[dpdk-dev v1] crypto/openssl: openssl 3.0 support on asym crypto routine

[Kai Ji <kai.ji@intel.com>]

This patch update the asymmetric RSA and DH routine in crypto
openssl pmd to adopt openssl 3.0 EVP library.

Signed-off-by: Kai Ji <kai.ji@intel.com>
---
 drivers/crypto/openssl/compat.h              |  43 ++-
 drivers/crypto/openssl/openssl_pmd_private.h |  11 +
 drivers/crypto/openssl/rte_openssl_pmd.c     | 288 ++++++++++++++++++-
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 151 +++++++++-
 4 files changed, 489 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/openssl/compat.h b/drivers/crypto/openssl/compat.h
index eecb7d3698..80b1493a5f 100644
--- a/drivers/crypto/openssl/compat.h
+++ b/drivers/crypto/openssl/compat.h
@@ -104,8 +104,49 @@ get_dsa_priv_key(DSA *dsa, BIGNUM **priv_key)
 	*priv_key = dsa->priv_key;
 }
 
-#else
+#elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+static __rte_always_inline int
+set_dsa_params(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	return !(DSA_set0_pqg(dsa, p, q, g));
+}
+
+static __rte_always_inline void
+set_dsa_priv_key(DSA *dsa, BIGNUM *priv_key)
+{
+	DSA_set0_key(dsa, NULL, priv_key);
+}
+
+static __rte_always_inline void
+set_dsa_sign(DSA_SIG *sign, BIGNUM *r, BIGNUM *s)
+{
+	DSA_SIG_set0(sign, r, s);
+}
+
+static __rte_always_inline void
+get_dsa_sign(DSA_SIG *sign, const BIGNUM **r, const BIGNUM **s)
+{
+	DSA_SIG_get0(sign, r, s);
+}
 
+static __rte_always_inline int
+set_dsa_keys(DSA *dsa, BIGNUM *pub, BIGNUM *priv)
+{
+	return !(DSA_set0_key(dsa, pub, priv));
+}
+
+static __rte_always_inline void
+set_dsa_pub_key(DSA *dsa, BIGNUM *pub_key)
+{
+	DSA_set0_key(dsa, pub_key, NULL);
+}
+
+static __rte_always_inline void
+get_dsa_priv_key(DSA *dsa, const BIGNUM **priv_key)
+{
+	DSA_get0_key(dsa, NULL, priv_key);
+}
+#else
 static __rte_always_inline int
 set_rsa_params(RSA *rsa, BIGNUM *p, BIGNUM *q)
 {
diff --git a/drivers/crypto/openssl/openssl_pmd_private.h b/drivers/crypto/openssl/openssl_pmd_private.h
index 86dc169aaf..aef12c3e21 100644
--- a/drivers/crypto/openssl/openssl_pmd_private.h
+++ b/drivers/crypto/openssl/openssl_pmd_private.h
@@ -12,6 +12,11 @@
 #include <openssl/dh.h>
 #include <openssl/dsa.h>
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#endif
+
 #define CRYPTODEV_NAME_OPENSSL_PMD	crypto_openssl
 /**< Open SSL Crypto PMD device name */
 
@@ -157,6 +162,9 @@ struct openssl_asym_session {
 	union {
 		struct rsa {
 			RSA *rsa;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+			EVP_PKEY_CTX * ctx;
+#endif
 		} r;
 		struct exp {
 			BIGNUM *exp;
@@ -170,6 +178,9 @@ struct openssl_asym_session {
 		struct dh {
 			DH *dh_key;
 			uint32_t key_op;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+			OSSL_PARAM_BLD * param_bld;
+#endif
 		} dh;
 		struct {
 			DSA *dsa;
diff --git a/drivers/crypto/openssl/rte_openssl_pmd.c b/drivers/crypto/openssl/rte_openssl_pmd.c
index 5840ab472e..e423114c08 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd.c
@@ -43,6 +43,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
 
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
+#include <openssl/param_build.h>
 
