crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms

PR-URL: #62183
Backport-PR-URL: #62539
Refs: https://wicg.github.io/webcrypto-modern-algos/#kangarootwelve
Refs: https://wicg.github.io/webcrypto-modern-algos/#turboshake
Refs: https://www.rfc-editor.org/rfc/rfc9861.html
Refs: https://redirect.github.com/openssl/openssl/issues/30304
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

Author: panva

doc/api/webcrypto.md

@@ -2,6 +2,10 @@
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62183
+    description: TurboSHAKE and KangarooTwelve algorithms
+      are now supported.
   - version: v24.8.0
     pr-url: https://github.com/nodejs/node/pull/59647
     description: KMAC algorithms are now supported.
@@ -121,6 +125,8 @@ Algorithms:
 * `'cSHAKE256'`
 * `'KMAC128'`[^openssl30]
 * `'KMAC256'`[^openssl30]
+* `'KT128'`
+* `'KT256'`
 * `'ML-DSA-44'`[^openssl35]
 * `'ML-DSA-65'`[^openssl35]
 * `'ML-DSA-87'`[^openssl35]
@@ -130,6 +136,8 @@ Algorithms:
 * `'SHA3-256'`
 * `'SHA3-384'`
 * `'SHA3-512'`
+* `'TurboSHAKE128'`
+* `'TurboSHAKE256'`
 
 Key Formats:
 
@@ -574,6 +582,8 @@ implementation and the APIs supported for each:
 | `'HMAC'`                             |            | ✔                  |                        |              |                   |        |
 | `'KMAC128'`[^modern-algos]           |            | ✔                  |                        |              |                   |        |
 | `'KMAC256'`[^modern-algos]           |            | ✔                  |                        |              |                   |        |
+| `'KT128'`[^modern-algos]             |            |                    |                        |              |                   | ✔      |
+| `'KT256'`[^modern-algos]             |            |                    |                        |              |                   | ✔      |
 | `'ML-DSA-44'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
 | `'ML-DSA-65'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
 | `'ML-DSA-87'`[^modern-algos]         |            | ✔                  |                        |              |                   |        |
@@ -591,6 +601,8 @@ implementation and the APIs supported for each:
 | `'SHA3-256'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
 | `'SHA3-384'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
 | `'SHA3-512'`[^modern-algos]          |            |                    |                        |              |                   | ✔      |
+| `'TurboSHAKE128'`[^modern-algos]     |            |                    |                        |              |                   | ✔      |
+| `'TurboSHAKE256'`[^modern-algos]     |            |                    |                        |              |                   | ✔      |
 | `'X25519'`                           |            |                    | ✔                      |              |                   |        |
 | `'X448'`[^secure-curves]             |            |                    | ✔                      |              |                   |        |
 
@@ -998,6 +1010,10 @@ The algorithms currently supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62183
+    description: TurboSHAKE and KangarooTwelve algorithms
+      are now supported.
   - version: v24.7.0
     pr-url: https://github.com/nodejs/node/pull/59365
     description: SHA-3 algorithms are now supported.
@@ -1006,7 +1022,7 @@ changes:
     description: SHAKE algorithms are now supported.
 -->
 
-* `algorithm` {string|Algorithm|CShakeParams}
+* `algorithm` {string|Algorithm|CShakeParams|TurboShakeParams|KangarooTwelveParams}
 * `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
@@ -1018,13 +1034,17 @@ If `algorithm` is provided as a {string}, it must be one of:
 
 * `'cSHAKE128'`[^modern-algos]
 * `'cSHAKE256'`[^modern-algos]
+* `'KT128'`[^modern-algos]
+* `'KT256'`[^modern-algos]
 * `'SHA-1'`
 * `'SHA-256'`
 * `'SHA-384'`
 * `'SHA-512'`
 * `'SHA3-256'`[^modern-algos]
 * `'SHA3-384'`[^modern-algos]
 * `'SHA3-512'`[^modern-algos]
+* `'TurboSHAKE128'`[^modern-algos]
+* `'TurboSHAKE256'`[^modern-algos]
 
 If `algorithm` is provided as an {Object}, it must have a `name` property
 whose value is one of the above.
@@ -2311,6 +2331,38 @@ added: v15.0.0
 
 * Type: {string}
 
+### Class: `KangarooTwelveParams`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+#### `kangarooTwelveParams.customization`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {ArrayBuffer|TypedArray|DataView|Buffer|undefined}
+
+The optional customization string for KangarooTwelve.
+
+#### `kangarooTwelveParams.name`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {string} Must be `'KT128'`[^modern-algos] or `'KT256'`[^modern-algos]
+
+#### `kangarooTwelveParams.outputLength`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {number} represents the requested output length in bits.
+
 ### Class: `KmacImportParams`
 
 <!-- YAML
@@ -2681,6 +2733,38 @@ added: v15.0.0
 
 The length (in bytes) of the random salt to use.
 
