfig --> AuthAlgoConfig : has
    AuthConfig --> EVP_MD : uses evp_algo

    rte_cryptodev_capabilities --> SymCapability : has
    SymCapability --> AuthCapability : has
    AuthCapability --> SizeRange : has

    rte_crypto_op --> SymOp : has
    SymOp --> AuthXform : has

    process_openssl_auth_op --> openssl_session : uses
    process_openssl_auth_op --> openssl_qp : uses
    process_openssl_auth_op --> rte_crypto_op : uses
    process_openssl_auth_op --> process_openssl_auth : calls

    process_openssl_auth --> EVP_MD_CTX : uses
    process_openssl_auth --> EVP_MD : uses

    get_auth_algo --> EVP_MD : returns

    %% New algorithms
    class RTE_CRYPTO_AUTH_SHAKE_128
    class RTE_CRYPTO_AUTH_SHAKE_256

    AuthCapability --> RTE_CRYPTO_AUTH_SHAKE_128 : algo
    AuthCapability --> RTE_CRYPTO_AUTH_SHAKE_256 : algo

    get_auth_algo --> RTE_CRYPTO_AUTH_SHAKE_128 : case
    get_auth_algo --> RTE_CRYPTO_AUTH_SHAKE_256 : case

    class EVP_shake128
    class EVP_shake256

    get_auth_algo --> EVP_shake128 : sets algo
    get_auth_algo --> EVP_shake256 : sets algo

    process_openssl_auth --> EVP_shake128 : XOF path
    process_openssl_auth --> EVP_shake256 : XOF path

Loading

File-Level Changes

Change	Details	Files
Advertise SHAKE_128 and SHAKE_256 authentication capabilities in the OpenSSL PMD.	Add SHAKE_128 capability entry with block size 168 and variable digest length 1–256 bytes Add SHAKE_256 capability entry with block size 136 and variable digest length 1–256 bytes Specify zero key and IV sizes for SHAKE auth algorithms	drivers/crypto/openssl/rte_openssl_pmd_ops.c
Wire SHAKE_128 and SHAKE_256 into OpenSSL PMD auth session handling and digest computation with XOF-specific logic.	Extend get_auth_algo() to map RTE_CRYPTO_AUTH_SHAKE_128/256 to EVP_shake128()/EVP_shake256() Treat SHAKE_128/256 as plain AUTH mode in openssl_set_session_auth_parameters() Change process_openssl_auth() to accept an explicit digest_length parameter Implement SHAKE-specific finalization using EVP_MD_CTX_ctrl(EVP_MD_CTRL_XOF_LEN) and EVP_DigestFinalXOF() for OpenSSL >= 3.0, with an error/log path for older OpenSSL versions Update process_openssl_auth_op() to pass sess->auth.digest_length into process_openssl_auth()	drivers/crypto/openssl/rte_openssl_pmd.c
Extend cryptodev auth-only tests to cover SHAKE_128 and SHAKE_256 algorithms.	Include RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256 in the list of auth algorithms used by authonly_setup()	app/test/test_cryptodev_blockcipher.c

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

Support for SHAKE-based authentication algorithms (SHAKE_128 and SHAKE_256) has been added to the OpenSSL crypto driver. Changes include registering new algorithm capabilities, mapping them in the auth algorithm handler, implementing XOF-based finalization with OpenSSL 3.0+ conditional compilation, and extending test coverage.

Changes

Cohort / File(s)	Summary
Test Coverage app/test/test_cryptodev_blockcipher.c	Extended authonly_setup capability list to include RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256 algorithms.
OpenSSL Driver — Capabilities drivers/crypto/openssl/rte_openssl_pmd_ops.c	Added SHAKE_128 and SHAKE_256 symmetric authentication capabilities to openssl_pmd_capabilities array, each specifying block_size, digest_size range (1–256), and other capability parameters.
OpenSSL Driver — Implementation drivers/crypto/openssl/rte_openssl_pmd.c	Extended get_auth_algo to map SHAKE algorithms to EVP_shake128() and EVP_shake256(); updated openssl_set_session_auth_parameters to handle SHAKE options; modified process_openssl_auth_finalization to branch on XOF-based finalization using EVP_DigestFinalXOF and EVP_MD_CTX_ctrl (OpenSSL 3.0+); extended process_openssl_auth signature with digest_length parameter and updated callers accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Shake, shake, hooray! The crypto garden grows,
With SHAKE_128, SHAKE_256 in crispy, fresh rows,
XOF finalization—conditional and bright,
OpenSSL backend dancing through the night! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change—adding SHAKE algorithm support to the crypto/openssl module—which is reflected in all three modified files.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• The new SHAKE capabilities and get_auth_algo() cases are unconditionally compiled, but the XOF handling is gated on OpenSSL 3.0+; consider guarding capability advertisement and EVP_shake* usage with the same version checks (or failing session creation earlier) to avoid advertising algorithms that will only fail at runtime on older OpenSSL versions.
• process_openssl_auth() detects SHAKE by comparing algo against EVP_shake128()/EVP_shake256(), which is fragile if the EVP_MD comes from a different provider or wrapper; using the session's xform->auth.algo (or storing the enum in the session) would make the SHAKE/XOF branch selection more robust.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new SHAKE capabilities and `get_auth_algo()` cases are unconditionally compiled, but the XOF handling is gated on OpenSSL 3.0+; consider guarding capability advertisement and EVP_shake* usage with the same version checks (or failing session creation earlier) to avoid advertising algorithms that will only fail at runtime on older OpenSSL versions.
- `process_openssl_auth()` detects SHAKE by comparing `algo` against `EVP_shake128()`/`EVP_shake256()`, which is fragile if the EVP_MD comes from a different provider or wrapper; using the session's `xform->auth.algo` (or storing the enum in the session) would make the SHAKE/XOF branch selection more robust.