 #define MAX_OSSL_ALGO_NAME_SIZE		16
 
@@ -1845,6 +1846,134 @@ process_openssl_dsa_verify_op(struct rte_crypto_op *cop,
 	return 0;
 }
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+/* process dh operation */
+static int
+process_openssl_dh_op_evp(struct rte_crypto_op *cop,
+		struct openssl_asym_session *sess)
+{
+	struct rte_crypto_dh_op_param *op = &cop->asym->dh;
+	OSSL_PARAM_BLD *param_bld = sess->u.dh.param_bld;
+	OSSL_PARAM *params = NULL;
+	EVP_PKEY *dhpkey = NULL;
+	BIGNUM *priv_key = NULL;
+	BIGNUM *pub_key = NULL;
+
+	EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
+	if (dh_ctx == NULL || param_bld == NULL) {
+		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+		return -1;
+	}
+
+	params = OSSL_PARAM_BLD_to_param(param_bld);
+	if (params == NULL) {
+		EVP_PKEY_CTX_free(dh_ctx);
+		cop->status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
+		return -1;
+	}
+
+	if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+		pub_key = BN_bin2bn(op->pub_key.data, op->pub_key.length,
+					pub_key);
+		if (pub_key == NULL)
+			goto err;
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PUB_KEY,
+			pub_key)) {
+			OPENSSL_LOG(ERR, "Failed to set public key\n");
+			BN_free(pub_key);
+			goto err;
+		}
+	}
+
+	if ((sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) &&
+			!(sess->u.dh.key_op &
+			(1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE))) {
+
+		priv_key = BN_bin2bn(op->priv_key.data, op->priv_key.length,
+					priv_key);
+		if (priv_key == NULL)
+			goto err;
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_PRIV_KEY,
+				priv_key)) {
+			OPENSSL_LOG(ERR, "Failed to set private key\n");
+			BN_free(priv_key);
+			goto err;
+		}
+	}
+
+	if (EVP_PKEY_keygen_init(dh_ctx) != 1)
+		goto err;
+
+	if (EVP_PKEY_CTX_set_params(dh_ctx, params) != 1)
+		goto err;
+
+	if (EVP_PKEY_keygen(dh_ctx, &dhpkey) != 1)
+		goto err;
+
+	if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PUBLIC_KEY_GENERATE)) {
+		OPENSSL_LOG(DEBUG, "%s:%d updated pub key\n", __func__, __LINE__);
+		if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key))
+			goto err;
+				/* output public key */
+		op->pub_key.length = BN_bn2bin(pub_key, op->pub_key.data);
+	}
+
+	if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_PRIVATE_KEY_GENERATE)) {
+
+		OPENSSL_LOG(DEBUG, "%s:%d updated priv key\n", __func__, __LINE__);
+		if (!EVP_PKEY_get_bn_param(dhpkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key))
+			goto err;
+
+		/* provide generated private key back to user */
+		op->priv_key.length = BN_bn2bin(priv_key, op->priv_key.data);
+	}
+
+	if (sess->u.dh.key_op & (1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+		size_t skey_len;
+		EVP_PKEY *peerkey = dhpkey;
+		EVP_PKEY_CTX *sc_ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
+
+		if (EVP_PKEY_derive_init(sc_ctx) <= 0)
+			goto err;
+
+		if (EVP_PKEY_CTX_set_params(sc_ctx, params) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err;
+		}
+
+		if (EVP_PKEY_derive_set_peer(sc_ctx, peerkey) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err;
+		}
+		/* Determine buffer length */
+		if (EVP_PKEY_derive(sc_ctx, NULL, &skey_len) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err;
+		}
+
+		if (EVP_PKEY_derive(sc_ctx, op->shared_secret.data, &skey_len) <= 0) {
+			EVP_PKEY_CTX_free(sc_ctx);
+			goto err;
+		}
+
+		op->shared_secret.length = skey_len;
+		EVP_PKEY_free(peerkey);
+		EVP_PKEY_CTX_free(sc_ctx);
+	}
+
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+	return 0;
+
+ err:
+	EVP_PKEY_CTX_free(dh_ctx);
+	OSSL_PARAM_free(params);
+	OSSL_PARAM_BLD_free(param_bld);
+	cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	return -1;
+}
+# else
 /* process dh operation */
 static int
 process_openssl_dh_op(struct rte_crypto_op *cop,
@@ -1857,6 +1986,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
 
 	if (sess->u.dh.key_op &
 			(1 << RTE_CRYPTO_ASYM_OP_SHARED_SECRET_COMPUTE)) {
+
 		/* compute shared secret using peer public key
 		 * and current private key
 		 * shared secret = peer_key ^ priv_key mod p
@@ -1887,7 +2017,6 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
 			BN_free(priv_key);
 			return 0;
 		}
-
 		ret = DH_compute_key(
 				op->shared_secret.data,
 				peer_key, dh_key);
@@ -1983,6 +2112,7 @@ process_openssl_dh_op(struct rte_crypto_op *cop,
 	return 0;
 }
 
