Mention that SHA2 is vulnerable to length extension attacks.

src/libsodium/include/sodium/crypto_hash.h

@@ -1,6 +1,13 @@
 #ifndef crypto_hash_H
 #define crypto_hash_H
 
+/*
+ * WARNING: Unless you absolutely need to use SHA512 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA512, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
 #include <stddef.h>
 
 #include "crypto_hash_sha512.h"

src/libsodium/include/sodium/crypto_hash_sha256.h

@@ -1,6 +1,13 @@
 #ifndef crypto_hash_sha256_H
 #define crypto_hash_sha256_H
 
+/*
+ * WARNING: Unless you absolutely need to use SHA256 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA256, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>

src/libsodium/include/sodium/crypto_hash_sha512.h

@@ -1,6 +1,13 @@
 #ifndef crypto_hash_sha512_H
 #define crypto_hash_sha512_H
 
+/*
+ * WARNING: Unless you absolutely need to use SHA512 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA512, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
 #include <stddef.h>
 #include <stdint.h>
 #include <stdlib.h>