## Individual Comments

### Comment 1
<location> `drivers/crypto/openssl/rte_openssl_pmd_ops.c:272-271` </location>
<code_context>
 			}, }
 		}, }
 	},
+	{   /* SHAKE_128 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHAKE_128,
+				.block_size = 168,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 1,
+					.max = 256,
+					.increment = 1
+				},
+				.iv_size = { 0 }
+			}, }
+		}, }
+	},
+	{   /* SHAKE_256 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
</code_context>

<issue_to_address>
**issue (bug_risk):** SHAKE capabilities are advertised even when runtime support is compiled out for OpenSSL < 3.0, which can cause consistent runtime failures.

The capabilities table now lists SHAKE_128/256 unconditionally, but `process_openssl_auth()` always rejects SHAKE for OpenSSL < 3.0 (log + error path). So the PMD advertises SHAKE, yet all such ops fail on older OpenSSL. Please either conditionally expose these capabilities only for `OPENSSL_VERSION_NUMBER >= 0x30000000L` or add a fallback implementation for older versions, so advertised features match actual runtime support.
</issue_to_address>

### Comment 2
<location> `drivers/crypto/openssl/rte_openssl_pmd.c:273-277` </location>
<code_context>
 		case RTE_CRYPTO_AUTH_SHA512_HMAC:
 			*algo = EVP_sha512();
 			break;
+		case RTE_CRYPTO_AUTH_SHAKE_128:
+			*algo = EVP_shake128();
+			break;
+		case RTE_CRYPTO_AUTH_SHAKE_256:
+			*algo = EVP_shake256();
+			break;
 		default:
</code_context>

<issue_to_address>
**issue (bug_risk):** Using EVP_shake128/256 without version guards may break builds with older OpenSSL headers.

These new `get_auth_algo()` cases call `EVP_shake128()`/`EVP_shake256()` unconditionally, which will fail to compile with OpenSSL versions that don’t declare them. Please wrap these cases in the same `OPENSSL_VERSION_NUMBER` checks you use for SHAKE elsewhere, and return `-EINVAL` on unsupported versions to keep builds working across the supported OpenSSL range.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @drivers/crypto/openssl/rte_openssl_pmd.c:
- Around line 273-278: The SHAKE algorithm cases must be guarded by OpenSSL
version checks: wrap the RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256
handling in get_auth_algo() and the corresponding registration in
openssl_set_session_auth_parameters() with a compile-time guard (e.g., #if
(OPENSSL_VERSION_NUMBER >= 0x30000000L)) so these cases are omitted when
building against pre-3.0 OpenSSL; update both switch-case locations (symbols
get_auth_algo and openssl_set_session_auth_parameters, specifically the cases
for RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256) to prevent
selecting/registering SHAKE on unsupported versions.

🧹 Nitpick comments (1)

drivers/crypto/openssl/rte_openssl_pmd.c (1)

1448-1464: The EVP_MD_CTRL_XOF_LEN control approach is valid, but redundant.

Both EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) and passing the length directly to EVP_DigestFinalXOF(ctx, dst, digest_length) are supported methods in OpenSSL 3.0+. The current code uses both simultaneously, which is redundant. Since EVP_DigestFinalXOF already accepts the output length as a parameter, the preceding EVP_MD_CTX_ctrl call can be removed for simplicity.

♻️ Optional simplification

 	/* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */
 	if (algo == EVP_shake128() || algo == EVP_shake256()) {
 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-		/* Set XOF output length before calling EVP_DigestFinalXOF */
-		if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0)
-			goto process_auth_err;
 		if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0)
 			goto process_auth_err;
 #else

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd60dcd and a2f3737.

📒 Files selected for processing (3)

• app/test/test_cryptodev_blockcipher.c
• drivers/crypto/openssl/rte_openssl_pmd.c
• drivers/crypto/openssl/rte_openssl_pmd_ops.c

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Sourcery review

🔇 Additional comments (4)

drivers/crypto/openssl/rte_openssl_pmd_ops.c (1)

272-313: LGTM! SHAKE capability definitions are correct.

The block sizes are accurate (SHAKE-128 rate = 168 bytes, SHAKE-256 rate = 136 bytes), and the variable digest size range (1-256) is appropriate for XOF algorithms. The keyless and IV-less configuration is correct for these hash functions.

drivers/crypto/openssl/rte_openssl_pmd.c (2)

668-669: LGTM!

