Remove legacy CRYPTO_THREAD_lock usage and update ECX key management for OpenSSL 3.x

bjayanax · Yogaraj-Alamenda · commit 0e3dd5b7632d · 2025-06-24T17:34:23.000+05:30
- Eliminated conditional code for CRYPTO_THREAD_lock allocation and release in ECX key structures and related functions,
   aligning with updated OpenSSL 3.x threading and reference counting.
 - Refactored key management logic in qat_prov_kmgmt_ecx.c to implement direct parameter handling
   for X25519/X448 key types, including get/set/export functionality.
 - Introduced utility macros and constants for X25519/X448 bits and security levels.
 - Updated the OSSL_DISPATCH function tables to use new parameter and context management functions.
 - Improved memory handling and property query support for ECX keys and context structures.
 - Minor code cleanup and removal of compatibility indirection for OpenSSL &lt;3.2.0.

Signed-off-by: Raveesh Vemula &lt;raveeshx.vemula@intel.com&gt;
diff --git a/e_qat.h b/e_qat.h
@@ -941,13 +941,13 @@ static inline int QAT_CRYPTO_GET_REF(QAT_CRYPTO_REF_COUNT *refcnt, int *ret)
     return 1;
 }
 
-static inline int QAT_CRYPTO_UP_REF(QAT_CRYPTO_REF_COUNT* refcnt, int* ret)
+static inline int QAT_CRYPTO_UP_REF(QAT_CRYPTO_REF_COUNT *refcnt, int *ret)
 {
     *ret = atomic_fetch_add_explicit(&refcnt->val, 1, memory_order_relaxed) + 1;
     return 1;
 }
 
-static inline int QAT_CRYPTO_DOWN_REF(QAT_CRYPTO_REF_COUNT* refcnt, int* ret)
+static inline int QAT_CRYPTO_DOWN_REF(QAT_CRYPTO_REF_COUNT *refcnt, int *ret)
 {
     *ret = atomic_fetch_sub_explicit(&refcnt->val, 1, memory_order_release) - 1;
     if (*ret == 0)
diff --git a/qat_common.h b/qat_common.h
@@ -54,6 +54,12 @@
 
 # define MAX_KEYLEN  57
 
+#  define X25519_BITS           253
+#  define X25519_SECURITY_BITS  128
+
+#  define X448_BITS             448
+#  define X448_SECURITY_BITS    224
+
 typedef struct {
     _Atomic int val;
 }QAT_CRYPTO_REF_COUNT;
diff --git a/qat_hw_ecx.c b/qat_hw_ecx.c
@@ -215,9 +215,6 @@ static int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, int type)
      * count accordingly, otherwise it will trigger openssl's panic.
      */
 #if defined(QAT_OPENSSL_3) && defined(QAT_OPENSSL_PROVIDER)
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-    key->lock = CRYPTO_THREAD_lock_new();
-# endif
     key->references.val = 1;
 # ifdef QAT_OPENSSL_PROVIDER
     key->type = gctx->type;
@@ -265,22 +262,12 @@ static int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, int type)
     default:
         WARN("Unsupported NID: %d\n", gctx->type);
         QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_INTERNAL_ERROR);
-#ifdef QAT_OPENSSL_3
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-        CRYPTO_THREAD_lock_free(key->lock);
-# endif
-#endif
         OPENSSL_free(key);
         return 0;
     }
 
     if (qat_get_qat_offload_disabled()) {
         DEBUG("- Switched to software mode.\n");
-#ifdef QAT_OPENSSL_3
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-        CRYPTO_THREAD_lock_free(key->lock);
-# endif
-#endif
         OPENSSL_free(key);
 
         if (!is_ecx_448) {
@@ -303,11 +290,6 @@ static int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, int type)
             goto err;
         } else {
             QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_INTERNAL_ERROR);
-#if defined(QAT_OPENSSL_3) && defined(QAT_OPENSSL_PROVIDER)
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-            CRYPTO_THREAD_lock_free(key->lock);
-# endif
-#endif
             OPENSSL_free(key);
             return 0;
         }
@@ -321,11 +303,6 @@ static int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, int type)
     if (NULL == qat_ecx_op_data) {
         WARN("Failed to allocate memory for qat_ecx_op_data\n");
         QATerr(QAT_F_QAT_PKEY_ECX_KEYGEN, ERR_R_MALLOC_FAILURE);
-#if defined(QAT_OPENSSL_3) && defined(QAT_OPENSSL_PROVIDER)
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-        CRYPTO_THREAD_lock_free(key->lock);
-# endif
-#endif
         OPENSSL_free(key);
         return 0;
     }
@@ -572,11 +549,6 @@ static int qat_pkey_ecx_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey, int type)
             privkey = NULL;
         }
         if (NULL != key) {
-#if defined(QAT_OPENSSL_3) && defined(QAT_OPENSSL_PROVIDER)
-# if OPENSSL_VERSION_NUMBER < 0x30200000
-            CRYPTO_THREAD_lock_free(key->lock);
-# endif
-#endif
             OPENSSL_free(key);
             key = NULL;
         }
diff --git a/qat_prov_ecx.h b/qat_prov_ecx.h
@@ -55,6 +55,10 @@
 # define ED448_KEYLEN          57
 # define MAX_KEYLEN            57
 
