@vcsjones
Member

This is an alternative to #120989.

This makes SHA-3 required for OpenSSL, effectively making our OpenSSL minimum 1.1.1.

@vcsjones vcsjones requested a review from bartonjs October 24, 2025 01:16
@vcsjones vcsjones self-assigned this Oct 24, 2025
@Copilot Copilot AI review requested due to automatic review settings October 24, 2025 01:16
Contributor

Copilot AI left a comment

Pull Request Overview

This PR makes SHA-3 support required when using OpenSSL, effectively establishing OpenSSL 1.1.1 as the minimum supported version. Previously, SHA-3 was treated as an optional "light-up" feature that was conditionally available.

Key changes:

  • Removes conditional compilation and runtime checks for SHA-3 availability
  • Simplifies code by treating SHA-3 algorithms (SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256) as always available
  • Converts SHA-3 functions from LIGHTUP_FUNCTION to REQUIRED_FUNCTION in the OpenSSL shim layer

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pal_evp.c | Removes BUILD_MD_FETCH_LIGHTUP_SHA3 macro and conditional SHA-3 support; converts SHA-3 digest functions to use standard BUILD_MD_FETCH macro |
| pal_crypto_config.h.in | Removes HAVE_OPENSSL_SHA3 configuration option |
| opensslshim.h | Removes SHA-3 function declarations for older OpenSSL versions; changes SHA-3 functions from LIGHTUP to REQUIRED |
| configure.cmake | Removes CMake check for EVP_sha3_256 function existence |
| Interop.EVP.DigestAlgs.cs | Simplifies SHA-3 caching logic and removes platform availability checks; converts switch to switch expression |

@dotnet-policy-service
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones
Member Author

vcsjones commented Oct 24, 2025

n.b. there is still a lot of cleanup that can be done if we remove all of the 1.1.0 and 1.0.x compatibility. However this PR is partially serving to gauge appetite for this change before I invest too much in cleanup.

@vcsjones vcsjones merged commit 4562739 into dotnet:main Oct 24, 2025
102 checks passed
@vcsjones vcsjones deleted the openssl-req-sha3 branch October 24, 2025 18:56