openvpn: add kmod-ovpn-backports dependency if dco is enabled

kernel/ovpn-dco/Makefile

@@ -10,7 +10,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ovpn-backports
 PKG_VERSION:=7.0.0.2026032400
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL= \

kernel/ovpn-dco/patches/0001-do-not-use-EIP-197.patch

@@ -0,0 +1,131 @@
+Subject: [PATCH] do not use EIP-197
+
+ovpn-dco is currently incompatible with the SafeXcel EIP-197
+cryptographic engine [1]. Disable async until this is fixed.
+
+[1] https://github.com/openwrt/packages/pull/27421
+---
+ drivers/net/ovpn/crypto_aead.c | 10 +++++++---
+ drivers/net/ovpn/io.c          | 10 ++++++++++
+ drivers/net/ovpn/io.h          |  2 ++
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ovpn/crypto_aead.c
++++ b/drivers/net/ovpn/crypto_aead.c
+@@ -134,7 +134,7 @@ static struct scatterlist *ovpn_aead_cry
+ 			     __alignof__(struct scatterlist));
+ }
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_encrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+ 	ovpn_encrypt_post(req->data, ret);
+@@ -235,11 +235,13 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+
+ 	/* setup async crypto operation */
+ 	aead_request_set_tfm(req, ks->encrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+ 	aead_request_set_callback(req, 0, ovpn_encrypt_post_compl, skb);
+ #else
+ 	aead_request_set_callback(req, 0, ovpn_encrypt_post, skb);
+ #endif
++#endif
+ 	aead_request_set_crypt(req, sg, sg,
+ 			       skb->len - ovpn_aead_encap_overhead(ks), iv);
+ 	aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -248,7 +250,7 @@ int ovpn_aead_encrypt(struct ovpn_peer *
+ 	return crypto_aead_encrypt(req);
+ }
+
+-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0) && !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ static inline void ovpn_decrypt_post_compl(struct crypto_async_request *req, int ret)
+ {
+ 	ovpn_decrypt_post(req->data, ret);
+@@ -333,11 +335,13 @@ int ovpn_aead_decrypt(struct ovpn_peer *
+
+ 	/* setup async crypto operation */
+ 	aead_request_set_tfm(req, ks->decrypt);
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 3, 0)
+ 	aead_request_set_callback(req, 0, ovpn_decrypt_post_compl, skb);
+ #else
+ 	aead_request_set_callback(req, 0, ovpn_decrypt_post, skb);
+ #endif
++#endif
+ 	aead_request_set_crypt(req, sg, sg, payload_len + tag_size, iv);
+
+ 	aead_request_set_ad(req, OVPN_AAD_SIZE);
+@@ -355,7 +359,7 @@ static struct crypto_aead *ovpn_aead_ini
+ 	struct crypto_aead *aead;
+ 	int ret;
+
+-	aead = crypto_alloc_aead(alg_name, 0, 0);
++	aead = crypto_alloc_aead(alg_name, 0, IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL) ? CRYPTO_ALG_ASYNC : 0);
+ 	if (IS_ERR(aead)) {
+ 		ret = PTR_ERR(aead);
+ 		pr_err("%s crypto_alloc_aead failed, err=%d\n", title, ret);
+--- a/drivers/net/ovpn/io.c
++++ b/drivers/net/ovpn/io.c
+@@ -98,6 +98,9 @@ static void ovpn_netdev_write(struct ovp
+ 	}
+ }
+
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_decrypt_post(void *data, int ret)
+ {
+ 	struct ovpn_crypto_key_slot *ks;
+@@ -108,11 +111,13 @@ void ovpn_decrypt_post(void *data, int r
+ 	__be16 proto;
+ 	__be32 *pid;
+
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ 	/* crypto is happening asynchronously. this function will be called
+ 	 * again later by the crypto callback with a proper return code
+ 	 */
+ 	if (unlikely(ret == -EINPROGRESS))
+ 		return;
++#endif
+
+ 	payload_offset = ovpn_skb_cb(skb)->payload_offset;
+ 	ks = ovpn_skb_cb(skb)->ks;
+@@ -228,6 +233,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+ 	ovpn_decrypt_post(skb, ovpn_aead_decrypt(peer, ks, skb));
+ }
+
++#if IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
++static
++#endif
+ void ovpn_encrypt_post(void *data, int ret)
+ {
+ 	struct ovpn_crypto_key_slot *ks;
+@@ -236,11 +244,13 @@ void ovpn_encrypt_post(void *data, int r
+ 	struct ovpn_peer *peer;
+ 	unsigned int orig_len;
+
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ 	/* encryption is happening asynchronously. This function will be
+ 	 * called later by the crypto callback with a proper return value
+ 	 */
+ 	if (unlikely(ret == -EINPROGRESS))
+ 		return;
++#endif
+
+ 	ks = ovpn_skb_cb(skb)->ks;
+ 	peer = ovpn_skb_cb(skb)->peer;
+--- a/drivers/net/ovpn/io.h
++++ b/drivers/net/ovpn/io.h
+@@ -28,7 +28,9 @@ void ovpn_recv(struct ovpn_peer *peer, s
+ void ovpn_xmit_special(struct ovpn_peer *peer, const void *data,
+ 		       const unsigned int len);
+
++#if !IS_ENABLED(CONFIG_CRYPTO_DEV_SAFEXCEL)
+ void ovpn_encrypt_post(void *data, int ret);
+ void ovpn_decrypt_post(void *data, int ret);
++#endif
+
+ #endif /* _NET_OVPN_OVPN_H_ */

net/openvpn/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 
 PKG_VERSION:=2.7.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
@@ -36,8 +36,14 @@ define Package/openvpn/Default
   URL:=http://openvpn.net
   SUBMENU:=VPN
   MENU:=1
-  DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip \
-	+OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
+  DEPENDS:=+kmod-tun \
+	 +libcap-ng \
+	 +OPENVPN_$(1)_ENABLE_LZO:liblzo \
+	 +OPENVPN_$(1)_ENABLE_LZ4:liblz4 \
+	 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip \
+	 +OPENVPN_$(1)_ENABLE_DCO:libnl-genl \
+	 +OPENVPN_$(1)_ENABLE_DCO:kmod-ovpn-backports \
+	 $(3)
   VARIANT:=$(1)
   PROVIDES:=openvpn openvpn-crypto
 endef