SHAKE algorithms are correctly added to the digest authentication path using OPENSSL_AUTH_AS_AUTH mode.

---

2019-2023: LGTM!

The digest_length parameter is correctly passed from the session configuration to enable variable-length XOF output for SHAKE algorithms.

app/test/test_cryptodev_blockcipher.c (1)

1177-1179: SHAKE algorithms properly added to auth capability checks with existing test vectors.

The additions correctly extend the Auth Only test suite to check for SHAKE-128 and SHAKE-256 capabilities. Test vectors for both algorithms are properly defined in test_cryptodev_hash_test_vectors.h with comprehensive test cases including Digest and Verify operations.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

OpenSSL EVP_shake128 EVP_shake256 version introduced history

💡 Result:

Short answer

• EVP_shake128 and EVP_shake256 were added as part of OpenSSL's SHA‑3 support in OpenSSL 1.1.1 (released 11 Sept 2018). [1][2]

Relevant details / later changes

• OpenSSL 1.1.1 release notes list “SHA3” (which includes SHAKE) among new algorithms. [1]
• The EVP SHAKE manpages document these functions (EVP_shake128 / EVP_shake256) in the OpenSSL docs. [2]
• Later OpenSSL 3.x work added XOF-related APIs/behavior (e.g. EVP_MD_CTRL_XOF_LEN / EVP_DigestFinalXOF and EVP_DigestSqueeze) and changes to default XOF handling in the 3.x series (notes in 3.3 / 3.4 documentation). [3][4]

Sources
[1] OpenSSL 1.1.1 release notes (SHA3 added).
[2] OpenSSL EVP SHA-3 / EVP_shake128 / EVP_shake256 manpage.
[3] OpenSSL 3.3 release announcement (EVP_DigestSqueeze etc.).
[4] EVP_MD-SHAKE manpage (notes about XOF defaults / history).

---

🏁 Script executed:

# Find version checks and OPENSSL_VERSION requirements in the codebase
rg -B2 -A2 "OPENSSL_VERSION_NUMBER" drivers/crypto/openssl/rte_openssl_pmd.c | head -50

Repository: ovsrobot/dpdk

Length of output: 1189

---

🏁 Script executed:

# Check for any documentation about minimum OpenSSL version
find . -type f \( -name "*.txt" -o -name "*.md" -o -name "*.rst" -o -name "*.cfg" \) | xargs grep -l "openssl.*version\|minimum.*openssl" 2>/dev/null | head -5

Repository: ovsrobot/dpdk

Length of output: 39

---

🏁 Script executed:

# Check meson.build or CMakeLists for OpenSSL version requirements
find . -type f \( -name "meson.build" -o -name "CMakeLists.txt" \) | xargs grep -i "openssl" 2>/dev/null | head -20

Repository: ovsrobot/dpdk

Length of output: 900

---

🏁 Script executed:

# Get context around lines 273-278 and check for version guards
sed -n '260,290p' drivers/crypto/openssl/rte_openssl_pmd.c

Repository: ovsrobot/dpdk

Length of output: 668

---

🏁 Script executed:

# Check the broader function context and any guards
sed -n '240,300p' drivers/crypto/openssl/rte_openssl_pmd.c

Repository: ovsrobot/dpdk

Length of output: 1391

---

🏁 Script executed:

# Check lines 668-669 for the auth parameters handling
sed -n '660,680p' drivers/crypto/openssl/rte_openssl_pmd.c

Repository: ovsrobot/dpdk

Length of output: 637

---

🏁 Script executed:

# Check the XOF finalization at 1448-1465
sed -n '1440,1470p' drivers/crypto/openssl/rte_openssl_pmd.c

Repository: ovsrobot/dpdk

Length of output: 1016

---

Add version guards for SHAKE algorithm registration on pre-3.0 OpenSSL.

While EVP_shake128() and EVP_shake256() are available in OpenSSL 1.1.1+, the code allows SHAKE algorithms to be registered unconditionally at lines 668-669, but finalization fails at runtime on OpenSSL versions prior to 3.0 with an error message. This creates a broken user experience where the algorithm can be selected but fails during operation.

Add version guards (e.g., #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)) around the RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256 cases in both get_auth_algo() (lines 273-278) and openssl_set_session_auth_parameters() (lines 668-669) to prevent registration on unsupported OpenSSL versions, or ensure minimum OpenSSL version requirements are documented.

🤖 Prompt for AI Agents

In @drivers/crypto/openssl/rte_openssl_pmd.c around lines 273 - 278, The SHAKE
algorithm cases must be guarded by OpenSSL version checks: wrap the
RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256 handling in
get_auth_algo() and the corresponding registration in
openssl_set_session_auth_parameters() with a compile-time guard (e.g., #if
(OPENSSL_VERSION_NUMBER >= 0x30000000L)) so these cases are omitted when
building against pre-3.0 OpenSSL; update both switch-case locations (symbols
get_auth_algo and openssl_set_session_auth_parameters, specifically the cases
for RTE_CRYPTO_AUTH_SHAKE_128 and RTE_CRYPTO_AUTH_SHAKE_256) to prevent
selecting/registering SHAKE on unsupported versions.