crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4

Update doc/api/deprecations.md

Update doc/api/deprecations.md

Author: panva

doc/api/deprecations.md

@@ -4061,6 +4061,19 @@ Type: Documentation-only
 
 The [`util.types.isNativeError`][] API is deprecated. Please use [`Error.isError`][] instead.
 
+### DEP0198: Creating SHAKE-128 and SHAKE-256 digests without an explicit `options.outputLength`
+
+<!-- YAML
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58942
+    description: Documentation-only deprecation with support for `--pending-deprecation`.
+-->
+
+Type: Documentation-only (supports [`--pending-deprecation`][])
+
+Creating SHAKE-128 and SHAKE-256 digests without an explicit `options.outputLength` is deprecated.
+
 [DEP0142]: #dep0142-repl_builtinlibs
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3

lib/internal/crypto/hash.js

@@ -58,11 +58,24 @@ const {
   isArrayBufferView,
 } = require('internal/util/types');
 
+const { getOptionValue } = require('internal/options');
+
 const LazyTransform = require('internal/streams/lazy_transform');
 
 const kState = Symbol('kState');
 const kFinalized = Symbol('kFinalized');
 
+/**
+ * @param {string} name
+ */
+function normalizeAlgorithm(name) {
+  return name.toLowerCase().replace('-', '');
+}
+
+const pendingDeprecation = getOptionValue('--pending-deprecation');
+let shakeWarningEmitted = false;
+const shakeWarning = 'Creating SHAKE-128 and SHAKE-256 digests without an explicit options.outputLength is deprecated.';
+
 function Hash(algorithm, options) {
   if (!new.target)
     return new Hash(algorithm, options);
@@ -80,6 +93,13 @@ function Hash(algorithm, options) {
   this[kState] = {
     [kFinalized]: false,
   };
+  if (pendingDeprecation && !shakeWarningEmitted && !isCopy && xofLen === undefined) {
+    const normalized = normalizeAlgorithm(algorithm);
+    if (normalized === 'shake128' || normalized === 'shake256') {
+      process.emitWarning(shakeWarning, 'DeprecationWarning', 'DEP0198');
+      shakeWarningEmitted = true;
+    }
+  }
   ReflectApply(LazyTransform, this, [options]);
 }
 
@@ -213,6 +233,12 @@ function hash(algorithm, input, outputEncoding = 'hex') {
       }
     }
   }
+  // TODO: ideally we have to ship https://github.com/nodejs/node/pull/58121 so
+  // that a proper DEP0198 deprecation can be done here as well.
+  const normalizedAlgorithm = normalizeAlgorithm(algorithm);
+  if (normalizedAlgorithm === 'shake128' || normalizedAlgorithm === 'shake256') {
+    return new Hash(algorithm).update(input).digest(outputEncoding);
+  }
   return oneShotDigest(algorithm, getCachedHashId(algorithm), getHashCache(),
                        input, normalized, encodingsMap[normalized]);
 }

src/crypto/crypto_hash.cc

@@ -331,6 +331,18 @@ bool Hash::HashInit(const EVP_MD* md, Maybe<unsigned int> xof_md_len) {
   }
 
   md_len_ = mdctx_.getDigestSize();
+  // TODO(@panva): remove this behaviour when DEP0198 is End-Of-Life
+  if (mdctx_.hasXofFlag() && !xof_md_len.IsJust() && md_len_ == 0) {
+    const char* name = OBJ_nid2sn(EVP_MD_type(md));
+    if (name != nullptr) {
+      if (strcmp(name, "SHAKE128") == 0) {
+        md_len_ = 16;
+      } else if (strcmp(name, "SHAKE256") == 0) {
+        md_len_ = 32;
+      }
+    }
+  }
+
   if (xof_md_len.IsJust() && xof_md_len.FromJust() != md_len_) {
     // This is a little hack to cause createHash to fail when an incorrect
     // hashSize option was passed for a non-XOF hash function.

test/parallel/test-crypto-default-shake-lengths.js

@@ -0,0 +1,18 @@
+// Flags: --pending-deprecation
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { createHash } = require('crypto');
+
+common.expectWarning({
+  DeprecationWarning: {
+    DEP0198: 'Creating SHAKE-128 and SHAKE-256 digests without an explicit options.outputLength is deprecated.',
+  }
+});
+
+{
+  createHash('shake128').update('test').digest();
+}