+#endif
 /* process modinv operation */
 static int
 process_openssl_modinv_op(struct rte_crypto_op *cop,
@@ -2048,6 +2178,153 @@ process_openssl_modexp_op(struct rte_crypto_op *cop,
 	return 0;
 }
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+/* process rsa operations */
+static int
+process_openssl_rsa_op_evp(struct rte_crypto_op *cop,
+		struct openssl_asym_session *sess)
+{
+	struct rte_crypto_asym_op *op = cop->asym;
+	uint32_t pad = (op->rsa.pad);
+	uint8_t *tmp;
+
+	size_t outlen = 0;
+	EVP_PKEY_CTX *rsa_ctx = sess->u.r.ctx;
+	if (!rsa_ctx)
+		return -1;
+
+	cop->status = RTE_CRYPTO_OP_STATUS_SUCCESS;
+
+	switch (pad) {
+	case RTE_CRYPTO_RSA_PADDING_PKCS1_5:
+		pad = RSA_PKCS1_PADDING;
+		break;
+	case RTE_CRYPTO_RSA_PADDING_NONE:
+		pad = RSA_NO_PADDING;
+		break;
+	default:
+		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		OPENSSL_LOG(ERR,
+				"rsa pad type not supported %d\n", pad);
+		return -1;
+	}
+
+	switch (op->rsa.op_type) {
+	case RTE_CRYPTO_ASYM_OP_ENCRYPT:
+		if (EVP_PKEY_encrypt_init(rsa_ctx) != 1)
+			goto err;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err;
+
+		if (EVP_PKEY_encrypt(rsa_ctx, NULL, &outlen,
+							op->rsa.message.data,
+							op->rsa.message.length) <= 0)
+			goto err;
+
+		if (outlen <= 0)
+			goto err;
+
+		if (EVP_PKEY_encrypt(rsa_ctx, op->rsa.cipher.data, &outlen,
+							op->rsa.message.data,
+							op->rsa.message.length) <= 0)
+			goto err;
+		op->rsa.cipher.length = outlen;
+
+		OPENSSL_LOG(DEBUG,
+				"length of encrypted text %zu\n", outlen);
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_DECRYPT:
+		if (EVP_PKEY_decrypt_init(rsa_ctx) != 1)
+			goto err;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err;
+
+		if (EVP_PKEY_decrypt(rsa_ctx, NULL, &outlen,
+							op->rsa.cipher.data,
+							op->rsa.cipher.length) <= 0)
+			goto err;
+
+		if (outlen <= 0)
+			goto err;
+
+		if (EVP_PKEY_decrypt(rsa_ctx, op->rsa.message.data, &outlen,
+							op->rsa.cipher.data,
+							op->rsa.cipher.length) <= 0)
+			goto err;
+		op->rsa.message.length = outlen;
+
+		OPENSSL_LOG(DEBUG,
+				"length of decrypted text %zu\n", outlen);
+		break;
+	case RTE_CRYPTO_ASYM_OP_SIGN:
+		if (EVP_PKEY_sign_init(rsa_ctx) <= 0)
+			goto err;
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0)
+			goto err;
+
+		if (EVP_PKEY_sign(rsa_ctx, op->rsa.sign.data, &outlen,
+							op->rsa.message.data,
+							op->rsa.message.length) <= 0)
+			goto err;
+		op->rsa.sign.length = outlen;
+		break;
+
+	case RTE_CRYPTO_ASYM_OP_VERIFY:
+		tmp = rte_malloc(NULL, op->rsa.sign.length, 0);
+		if (tmp == NULL) {
+			OPENSSL_LOG(ERR, "Memory allocation failed");
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+		}
+
+		if (EVP_PKEY_verify_recover_init(rsa_ctx) <= 0) {
+			rte_free(tmp);
+			goto err;
+		}
+
+		if (EVP_PKEY_CTX_set_rsa_padding(rsa_ctx, pad) <= 0) {
+			rte_free(tmp);
+			goto err;
+		}
+
+
+		if (EVP_PKEY_verify_recover(rsa_ctx, tmp, &outlen,
+							op->rsa.sign.data,
+							op->rsa.sign.length) <= 0) {
+			rte_free(tmp);
+			goto err;
+		}
+
+		OPENSSL_LOG(DEBUG,
+				"Length of public_decrypt %zu "
+				"length of message %zd\n",
+				outlen, op->rsa.message.length);
+		if (CRYPTO_memcmp(tmp, op->rsa.message.data,
+				op->rsa.message.length)) {
+			OPENSSL_LOG(ERR, "RSA sign Verification failed");
+			cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+		}
+		rte_free(tmp);
+		break;
+
+	default:
+		/* allow ops with invalid args to be pushed to
+		 * completion queue
+		 */
+		cop->status = RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+		break;
+	}
+
+	return 0;
+err:
+	cop->status = RTE_CRYPTO_OP_STATUS_ERROR;
+	return -1;
+
+}
+#else
 /* process rsa operations */
 static int
 process_openssl_rsa_op(struct rte_crypto_op *cop,
@@ -2147,6 +2424,7 @@ process_openssl_rsa_op(struct rte_crypto_op *cop,
 
