ovpn-dco: work around EIP-197 incompatibility

ovpn-dco is currently incompatible with the SafeXcel EIP-197
cryptographic engine. Disable async until this is fixed.

Signed-off-by: Qingfang Deng <redacted>

diff --git a/kernel/ovpn-dco/Makefile b/kernel/ovpn-dco/Makefile
index d8a1b7706a2fbbf4dcb5331ce5ec0a6346007db5..1e3bb319877719eaf529e53dc08ad7953e5be46e 100644 (file)
--- a/kernel/ovpn-dco/Makefile
+++ b/kernel/ovpn-dco/Makefile
@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ovpn-backports
 PKG_VERSION:=7.0.0.2026032400
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL= \

diff --git a/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch b/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch
new file mode 100644 (file)
index 0000000..ceeca23
--- /dev/null
+++ b/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch
@@ -0,0 +1,131 @@
+Subject: [PATCH] do not use EIP-197
+
+ovpn-dco is currently incompatible with the SafeXcel EIP-197
+cryptographic engine [1]. Disable async until this is fixed.
+
+[1] https://github.com/openwrt/packages/pull/27421
+---
+ drivers/net/ovpn/crypto_aead.c | 10 +++++++---
+ drivers/net/ovpn/io.c          | 10 ++++++++++
+ drivers/net/ovpn/io.h          |  2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ovpn/crypto_aead.c
++++ b/drivers/net/ovpn/crypto_aead.c
+@@ -134,7 +134,7 @@ static struct scatterlist *ovpn_aead_cry
+                            __alignof__(struct scatterlist));
+ }
+ 
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_encrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+       ovpn_encrypt_post(req->data, ret);
+@@ -235,11 +235,13 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+ 
+       /* setup async crypto operation */
+       aead_request_set_tfm(req, ks->encrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+       aead_request_set_callback(req, 0, ovpn_encrypt_post_compl, skb);
+ #else
+       aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
+ #endif
++#endif
+       aead_request_set_crypt(req, sg, sg,
+                              skb->len - ovpn_aead_encap_overhead(ks), iv);
+       aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -248,7 +250,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+       return crypto_aead_encrypt(req);
+ }
+ 
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_decrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+       ovpn_decrypt_post(req->data, ret);
+@@ -333,11 +335,13 @@ int ovpn_aead_decrypt(struct ovpn_peer *
+ 
+       /* setup async crypto operation */
+       aead_request_set_tfm(req, ks->decrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+       aead_request_set_callback(req, 0, ovpn_decrypt_post_compl, skb);
+ #else
+       aead_request_set_callback(req, 0, ovpn_decrypt_post, skb);
+ #endif
++#endif
+       aead_request_set_crypt(req, sg, sg, payload_len + tag_size, iv);
+ 
+       aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -355,7 +359,7 @@ static struct crypto_aead *ovpn_aead_ini
+       struct crypto_aead *aead;
+       int ret;
+ 
+-      aead = crypto_alloc_aead(alg_name, 0, 0);
++      aead = crypto_alloc_aead(alg_name, 0, IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL) ? CRYPTO_ALG_ASYNC : 0);
+       if (IS_ERR(aead)) {
+               ret = PTR_ERR(aead);
+               pr_err("%s crypto_alloc_aead failed, err=%d\n", title, ret);
+--- a/drivers/net/ovpn/io.c
++++ b/drivers/net/ovpn/io.c
+@@ -98,6 +98,9 @@ static void ovpn_netdev_write(struct ovp
+       }
+ }
+ 
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_decrypt_post(void *data, int ret)
+ {
+       struct ovpn_crypto_key_slot *ks;
+@@ -108,11 +111,13 @@ void ovpn_decrypt_post(void *data, int r
+       __be16 proto;
+       __be32 *pid;
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+       /* crypto is happening asynchronously. this function will be called
+        * again later by the crypto callback with a proper return code
+        */
+       if (unlikely(ret == -EINPROGRESS))
+               return;
++#endif
+ 
+       payload_offset = ovpn_skb_cb(skb)->payload_offset;
+       ks = ovpn_skb_cb(skb)->ks;
+@@ -228,6 +233,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+       ovpn_decrypt_post(skb, ovpn_aead_decrypt(peer, ks, skb));
+ }
+ 
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_encrypt_post(void *data, int ret)
+ {
+       struct ovpn_crypto_key_slot *ks;
+@@ -236,11 +244,13 @@ void ovpn_encrypt_post(void *data, int r
+       struct ovpn_peer *peer;
+       unsigned int orig_len;
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+       /* encryption is happening asynchronously. This function will be
+        * called later by the crypto callback with a proper return value
+        */
+       if (unlikely(ret == -EINPROGRESS))
+               return;
++#endif
+ 
+       ks = ovpn_skb_cb(skb)->ks;
+       peer = ovpn_skb_cb(skb)->peer;
+--- a/drivers/net/ovpn/io.h
++++ b/drivers/net/ovpn/io.h
+@@ -28,7 +28,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+ void ovpn_xmit_special(struct ovpn_peer *peer, const void *data,
+                      const unsigned int len);
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ void ovpn_encrypt_post(void *data, int ret);
+ void ovpn_decrypt_post(void *data, int ret);
++#endif
+ 
+ #endif /* _NET_OVPN_OVPN_H_ */