|SUCCESS| [v1] crypto/openssl: update to OpenSSL 3.0 minimum version
dpdklab at iol.unh.edu
dpdklab at iol.unh.edu
Wed May 27 23:38:01 CEST 2026
Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/164490
_AI Code Review_
=== Patch Review: series.patch (via Claude) ===
Review date: 2026-05-27
I'll review this patch which updates the OpenSSL PMD to require OpenSSL 3.0 as the minimum version.
**Commit:** Update OpenSSL crypto PMD to require OpenSSL 3.0 minimum version
**Author:** Emma Finn <emma.finn at intel.com>
**Subject:** [v1] crypto/openssl: update to OpenSSL 3.0 minimum version
This patch removes compatibility code for OpenSSL versions 1.0.1, 1.1.0,
and 1.1.1, requiring OpenSSL 3.0.0 as the minimum supported version.
```
> diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
> index e1814fea8c..14104dbf2e 100644
> --- a/drivers/crypto/openssl/compat.h
> +++ b/drivers/crypto/openssl/compat.h
> @@ -5,7 +5,6 @@
> #ifndef __RTA_COMPAT_H__
> #define __RTA_COMPAT_H__
>
> -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> static __rte_always_inline void
> free_hmac_ctx(EVP_MAC_CTX *ctx)
> {
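Review bot: With the `OPENSSL_VERSION_NUMBER` guard dropped here, nothing in the visible hunks turns a build against an older OpenSSL into a clear diagnostic; it would presumably stop on unknown types such as `EVP_MAC_CTX` instead. If the build system does not already enforce the 3.0 floor (not visible on this page), a guard next to the OpenSSL includes would state the requirement in one place: `#if OPENSSL_VERSION_NUMBER < 0x30000000L` / `#error "crypto/openssl requires OpenSSL >= 3.0"` / `#endif`. The body of free_hmac_ctx() continues outside the hunk.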
[ ... ]
> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
> index d5a751600a..ab40012d61 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -13,10 +13,8 @@
> #include <openssl/dh.h>
> #include <openssl/dsa.h>
> #include <openssl/ec.h>
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> #include <openssl/provider.h>
> #include <openssl/core_names.h>
> -#endif
[ ... ]
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
> index c34efb8ad0..8748ef6195 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -19,35 +19,14 @@
> #include "openssl_pmd_private.h"
> #include "compat.h"
>
> -#define DES_BLOCK_SIZE 8
> -
> -static uint8_t cryptodev_driver_id;
> -
> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> -static HMAC_CTX *HMAC_CTX_new(void)
> -{
> - HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
> -
> - if (ctx != NULL)
> - HMAC_CTX_init(ctx);
> - return ctx;
> -}
Does this code leak ctx if HMAC_CTX_init() fails? Since this entire code
block is being removed, it's not a regression in this patch, but it's worth
noting the existing code doesn't check the init result before returning ctx.
> @@ -1695,7 +1498,7 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
> /* EVP_CIPHER_CTX_dup() added in OSSL 3.2 */
> *lctx = EVP_CIPHER_CTX_dup(sess->cipher.ctx);
> return *lctx;
> -#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
> +#else
> if (sess->chain_order == OPENSSL_CHAIN_COMBINED) {
> /* AESNI special-cased to use openssl_aesni_ctx_clone()
> * to allow for working around lack of
> @@ -1706,10 +1509,10 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
> *lctx = NULL;
> return *lctx;
> }
> -#endif
>
> *lctx = EVP_CIPHER_CTX_new();
> EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx);
> +#endif
> }
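Review bot: The result of `EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx);` is discarded in the last statement before the new `#endif`, so a failed copy leaves a freshly allocated context without the session's key and parameters in `*lctx`, and the function returns as if it were usable. Checking for the documented success value and falling back to the NULL result that the combined-chain branch above already returns would make the failure visible: `if (EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx) != 1) { EVP_CIPHER_CTX_free(*lctx); *lctx = NULL; }`. How callers treat a NULL context cannot be seen here, because get_local_cipher_ctx() begins outside the hunk.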
Does this code check the return value of EVP_CIPHER_CTX_new() before
calling EVP_CIPHER_CTX_copy()? If EVP_CIPHER_CTX_new() returns NULL, the
copy operation would be called with a NULL pointer.
> @@ -2055,13 +1828,8 @@ process_openssl_auth_op(struct openssl_qp *qp, struct rte_crypto_op *op,
> uint8_t *dst;
> int srclen, status;
> EVP_MD_CTX *ctx_a;
> -# if OPENSSL_VERSION_NUMBER >= 0x30000000L
> EVP_MAC_CTX *ctx_h;
> EVP_MAC_CTX *ctx_c;
> -# else
> - HMAC_CTX *ctx_h;
> - CMAC_CTX *ctx_c;
> -# endif
[ ... ]
> @@ -4590,13 +3968,12 @@ cryptodev_openssl_create(const char *name,
>
> rte_cryptodev_pmd_probing_finish(dev);
>
> -# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> /* Load legacy provider
> * Some algorithms are no longer available in earlier version of openssl,
> * unless the legacy provider explicitly loaded. e.g. DES
> */
> ossl_legacy_provider_load();
> -# endif
> +
> return 0;
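Review bot: The call `ossl_legacy_provider_load();` is a bare statement directly before `return 0;`, so whatever status it produces never reaches the caller of cryptodev_openssl_create(). Its definition is not in the hunk; if it can report failure, a host without the legacy provider would create the device successfully and only fail later when a DES-class session is set up. Assuming it returns non-zero on failure, logging it at this point would be enough, for example `if (ossl_legacy_provider_load() != 0) OPENSSL_LOG(WARNING, "legacy provider not loaded");`. The function begins outside the hunk, so an existing error path above could not be checked.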
The comment text still references "earlier version of openssl" which may be
confusing now that only OpenSSL 3.0+ is supported. Does this comment need
to be updated to clarify which algorithms in OpenSSL 3.0+ require the
legacy provider?
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index 4e5fb07bb2..d927cc5228 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -10,11 +10,9 @@
>
> #include "openssl_pmd_private.h"
> #include "compat.h"
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> #include <openssl/provider.h>
> #include <openssl/core_names.h>
> #include <openssl/param_build.h>
> -#endif
[ ... ]
> @@ -1323,79 +1318,7 @@ static int openssl_set_asym_session_parameters(
> OSSL_PARAM_BLD_free(param_bld);
> OSSL_PARAM_free(params);
> ret = 0;
> -#else
> - RSA *rsa = RSA_new();
[ ... large removed block ... ]
> @@ -1727,14 +1547,9 @@ static int openssl_set_asym_session_parameters(
> asym_session->u.ec.curve_id = xform->ec.curve_id;
> asym_session->u.ec.group = ecgrp;
> break;
> -#else
> - OPENSSL_LOG(WARNING, "ECFPM unsupported for OpenSSL Version < 3.0");
> - return -ENOTSUP;
> -#endif
> }
> case RTE_CRYPTO_ASYM_XFORM_SM2:
> {
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
> #ifndef OPENSSL_NO_SM2
> OSSL_PARAM_BLD *param_bld = NULL;
> OSSL_PARAM *params = NULL;
> @@ -1818,10 +1633,6 @@ static int openssl_set_asym_session_parameters(
> #else
> OPENSSL_LOG(WARNING, "SM2 unsupported in current OpenSSL Version");
> return -ENOTSUP;
> -#endif
> -#else
> - OPENSSL_LOG(WARNING, "SM2 unsupported for OpenSSL Version < 3.0");
> - return -ENOTSUP;
> #endif
> }
```
Overall, the patch correctly removes old OpenSSL version compatibility code.
A few questions remain about error handling in the remaining code paths and
one comment that could be clarified.