From ffa1cf69aaf6a2eeabb96cc1326aa4ac24e7f0d9 Mon Sep 17 00:00:00 2001 From: Ryan Farley Date: Fri, 6 Dec 2024 06:21:45 -0600 Subject: [PATCH] openssl-dgst: Document that xoflen is required for shake With b911fef216d1386210ec24e201d54d709528abb4, there is no longer a default xoflen for shake algorithms. Update the manual to reflect this. Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26129) --- doc/man1/openssl-dgst.pod.in | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/doc/man1/openssl-dgst.pod.in b/doc/man1/openssl-dgst.pod.in index e50fa55d7b..c5f6872e7d 100644 --- a/doc/man1/openssl-dgst.pod.in +++ b/doc/man1/openssl-dgst.pod.in 
@@ -89,17 +89,19 @@ Output the digest or signature in binary form. Set the output length for XOF algorithms, such as B and B. This option is not supported for signing operations. -For OpenSSL providers it is recommended to set this value for shake algorithms, -since the default values are set to only supply half of the maximum security -strength. +For OpenSSL providers it is required to set this value for shake algorithms, +since the previous default values were only set to supply half of the maximum +security strength. -For backwards compatibility reasons the default xoflen length for B is -16 (bytes) which results in a security strength of only 64 bits. To ensure the -maximum security strength of 128 bits, the xoflen should be set to at least 32. +To ensure the maximum security strength of 128 bits, the xoflen for B +should be set to at least 32 (bytes). For compatibility with previous versions +of OpenSSL, it may be set to 16, resulting in a security strength of only 64 +bits. -For backwards compatibility reasons the default xoflen length for B is -32 (bytes) which results in a security strength of only 128 bits. To ensure the -maximum security strength of 256 bits, the xoflen should be set to at least 64. +To ensure the maximum security strength of 256 bits, the xoflen for B +should be set to at least 64 (bytes). For compatibility with previous versions +of OpenSSL, it may be set to 32, resulting in a security strength of only 128 +bits. =item B<-r>
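Review bot: The rewritten first paragraph of the -xoflen entry says the value "is required" for shake algorithms but never says what the command does when the option is omitted, and the "since the previous default values were only set to supply half of the maximum security strength" clause explains why the defaults were removed rather than why the option is now mandatory. Suggest stating the behaviour on omission directly and putting the rationale in its own sentence. "Previous versions of OpenSSL" in the two paragraphs that follow is not tied to any release, so a HISTORY entry naming the version in which the default went away would tell readers which outputs the 16 and 32 byte values reproduce. The compatibility sentences would also read more safely if they said those two lengths are only for matching output from older versions, since they give 64 and 128 bits rather than the 128 and 256 bits each paragraph opens with.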