Use a bit-size in the algorithm name

Call it “SHAKE256-512”, just like SHA3-512 has 512 bits of output.
SHAKE256-64 looks like it's 64 bits of output, but this is 64 bytes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

include/psa/crypto_values.h

@@ -803,13 +803,13 @@
 #define PSA_ALG_SHA3_384                        ((psa_algorithm_t)0x02000012)
 /** SHA3-512 */
 #define PSA_ALG_SHA3_512                        ((psa_algorithm_t)0x02000013)
-/** The first 64 bytes of the SHAKE256 output.
+/** The first 512 bits (64 bytes) of the SHAKE256 output.
  *
  * This is the prehashing for Ed448ph (see #PSA_ALG_ED448PH). For other
  * scenarios where a hash function based on SHA3/SHAKE is desired, SHA3-512
  * has the same output size and a (theoretically) higher security strength.
  */
-#define PSA_ALG_SHAKE256_64                     ((psa_algorithm_t)0x02000015)
+#define PSA_ALG_SHAKE256_512                    ((psa_algorithm_t)0x02000015)
 
 /** In a hash-and-sign algorithm policy, allow any hash algorithm.
  *
@@ -1448,13 +1448,13 @@
  * - or calculate the first 64 bytes of the SHAKE256 output of the message
  *   with psa_hash_compute()
  *   or with a multi-part hash operation started with psa_hash_setup(),
- *   using the hash algorithm #PSA_ALG_SHAKE256_64,
+ *   using the hash algorithm #PSA_ALG_SHAKE256_512,
  *   then sign the calculated hash with psa_sign_hash().
  * Verifying a signature is similar, using psa_verify_message() or
  * psa_verify_hash() instead of the signature function.
  */
 #define PSA_ALG_ED448PH                                 \
-    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_64 & PSA_ALG_HASH_MASK))
+    (PSA_ALG_HASH_EDDSA_BASE | (PSA_ALG_SHAKE256_512 & PSA_ALG_HASH_MASK))
 
 /* Default definition, to be overridden if the library is extended with
  * more hash-and-sign algorithms that we want to keep out of this header

programs/psa/psa_constant_names_generated.c

@@ -67,7 +67,7 @@ static const char *psa_hash_algorithm_name(psa_algorithm_t hash_alg)
     case PSA_ALG_SHA3_256: return "PSA_ALG_SHA3_256";
     case PSA_ALG_SHA3_384: return "PSA_ALG_SHA3_384";
     case PSA_ALG_SHA3_512: return "PSA_ALG_SHA3_512";
-    case PSA_ALG_SHAKE256_64: return "PSA_ALG_SHAKE256_64";
+    case PSA_ALG_SHAKE256_512: return "PSA_ALG_SHAKE256_512";
     case PSA_ALG_SHA_1: return "PSA_ALG_SHA_1";
     case PSA_ALG_SHA_224: return "PSA_ALG_SHA_224";
     case PSA_ALG_SHA_256: return "PSA_ALG_SHA_256";
@@ -231,7 +231,7 @@ static int psa_snprint_algorithm(char *buffer, size_t buffer_size,
     case PSA_ALG_SHA3_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_256", 16); break;
     case PSA_ALG_SHA3_384: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_384", 16); break;
     case PSA_ALG_SHA3_512: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA3_512", 16); break;
-    case PSA_ALG_SHAKE256_64: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHAKE256_64", 19); break;
+    case PSA_ALG_SHAKE256_512: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHAKE256_512", 20); break;
     case PSA_ALG_SHA_1: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_1", 13); break;
     case PSA_ALG_SHA_224: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_224", 15); break;
     case PSA_ALG_SHA_256: append(&buffer, buffer_size, &required_size, "PSA_ALG_SHA_256", 15); break;