+#define QAT_ECX_KEY_TYPES()                                                        \
+OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0),                     \
+OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
+
 typedef struct{
     int id; /* libcrypto internal */
     int name_id;
@@ -145,9 +149,6 @@ typedef struct qat_ecx_key_st {
     size_t keylen;
     ECX_KEY_TYPE type;
     QAT_CRYPTO_REF_COUNT references;
-#if OPENSSL_VERSION_NUMBER < 0x30200000
-    CRYPTO_RWLOCK *lock;
-#endif
 }ECX_KEY;
 
 typedef struct {
diff --git a/qat_prov_exch_ecx.c b/qat_prov_exch_ecx.c
@@ -166,12 +166,12 @@ int qat_ecx_key_up_ref(ECX_KEY *key)
     if (QAT_CRYPTO_UP_REF(&key->references, &i) <= 0)
         return 0;
 
-    if(i < 2) {
+    if (i < 2) {
         WARN("refcount error");
         return 0;
     }
 
-    return ((i >1) ? 1 : 0);
+    return ((i > 1) ? 1 : 0);
 }
 
 void qat_ecx_key_free(ECX_KEY *key)
@@ -195,9 +195,6 @@ void qat_ecx_key_free(ECX_KEY *key)
 
     OPENSSL_free(key->propq);
     OPENSSL_secure_clear_free(key->privkey, key->keylen);
-#if OPENSSL_VERSION_NUMBER < 0x30200000
-    CRYPTO_THREAD_lock_free(key->lock);
-#endif
     OPENSSL_free(key);
 #ifdef ENABLE_QAT_FIPS
     qat_fips_key_zeroize = 1;
@@ -260,11 +257,31 @@ static void qat_ecx_freectx(void *vecxctx)
 
 static void *qat_ecx_dupctx(void *vecxctx)
 {
-    typedef void * (*fun_ptr)(void *vecxctx);
-    fun_ptr fun = get_default_x25519_keyexch().dupctx;
-    if (!fun)
+    QAT_ECX_CTX *srcctx = (QAT_ECX_CTX *)vecxctx;
+    QAT_ECX_CTX *dstctx;
+
+    if (!qat_prov_is_running())
+        return NULL;
+
+    dstctx = OPENSSL_zalloc(sizeof(*srcctx));
+    if (dstctx == NULL)
+        return NULL;
+
+    *dstctx = *srcctx;
+    if (dstctx->key != NULL && !qat_ecx_key_up_ref(dstctx->key)) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+        OPENSSL_free(dstctx);
+        return NULL;
+    }
+
+    if (dstctx->peerkey != NULL && !qat_ecx_key_up_ref(dstctx->peerkey)) {
+        ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
+        qat_ecx_key_free(dstctx->key);
+        OPENSSL_free(dstctx);
         return NULL;
-    return fun(vecxctx);
+    }
+
+    return dstctx;
 }
 
 const OSSL_DISPATCH qat_X25519_keyexch_functions[] = {
diff --git a/qat_prov_kmgmt_ecx.c b/qat_prov_kmgmt_ecx.c

Original file line number	Diff line number	Diff line change
`@@ -941,13 +941,13 @@ static inline int QAT_CRYPTO_GET_REF(QAT_CRYPTO_REF_COUNT refcnt, int ret)`
`941`	`941`	`return 1;`
`942`	`942`	`}`
`943`	`943`
`944`		`-static inline int QAT_CRYPTO_UP_REF(QAT_CRYPTO_REF_COUNT* refcnt, int* ret)`
	`944`	`+static inline int QAT_CRYPTO_UP_REF(QAT_CRYPTO_REF_COUNT refcnt, int ret)`
`945`	`945`	`{`
`946`	`946`	`*ret = atomic_fetch_add_explicit(&refcnt->val, 1, memory_order_relaxed) + 1;`
`947`	`947`	`return 1;`
`948`	`948`	`}`
`949`	`949`
`950`		`-static inline int QAT_CRYPTO_DOWN_REF(QAT_CRYPTO_REF_COUNT* refcnt, int* ret)`
	`950`	`+static inline int QAT_CRYPTO_DOWN_REF(QAT_CRYPTO_REF_COUNT refcnt, int ret)`
`951`	`951`	`{`
`952`	`952`	`*ret = atomic_fetch_sub_explicit(&refcnt->val, 1, memory_order_release) - 1;`
`953`	`953`	`if (*ret == 0)`