+### Class: `TurboShakeParams`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+#### `turboShakeParams.domainSeparation`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {number|undefined}
+
+The optional domain separation byte (0x01-0x7f). Defaults to `0x1f`.
+
+#### `turboShakeParams.name`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {string} Must be `'TurboSHAKE128'`[^modern-algos] or `'TurboSHAKE256'`[^modern-algos]
+
+#### `turboShakeParams.outputLength`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type: {number} represents the requested output length in bits.
+
 [^secure-curves]: See [Secure Curves in the Web Cryptography API][]
 
 [^modern-algos]: See [Modern Algorithms in the Web Cryptography API][]

lib/internal/crypto/hash.js

@@ -14,6 +14,8 @@ const {
   Hmac: _Hmac,
   kCryptoJobAsync,
   oneShotDigest,
+  TurboShakeJob,
+  KangarooTwelveJob,
 } = internalBinding('crypto');
 
 const {
@@ -226,6 +228,24 @@ async function asyncDigest(algorithm, data) {
         normalizeHashName(algorithm.name),
         data,
         algorithm.outputLength));
+    case 'TurboSHAKE128':
+      // Fall through
+    case 'TurboSHAKE256':
+      return await jobPromise(() => new TurboShakeJob(
+        kCryptoJobAsync,
+        algorithm.name,
+        algorithm.domainSeparation ?? 0x1f,
+        algorithm.outputLength / 8,
+        data));
+    case 'KT128':
+      // Fall through
+    case 'KT256':
+      return await jobPromise(() => new KangarooTwelveJob(
+        kCryptoJobAsync,
+        algorithm.name,
+        algorithm.customization,
+        algorithm.outputLength / 8,
+        data));
   }
 
   throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');

lib/internal/crypto/util.js

@@ -244,6 +244,10 @@ const kAlgorithmDefinitions = {
   },
   'cSHAKE128': { 'digest': 'CShakeParams' },
   'cSHAKE256': { 'digest': 'CShakeParams' },
+  'KT128': { 'digest': 'KangarooTwelveParams' },
+  'KT256': { 'digest': 'KangarooTwelveParams' },
+  'TurboSHAKE128': { 'digest': 'TurboShakeParams' },
+  'TurboSHAKE256': { 'digest': 'TurboShakeParams' },
   'ECDH': {
     'generateKey': 'EcKeyGenParams',
     'exportKey': null,
@@ -441,6 +445,10 @@ const experimentalAlgorithms = [
   'SHA3-256',
   'SHA3-384',
   'SHA3-512',
+  'TurboSHAKE128',
+  'TurboSHAKE256',
+  'KT128',
+  'KT256',
   'X448',
 ];
 
@@ -511,6 +519,10 @@ const simpleAlgorithmDictionaries = {
   KmacParams: {
     customization: 'BufferSource',
   },
+  KangarooTwelveParams: {
+    customization: 'BufferSource',
+  },
+  TurboShakeParams: {},
 };
 
 function validateMaxBufferLength(data, name) {

lib/internal/crypto/webidl.js

@@ -895,6 +895,52 @@ converters.KmacParams = createDictionaryConverter(
     },
   ]);
 
+converters.KangarooTwelveParams = createDictionaryConverter(
+  'KangarooTwelveParams', [
+    ...new SafeArrayIterator(dictAlgorithm),
+    {
+      key: 'outputLength',
+      converter: (V, opts) =>
+        converters['unsigned long'](V, { ...opts, enforceRange: true }),
+      validator: (V, opts) => {
+        if (V === 0 || V % 8)
+          throw lazyDOMException('Invalid KangarooTwelveParams outputLength', 'OperationError');
+      },
+      required: true,
+    },
+    {
+      key: 'customization',
+      converter: converters.BufferSource,
+    },
+  ]);
+
+converters.TurboShakeParams = createDictionaryConverter(
+  'TurboShakeParams', [
+    ...new SafeArrayIterator(dictAlgorithm),
+    {
+      key: 'outputLength',
+      converter: (V, opts) =>
+        converters['unsigned long'](V, { ...opts, enforceRange: true }),
+      validator: (V, opts) => {
+        if (V === 0 || V % 8)
+          throw lazyDOMException('Invalid TurboShakeParams outputLength', 'OperationError');
+      },
+      required: true,
+    },
+    {
+      key: 'domainSeparation',
+      converter: (V, opts) =>
+        converters.octet(V, { ...opts, enforceRange: true }),
+      validator: (V) => {
+        if (V < 0x01 || V > 0x7F) {
+          throw lazyDOMException(
+            'TurboShakeParams.domainSeparation must be in range 0x01-0x7f',
+            'OperationError');
+        }
+      },
+    },
+  ]);
+
 module.exports = {
   converters,
   requiredArguments,

node.gyp

@@ -344,6 +344,7 @@
       'src/crypto/crypto_kem.cc',
       'src/crypto/crypto_hmac.cc',
       'src/crypto/crypto_kmac.cc',
+      'src/crypto/crypto_turboshake.cc',
       'src/crypto/crypto_random.cc',
       'src/crypto/crypto_rsa.cc',
       'src/crypto/crypto_spkac.cc',
@@ -362,6 +363,7 @@
       'src/crypto/crypto_dh.h',
       'src/crypto/crypto_hmac.h',
       'src/crypto/crypto_kmac.h',
+      'src/crypto/crypto_turboshake.h',
       'src/crypto/crypto_rsa.h',
       'src/crypto/crypto_spkac.h',
       'src/crypto/crypto_util.h',