Document that SHAKE-128 and SHAKE-256 have no default digest length

Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/24105)
author: Tomas Mraz <tomas@openssl.org> 2024-04-24 18:42:39 +0200
committer: Tomas Mraz <tomas@openssl.org> 2024-05-15 12:10:32 +0200
commit: ad3f28c5fbd5dcbc763a650313fd666b0e339cca (patch)
tree: f6c6b35d270e9a275d1304d15da6ec8d85a04c5c /CHANGES.md
parent: Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256 (diff)
download: openssl-ad3f28c5fbd5dcbc763a650313fd666b0e339cca.tar.xz
openssl-ad3f28c5fbd5dcbc763a650313fd666b0e339cca.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index cf0efe31ba..5615e48a1f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -41,6 +41,16 @@ OpenSSL 3.4
 
    *Tomáš Mráz*
 
+ * SHAKE-128 and SHAKE-256 implementations have no default digest length
+   anymore. That means these algorithms cannot be used with
+   EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
+
+   This change was necessary because the preexisting default lengths were
+   half the size necessary for full collision resistance supported by these
+   algorithms.
+
+   *Tomáš Mráz*
+
  * Setting `config_diagnostics=1` in the config file will cause errors to
    be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
    in the ssl module configuration.
author	Tomas Mraz <tomas@openssl.org>	2024-04-24 18:42:39 +0200
committer	Tomas Mraz <tomas@openssl.org>	2024-05-15 12:10:32 +0200
commit	ad3f28c5fbd5dcbc763a650313fd666b0e339cca (patch)
tree	f6c6b35d270e9a275d1304d15da6ec8d85a04c5c /CHANGES.md
parent	Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256 (diff)
download	openssl-ad3f28c5fbd5dcbc763a650313fd666b0e339cca.tar.xz openssl-ad3f28c5fbd5dcbc763a650313fd666b0e339cca.zip