 	return 0;
 }
+#endif
 
 static int
 process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
@@ -2158,7 +2436,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		retval = process_openssl_rsa_op_evp(op, sess);
+# else
 		retval = process_openssl_rsa_op(op, sess);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		retval = process_openssl_modexp_op(op, sess);
@@ -2167,7 +2449,11 @@ process_asym_op(struct openssl_qp *qp, struct rte_crypto_op *op,
 		retval = process_openssl_modinv_op(op, sess);
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DH:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		retval = process_openssl_dh_op_evp(op, sess);
+# else
 		retval = process_openssl_dh_op(op, sess);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
 		if (op->asym->dsa.op_type == RTE_CRYPTO_ASYM_OP_SIGN)
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 52715f86f8..26ca680661 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -11,6 +11,13 @@
 #include "openssl_pmd_private.h"
 #include "compat.h"
 
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
+
+#endif
 
 static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 	{	/* MD5 HMAC */
@@ -820,6 +827,117 @@ static int openssl_set_asym_session_parameters(
 	switch (xform->xform_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
 	{
+
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		BIGNUM *n = NULL;
+		BIGNUM *e = NULL;
+		BIGNUM *d = NULL;
+		BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL;
+		BIGNUM *iqmp = NULL, *dmq1 = NULL;
+		OSSL_PARAM_BLD *param_bld = NULL;
+
+		/* copy xfrm data into rsa struct */
+		n = BN_bin2bn((const unsigned char *)xform->rsa.n.data,
+				xform->rsa.n.length, n);
+		e = BN_bin2bn((const unsigned char *)xform->rsa.e.data,
+				xform->rsa.e.length, e);
+
+		param_bld = OSSL_PARAM_BLD_new();
+		if (!param_bld) {
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_rsa;
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_RSA_E, e)) {
+			OSSL_PARAM_BLD_free(param_bld);
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_rsa;
+		}
+
+		if (xform->rsa.key_type == RTE_RSA_KEY_TYPE_EXP) {
+			d = BN_bin2bn(
+			(const unsigned char *)xform->rsa.d.data,
+			xform->rsa.d.length,
+			d);
+			if (!d) {
+				OSSL_PARAM_BLD_free(param_bld);
+				goto err_rsa;
+			}
+		} else {
+			p = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.p.data,
+					xform->rsa.qt.p.length,
+					p);
+			q = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.q.data,
+					xform->rsa.qt.q.length,
+					q);
+			dmp1 = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.dP.data,
+					xform->rsa.qt.dP.length,
+					dmp1);
+			dmq1 = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.dQ.data,
+					xform->rsa.qt.dQ.length,
+					dmq1);
+			iqmp = BN_bin2bn((const unsigned char *)
+					xform->rsa.qt.qInv.data,
+					xform->rsa.qt.qInv.length,
+					iqmp);
+
+			if (!p || !q || !dmp1 || !dmq1 || !iqmp) {
+				OSSL_PARAM_BLD_free(param_bld);
+				goto err_rsa;
+			}
+
+			if (!OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_FACTOR1, p)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_FACTOR2, q)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1)
