From 830f9d7501572386be5d059ab049fc0141cea745 Mon Sep 17 00:00:00 2001
From: Erik Conijn <egc112@msn.com>
Date: Mon, 8 Jun 2026 17:29:00 +0200
Subject: [PATCH 1/2] openvpn: add kmod-ovpn-backports dependency if dco is
 enabled

Maintainer: Alexandru Ardelean ardeleanalex@gmail.com

ping @feckert @commodo

A dependency of kmod-ovpn-backports seems missing this patch adds that dependency.

Backport from: https://github.com/openwrt/packages/commit/c53d53ff93a126df96169cbcf7d84687b83b0c8c

I have compile and run tested it on X86-25.12

Please have a look and consider implementing.

Thanks

Signed-off-by: Erik Conijn <egc112@msn.com>
---
 net/openvpn/Makefile | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index 0c7195a1f3ba6..ee1f3160ee35f 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 
 PKG_VERSION:=2.7.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
@@ -36,8 +36,14 @@ define Package/openvpn/Default
   URL:=http://openvpn.net
   SUBMENU:=VPN
   MENU:=1
-  DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip \
-	+OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
+  DEPENDS:=+kmod-tun \
+	 +libcap-ng \
+	 +OPENVPN_$(1)_ENABLE_LZO:liblzo \
+	 +OPENVPN_$(1)_ENABLE_LZ4:liblz4 \
+	 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip \
+	 +OPENVPN_$(1)_ENABLE_DCO:libnl-genl \
+	 +OPENVPN_$(1)_ENABLE_DCO:kmod-ovpn-backports \
+	 $(3)
   VARIANT:=$(1)
   PROVIDES:=openvpn openvpn-crypto
 endef

From f0e7f8a29dbdf942fd9031164e3b7858c15040e8 Mon Sep 17 00:00:00 2001
From: Erik Conijn <egc112@msn.com>
Date: Tue, 9 Jun 2026 11:20:53 +0200
Subject: [PATCH 2/2] openvpn: work around EIP-197 incompatibility backport to
 25.12

This backports https://github.com/openwrt/packages/commit/974c2be6b8eaa4bb2d21bafa1f5a1cb9e7cd281e

To make ovpn-dco compatible with the SafeXcel EIP-197 cryptographic engine.

Signed-off-by: Erik Conijn <egc112@msn.com>
---
 kernel/ovpn-dco/Makefile                      |   2 +-
 .../patches/0001-do-not-use-EIP-197.patch     | 131 ++++++++++++++++++
 2 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch

