|SUCCESS| [v2] crypto/openssl: update to OpenSSL 3.0 minimum version

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Thu May 28 13:29:59 CEST 2026


Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/164526

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-05-28

Reviewing this patch for DPDK compliance...

commit <git-sha-needed>
Author: Emma Finn <emma.finn at intel.com>

    crypto/openssl: update to OpenSSL 3.0 minimum version

[ ... ]

> diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
> index e1814fea8c..14104dbf2e 100644
> --- a/drivers/crypto/openssl/compat.h
> +++ b/drivers/crypto/openssl/compat.h
> @@ -5,7 +5,6 @@
>  #ifndef __RTA_COMPAT_H__
>  #define __RTA_COMPAT_H__
>  
> -#if OPENSSL_VERSION_NUMBER >= 0x30000000L

Does the patch remove all version-specific compatibility code but leave
the compat.h file with only OpenSSL 3.0+ functions? If OpenSSL 3.0 is
now the minimum, should compat.h be simplified further or removed
entirely, moving these functions into the main source files?

[ ... ]

> diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
> index d5a751600a..ab40012d61 100644
> --- a/drivers/crypto/openssl/openssl_pmd_private.h
> +++ b/drivers/crypto/openssl/openssl_pmd_private.h
> @@ -13,10 +13,8 @@
>  #include <openssl/dh.h>
>  #include <openssl/dsa.h>
>  #include <openssl/ec.h>
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
>  #include <openssl/provider.h>
>  #include <openssl/core_names.h>
> -#endif

[ ... ]

> @@ -84,13 +82,8 @@ struct evp_ctx_pair {
>  	EVP_CIPHER_CTX *cipher;
>  	union {
>  		EVP_MD_CTX *auth;
> -#if OPENSSL_VERSION_NUMBER >= 0x30000000L
>  		EVP_MAC_CTX *hmac;
>  		EVP_MAC_CTX *cmac;
> -#else
> -		HMAC_CTX *hmac;
> -		CMAC_CTX *cmac;
> -#endif
>  	};
>  };

[ ... ]

> @@ -153,24 +146,13 @@ struct __rte_cache_aligned openssl_session {
>  				/**< pointer to EVP key */
>  				const EVP_MD *evp_algo;
>  				/**< pointer to EVP algorithm function */
> -# if OPENSSL_VERSION_NUMBER >= 0x30000000L
>  				EVP_MAC_CTX * ctx;

The spacing "EVP_MAC_CTX * ctx" appears inconsistent. According to the
DPDK coding style guide, the asterisk should be adjacent to the
variable name: "EVP_MAC_CTX *ctx". Does this spacing issue exist in
other locations in this patch?

[ ... ]

> diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
> index c34efb8ad0..8748ef6195 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd.c
> @@ -19,35 +19,14 @@
>  #include "openssl_pmd_private.h"
>  #include "compat.h"
>  
> -#define DES_BLOCK_SIZE 8
> -
> -static uint8_t cryptodev_driver_id;
> -
> -#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
> -static HMAC_CTX *HMAC_CTX_new(void)

[ ... ]

> @@ -1298,10 +1228,6 @@ process_openssl_auth_encryption_gcm(struct rte_mbuf *mbuf_src, int offset,
>  		uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
>  {
>  	int len = 0;
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -	int unused = 0;
> -	uint8_t empty[] = {};
> -#endif
>  
>  	if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0)
>  		goto process_auth_encryption_gcm_err;

[ ... ]

> @@ -1379,10 +1302,6 @@ process_openssl_auth_decryption_gcm(struct rte_mbuf *mbuf_src, int offset,
>  		uint8_t *dst, uint8_t *tag, EVP_CIPHER_CTX *ctx)
>  {
>  	int len = 0;
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -	int unused = 0;
> -	uint8_t empty[] = {};
> -#endif

[ ... ]

> @@ -1500,17 +1413,11 @@ process_openssl_auth(struct rte_mbuf *mbuf_src, uint8_t *dst, int offset,
>  process_auth_final:
>  	/* SHAKE algorithms are XOFs and require EVP_DigestFinalXOF */
>  	if (algo == EVP_shake128() || algo == EVP_shake256()) {
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
>  		/* Set XOF output length before calling EVP_DigestFinalXOF */
>  		if (EVP_MD_CTX_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, digest_length, NULL) <= 0)
>  			goto process_auth_err;
>  		if (EVP_DigestFinalXOF(ctx, dst, digest_length) <= 0)
>  			goto process_auth_err;
> -#else
> -		RTE_SET_USED(digest_length);
> -		OPENSSL_LOG(ERR, "SHAKE algorithms require OpenSSL 3.0+");
> -		goto process_auth_err;
> -#endif
>  	} else {
>  		if (EVP_DigestFinal_ex(ctx, dst, (unsigned int *)&dstlen) <= 0)
>  			goto process_auth_err;

[ ... ]

> @@ -1695,7 +1498,7 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
>  		/* EVP_CIPHER_CTX_dup() added in OSSL 3.2 */
>  		*lctx = EVP_CIPHER_CTX_dup(sess->cipher.ctx);
>  		return *lctx;
> -#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
> +#else
>  		if (sess->chain_order == OPENSSL_CHAIN_COMBINED) {
>  			/* AESNI special-cased to use openssl_aesni_ctx_clone()
>  			 * to allow for working around lack of
> @@ -1706,10 +1509,10 @@ get_local_cipher_ctx(struct openssl_session *sess, struct openssl_qp *qp)
>  				*lctx = NULL;
>  			return *lctx;
>  		}
> -#endif
>  
>  		*lctx = EVP_CIPHER_CTX_new();
>  		EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx);
> +#endif
>  	}
>  
>  	return *lctx;
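Review bot: The fallback path at the end of the second hunk still ignores both return values: `EVP_CIPHER_CTX_new()` can return NULL and `EVP_CIPHER_CTX_copy()` returns 0 on failure, yet `*lctx` is stored and returned either way. With the `#endif` moved below these two lines, they are the only non-combined path on builds against OpenSSL older than 3.2, so a failed copy would hand the caller a context that presumably carries no key or IV state. Checking both calls and resetting `*lctx` to NULL on failure would match what the combined-chain branch just above already does. The function starts before the first hunk, so how callers treat a NULL return is not visible here.

```c
		*lctx = EVP_CIPHER_CTX_new();
		if (*lctx == NULL)
			return NULL;
		/* EVP_CIPHER_CTX_copy() returns 1 on success */
		if (EVP_CIPHER_CTX_copy(*lctx, sess->cipher.ctx) != 1) {
			EVP_CIPHER_CTX_free(*lctx);
			*lctx = NULL;
		}
		/* … unchanged: #endif, closing brace, return *lctx … */
```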

Does this restructured conditional still maintain the intended logic
flow? The previous code had three branches (3.2+, 3.0-3.2, <3.0), and
now it appears to have two branches (3.2+, else). Can this code
function correctly for all OpenSSL 3.x versions?

[ ... ]

> @@ -4085,14 +3494,12 @@ mldsa_sign_op_evp(struct rte_crypto_op *cop,
>  	case RTE_CRYPTO_AUTH_SHA3_512:
>  		check_md = EVP_sha3_512();
>  		break;
> -#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
>  	case RTE_CRYPTO_AUTH_SHAKE_128:
>  		check_md = EVP_shake128();
>  		break;
>  	case RTE_CRYPTO_AUTH_SHAKE_256:
>  		check_md = EVP_shake256();
>  		break;
> -#endif
>  	default:
>  		break;
>  	}

[ ... ]

> @@ -4590,13 +3968,12 @@ cryptodev_openssl_create(const char *name,
>  
>  	rte_cryptodev_pmd_probing_finish(dev);
>  
> -# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
>  	/* Load legacy provider
>  	 * Some algorithms are no longer available in earlier version of openssl,
>  	 * unless the legacy provider explicitly loaded. e.g. DES
>  	 */
>  	ossl_legacy_provider_load();
> -# endif
> +

Does the comment text "in earlier version of openssl" need updating
since the patch is explicitly removing support for earlier versions?
Should it read "in earlier versions of OpenSSL" or be updated to
reflect that DES requires the legacy provider in OpenSSL 3.x?

