mirror of https://github.com/openssl/openssl.git
102 lines
2.8 KiB
Plaintext
102 lines
2.8 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
EVP_MD-SHAKE, EVP_MD-KECCAK-KMAC
|
|
- The SHAKE / KECCAK family EVP_MD implementations
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
Support for computing SHAKE or KECCAK-KMAC digests through the
|
|
B<EVP_MD> API.
|
|
|
|
KECCAK-KMAC is an Extendable Output Function (XOF), with a definition
|
|
similar to SHAKE, used by the KMAC EVP_MAC implementation (see
|
|
L<EVP_MAC-KMAC(7)>).
|
|
|
|
=head2 Identities
|
|
|
|
This implementation is available in the FIPS provider as well as the default
|
|
provider, and includes the following varieties:
|
|
|
|
=over 4
|
|
|
|
=item KECCAK-KMAC-128
|
|
|
|
Known names are "KECCAK-KMAC-128" and "KECCAK-KMAC128". This is used
|
|
by L<EVP_MAC-KMAC128(7)>. Using the notation from NIST FIPS 202
|
|
(Section 6.2), we have S<KECCAK-KMAC-128(M, d)> = S<KECCAK[256](M || 00, d)>
|
|
(see the description of KMAC128 in Appendix A of NIST SP 800-185).
|
|
|
|
=item KECCAK-KMAC-256
|
|
|
|
Known names are "KECCAK-KMAC-256" and "KECCAK-KMAC256". This is used
|
|
by L<EVP_MAC-KMAC256(7)>. Using the notation from NIST FIPS 202
|
|
(Section 6.2), we have S<KECCAK-KMAC-256(M, d)> = S<KECCAK[512](M || 00, d)>
|
|
(see the description of KMAC256 in Appendix A of NIST SP 800-185).
|
|
|
|
=item SHAKE-128
|
|
|
|
Known names are "SHAKE-128" and "SHAKE128".
|
|
|
|
=item SHAKE-256
|
|
|
|
Known names are "SHAKE-256" and "SHAKE256".
|
|
|
|
=back
|
|
|
|
=head2 Parameters
|
|
|
|
This implementation supports the following L<OSSL_PARAM(3)> entries:
|
|
|
|
=over 4
|
|
|
|
=item "xoflen" (B<OSSL_DIGEST_PARAM_XOFLEN>) <unsigned integer>
|
|
|
|
Sets or Gets the digest length for extendable output functions.
|
|
The length of the "xoflen" parameter should not exceed that of a B<size_t>.
|
|
|
|
The SHAKE-128 and SHAKE-256 implementations do not have any default digest
|
|
length.
|
|
|
|
This parameter must be set before calling either EVP_DigestFinal_ex() or
|
|
EVP_DigestFinal(), since these functions were not designed to handle variable
|
|
length output. It is recommended to either use EVP_DigestSqueeze() or
|
|
EVP_DigestFinalXOF() instead.
|
|
|
|
=item "size" (B<OSSL_DIGEST_PARAM_SIZE>) <unsigned integer>
|
|
|
|
An alias of "xoflen".
|
|
|
|
=back
|
|
|
|
See L<EVP_DigestInit(3)/PARAMETERS> for further information related to parameters
|
|
|
|
=head1 NOTES
|
|
|
|
For SHAKE-128, to ensure the maximum security strength of 128 bits, the output
|
|
length passed to EVP_DigestFinalXOF() should be at least 32.
|
|
|
|
For SHAKE-256, to ensure the maximum security strength of 256 bits, the output
|
|
length passed to EVP_DigestFinalXOF() should be at least 64.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
L<EVP_MD_CTX_set_params(3)>, L<provider-digest(7)>, L<OSSL_PROVIDER-default(7)>
|
|
|
|
=head1 HISTORY
|
|
|
|
Since OpenSSL 3.4 the SHAKE-128 and SHAKE-256 implementations have no default
|
|
digest length.
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file LICENSE in the source distribution or at
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
=cut
|