Skip to content

Set secure defaults for the SHAKE 128/256 digest output length. #23877

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
slontis wants to merge 1 commit into from
Closed

Set secure defaults for the SHAKE 128/256 digest output length. #23877

slontis wants to merge 1 commit into from

Conversation

@slontis
Copy link
Member

@slontis slontis commented Mar 18, 2024

This is a breaking change that affects using SHAKE with EVP_DigestFinal().

This should be resolved BEFORE we add support for signing with SHAKE, See (PR #23114) which is currently dependant on PR #22684 (Support for fixed output length SHAKE algorithms). This was going to be used by LMS also.

Leaving the code as it was may allow backwards compatability, but it would not interop nicely with signatures coming from another toolkit, and would be inconsistent with the Fixed output length SHAKE algorithms. Note that the algorithms will also map back to OIDS (so having 2 names for SHAKE-256, (one that mays back to a bad output size and one that is the correct size) does not allow a nice mapping back to a single OID.

Checklist
  • documentation is added or updated
  • tests are added or updated

@slontis
Set secure defaults for the SHAKE 128/256 digest output length.
259b81f 
This is a breaking change that affects using SHAKE with
EVP_DigestFinal().

This should be resolved BEFORE we add support for signing with SHAKE,
See (PR openssl#23114) which is currently dependant on PR openssl#22684 (Support for fixed
output length SHAKE algorithms). This was going to be used by LMS also.

Leaving the code as it was may allow backwards compatability, but it
would not interop nicely with signatures coming from another toolkit,
and would be inconsistent with the Fixed output length SHAKE algorithms.
Note that the algorithms will also map back to OIDS (so having 2 names
for SHAKE-256, (one that mays back to a bad output size and one that is
the correct size) does not allow a nice mapping back to a single OID.
@slontis slontis added branch: master Applies to master branch hold: discussion The community needs to establish a consensus how to move forward with the issue or PR labels Mar 18, 2024
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label Mar 18, 2024
@t8m t8m added the triaged: feature The issue/pr requests/adds a feature label Mar 18, 2024
@t8m t8m mentioned this pull request Apr 11, 2024
Closed
2 tasks
@openssl-machine
Copy link
Collaborator

openssl-machine commented Apr 18, 2024

This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago

@slontis
Copy link
Member Author

slontis commented Apr 23, 2024

Dropping this PR in favor of #24105 (Assuming that the changes discussed will be added to that PR).

@slontis slontis closed this Apr 23, 2024
@panva panva mentioned this pull request Jul 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

branch: master Applies to master branch hold: discussion The community needs to establish a consensus how to move forward with the issue or PR severity: fips change The pull request changes FIPS provider sources triaged: feature The issue/pr requests/adds a feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@slontis @openssl-machine @t8m