git.openssl.org Git - openssl.git/commit

author	slontis <shane.lontis@oracle.com>
	Wed, 22 Jun 2022 05:21:13 +0000 (15:21 +1000)
committer	Tomas Mraz <tomas@openssl.org>
	Wed, 17 Aug 2022 14:18:30 +0000 (16:18 +0200)
commit	ba8fd22b358ce0467f4893bc8f925c6272964628
tree	d7e2042360b0c86b17fa211409fb0162bc64fa11	tree \| snapshot
parent	93e5c63ee7a7ef627d234558e850ff962e5dbc71	commit \| diff

SHAKE documentation updates for default output length.

Fixes #18586

In order to not break existing applications the OpenSSL documentation
related to SHAKE has been updated.

Background:

All digests algorithms (including XOF's) use the bitlen as the default output length.
This results in a security strength of bitlen / 2.

This means that SHAKE128 will by default have an output length of 16
bytes and a security strength of 64 bits.

For SHAKE256 the default output length is 32 bytes and has a security
strength of 128 bits.

This behaviour was present in 1.1.1 and has been duplicated in the
provider SHAKE algorithms for 3.0.

The SHAKE XOF algorithms have a security strength of
min(bitlen, output xof length in bits / 2).

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18622)

(cherry picked from commit b7cf9dd2393de8e90a15e83466d9b8b781b18385)

apps/dgst.c		diff \| blob \| history
doc/man1/openssl-dgst.pod.in		diff \| blob \| history
doc/man7/EVP_MD-SHAKE.pod		diff \| blob \| history
test/recipes/20-test_dgst.t		diff \| blob \| history