diff --git a/kernel/ovpn-dco/Makefile b/kernel/ovpn-dco/Makefile
index d8a1b7706a2fb..1e3bb31987771 100644
--- a/kernel/ovpn-dco/Makefile
+++ b/kernel/ovpn-dco/Makefile
@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ovpn-backports
 PKG_VERSION:=7.0.0.2026032400
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL= \
diff --git a/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch b/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch
new file mode 100644
index 0000000000000..ceeca233089b4
--- /dev/null
+++ b/kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch
@@ -0,0 +1,131 @@
+Subject: [PATCH] do not use EIP-197
+
+ovpn-dco is currently incompatible with the SafeXcel EIP-197
+cryptographic engine [1]. Disable async until this is fixed.
+
+[1] https://github.com/openwrt/packages/pull/27421
+---
+ drivers/net/ovpn/crypto_aead.c | 10 +++++++---
+ drivers/net/ovpn/io.c          | 10 ++++++++++
+ drivers/net/ovpn/io.h          |  2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ovpn/crypto_aead.c
++++ b/drivers/net/ovpn/crypto_aead.c
+@@ -134,7 +134,7 @@ static struct scatterlist *ovpn_aead_cry
+ 			     __alignof__(struct scatterlist));
+ }
+ 
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_encrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+ 	ovpn_encrypt_post(req->data, ret);
+@@ -235,11 +235,13 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+ 
+ 	/* setup async crypto operation */
+ 	aead_request_set_tfm(req, ks->encrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+ 	aead_request_set_callback(req, 0, ovpn_encrypt_post_compl, skb);
+ #else
+ 	aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
+ #endif
++#endif
+ 	aead_request_set_crypt(req, sg, sg,
+ 			       skb->len - ovpn_aead_encap_overhead(ks), iv);
+ 	aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -248,7 +250,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+ 	return crypto_aead_encrypt(req);
+ }
+ 
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_decrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+ 	ovpn_decrypt_post(req->data, ret);
+@@ -333,11 +335,13 @@ int ovpn_aead_decrypt(struct ovpn_peer *
+ 
+ 	/* setup async crypto operation */
+ 	aead_request_set_tfm(req, ks->decrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+ 	aead_request_set_callback(req, 0, ovpn_decrypt_post_compl, skb);
+ #else
+ 	aead_request_set_callback(req, 0, ovpn_decrypt_post, skb);
+ #endif
++#endif
+ 	aead_request_set_crypt(req, sg, sg, payload_len + tag_size, iv);
+ 
+ 	aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -355,7 +359,7 @@ static struct crypto_aead *ovpn_aead_ini
+ 	struct crypto_aead *aead;
+ 	int ret;
+ 
+-	aead = crypto_alloc_aead(alg_name, 0, 0);
++	aead = crypto_alloc_aead(alg_name, 0, IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL) ? CRYPTO_ALG_ASYNC : 0);
+ 	if (IS_ERR(aead)) {
+ 		ret = PTR_ERR(aead);
+ 		pr_err("%s crypto_alloc_aead failed, err=%d\n", title, ret);
+--- a/drivers/net/ovpn/io.c
++++ b/drivers/net/ovpn/io.c
+@@ -98,6 +98,9 @@ static void ovpn_netdev_write(struct ovp
+ 	}
+ }
+ 
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_decrypt_post(void *data, int ret)
+ {
+ 	struct ovpn_crypto_key_slot *ks;
+@@ -108,11 +111,13 @@ void ovpn_decrypt_post(void *data, int r
+ 	__be16 proto;
+ 	__be32 *pid;
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ 	/* crypto is happening asynchronously. this function will be called
+ 	 * again later by the crypto callback with a proper return code
+ 	 */
+ 	if (unlikely(ret == -EINPROGRESS))
+ 		return;
++#endif
+ 
+ 	payload_offset = ovpn_skb_cb(skb)->payload_offset;
+ 	ks = ovpn_skb_cb(skb)->ks;
+@@ -228,6 +233,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+ 	ovpn_decrypt_post(skb, ovpn_aead_decrypt(peer, ks, skb));
+ }
+ 
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_encrypt_post(void *data, int ret)
+ {
+ 	struct ovpn_crypto_key_slot *ks;
+@@ -236,11 +244,13 @@ void ovpn_encrypt_post(void *data, int r
+ 	struct ovpn_peer *peer;
+ 	unsigned int orig_len;
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ 	/* encryption is happening asynchronously. This function will be
+ 	 * called later by the crypto callback with a proper return value
+ 	 */
+ 	if (unlikely(ret == -EINPROGRESS))
+ 		return;
++#endif
+ 
+ 	ks = ovpn_skb_cb(skb)->ks;
+ 	peer = ovpn_skb_cb(skb)->peer;
+--- a/drivers/net/ovpn/io.h
++++ b/drivers/net/ovpn/io.h
+@@ -28,7 +28,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+ void ovpn_xmit_special(struct ovpn_peer *peer, const void *data,
+ 		       const unsigned int len);
+ 
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ void ovpn_encrypt_post(void *data, int ret);
+ void ovpn_decrypt_post(void *data, int ret);
++#endif
+ 
+ #endif /* _NET_OVPN_OVPN_H_ */