Intentionally break EVP_DigestFinal for SHAKE128 and SHAKE256

It will work only if OSSL_DIGEST_PARAM_XOFLEN is set.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24105)

2 files changed, 4 insertions, 2 deletions

diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index ab670a8f49..4c61ca4c42 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -454,6 +454,8 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize)
     if (ctx->digest->prov == NULL)
         goto legacy;
 
+    if (sz == 0) /* Assuming a xoflen must have been set. */
+        mdsize = SIZE_MAX;
     if (ctx->digest->gettable_ctx_params != NULL) {
         OSSL_PARAM params[] = { OSSL_PARAM_END, OSSL_PARAM_END };
 
diff --git a/crypto/sha/sha3.c b/crypto/sha/sha3.c
index 2411b3f1f8..4d54712168 100644
--- a/crypto/sha/sha3.c
+++ b/crypto/sha/sha3.c
@@ -34,12 +34,12 @@ int ossl_sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
     return 0;
 }
 
-int ossl_keccak_kmac_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen)
+int ossl_keccak_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen, size_t mdlen)
 {
     int ret = ossl_sha3_init(ctx, pad, bitlen);
 
     if (ret)
-        ctx->md_size *= 2;
+        ctx->md_size = mdlen / 8;
     return ret;
 }