+				|| !OSSL_PARAM_BLD_push_BN(param_bld,
+							OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp)) {
+				OSSL_PARAM_BLD_free(param_bld);
+				OPENSSL_LOG(ERR, "failed to allocate resources\n");
+				goto err_rsa;
+			}
+		}
+
+		if (!OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e)
+			|| !OSSL_PARAM_BLD_push_BN(param_bld,
+						OSSL_PKEY_PARAM_RSA_D, d)) {
+			OSSL_PARAM_BLD_free(param_bld);
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			goto err_rsa;
+		}
+
+		EVP_PKEY_CTX *key_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
+		EVP_PKEY *pkey = NULL;
+		EVP_PKEY_CTX *rsa_ctx = NULL;
+		OSSL_PARAM *params = NULL;
+
+		params = OSSL_PARAM_BLD_to_param(param_bld);
+		if (!params)
+			return -1;
+
+		if (key_ctx == NULL
+			|| EVP_PKEY_fromdata_init(key_ctx) <= 0
+			|| EVP_PKEY_fromdata(key_ctx, &pkey,
+					EVP_PKEY_KEYPAIR, params) <= 0) {
+			OSSL_PARAM_BLD_free(param_bld);
+			return -1;
+		}
+		rsa_ctx = EVP_PKEY_CTX_new(pkey, NULL);
+		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
+		asym_session->u.r.ctx = rsa_ctx;
+		break;
+#else
 		BIGNUM *n = NULL;
 		BIGNUM *e = NULL;
 		BIGNUM *d = NULL;
@@ -904,6 +1022,7 @@ static int openssl_set_asym_session_parameters(
 		asym_session->u.r.rsa = rsa;
 		asym_session->xfrm_type = RTE_CRYPTO_ASYM_XFORM_RSA;
 		break;
+#endif
 err_rsa:
 		BN_clear_free(n);
 		BN_clear_free(e);
@@ -990,7 +1109,29 @@ static int openssl_set_asym_session_parameters(
 		if (!p || !g)
 			goto err_dh;
 
-		DH *dh = DH_new();
+		DH *dh = NULL;
+
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		OSSL_PARAM_BLD *param_bld = NULL;
+		param_bld = OSSL_PARAM_BLD_new();
+		if (!param_bld) {
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			return -1;
+		}
+		if ((!OSSL_PARAM_BLD_push_utf8_string(param_bld,
+					"group", "ffdhe2048", 0))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_FFC_P, p))
+			|| (!OSSL_PARAM_BLD_push_BN(param_bld,
+					OSSL_PKEY_PARAM_FFC_G, g))) {
+			OSSL_PARAM_BLD_free(param_bld);
+			OPENSSL_LOG(ERR, "failed to allocate resources\n");
+			return -1;
+		}
+
+		asym_session->u.dh.param_bld = param_bld;
+#else
+		dh = DH_new();
 		if (dh == NULL) {
 			OPENSSL_LOG(ERR,
 				"failed to allocate resources\n");
@@ -1001,7 +1142,7 @@ static int openssl_set_asym_session_parameters(
 			DH_free(dh);
 			goto err_dh;
 		}
-
+#endif
 		/*
 		 * setup xfrom for
 		 * public key generate, or
@@ -1037,6 +1178,7 @@ static int openssl_set_asym_session_parameters(
 		BN_free(p);
 		BN_free(g);
 		return -1;
+
 	}
 	case RTE_CRYPTO_ASYM_XFORM_DSA:
 	{
@@ -1174,8 +1316,13 @@ static void openssl_reset_asym_session(struct openssl_asym_session *sess)
 {
 	switch (sess->xfrm_type) {
 	case RTE_CRYPTO_ASYM_XFORM_RSA:
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+		if (sess->u.r.ctx)
+			EVP_PKEY_CTX_free(sess->u.r.ctx);
+#else
 		if (sess->u.r.rsa)
 			RSA_free(sess->u.r.rsa);
+#endif
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_MODEX:
 		if (sess->u.e.ctx) {
-- 
2.17.1