From 989c964a95788e54a3426daff311ebdbd0d1cf32 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Fri, 4 Oct 2019 11:21:56 -0700
Subject: [PATCH 01/10] Synchronous Cavium OCTEON Support for Sniffer 1. Add
 configure option for sync IntelQA that uses the crypto callback API. 2. Make
 a synchonous copy of the quickassist files. 3. Tie in the crypto device to
 the sniffer. 4. When making a sniffer build, define static DH enabled. 5. The
 readme files in the Cavium were being added to the distro optionally, changed
 to always add the readme files. 6. Added an include of the cavium_octeon
 header in the wc_ports.c. 7. Updated the Cavium OCTEON callback for AES-GCM.
 8. Add the global tag to the list of crypto callback function pointers. 9.
 Add an accessor to the OCTEON crypto callback module to return the device ID
 of the OCTEON device. 10. Add a new version of ssl_SetWatchKeyCallback which
 takes an additional parameter of a device ID. This ID is used to set up the
 wolfSSL_CTXs in the sniffer session trackers. 11. Update the benchmark to use
 sync OCTEON and QAT.

---
 configure.ac                                  |  48 +-
 src/sniffer.c                                 |   3 +-
 wolfcrypt/benchmark/benchmark.c               |  64 +-
 wolfcrypt/src/cryptocb.c                      |   2 +-
 wolfcrypt/src/include.am                      |   5 +
 wolfcrypt/src/port/cavium/README_Octeon.md    | 150 +++
 .../src/port/cavium/cavium_octeon_sync.c      | 995 ++++++++++++++++++
 wolfcrypt/src/wc_port.c                       |   3 +
 wolfssl/wolfcrypt/aes.h                       |   3 +
 wolfssl/wolfcrypt/des3.h                      |   1 +
 wolfssl/wolfcrypt/include.am                  |   4 +
 .../port/cavium/cavium_octeon_sync.h          |  79 ++
 wolfssl/wolfcrypt/wc_port.h                   |  10 +
 13 files changed, 1356 insertions(+), 11 deletions(-)
 create mode 100644 wolfcrypt/src/port/cavium/README_Octeon.md
 create mode 100644 wolfcrypt/src/port/cavium/cavium_octeon_sync.c
 create mode 100644 wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h

diff --git a/configure.ac b/configure.ac
index c75bee31e..33fb74625 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3882,6 +3882,39 @@ AC_ARG_WITH([cavium-v],
 )
 
 
+# Cavium Octeon
+OCTEON_ROOT=""
+
+AC_ARG_WITH([octeon-sync],
+    [AS_HELP_STRING([--with-octeon-sync=PATH],[PATH to Cavium Octeon SDK dir (sync)])],
+    [
+        AC_MSG_CHECKING([for octeon])
+
+        if test "x$withval" = "xyes" ; then
+            AC_MSG_ERROR([need a PATH for --with-octeon])
+        fi
+        if test "x$withval" != "xno" ; then
+            OCTEON_ROOT=$withval
+        fi
+
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_CAVIUM_OCTEON_SYNC"
+        AM_CFLAGS="$AM_CFLAGS -DOCTEON_MODEL=$OCTEON_MODEL -DCVMX_BUILD_FOR_LINUX_HOST"
+        AM_CFLAGS="$AM_CFLAGS -I$OCTEON_ROOT/executive"
+
+        #-I$OCTEON_ROOT/target/include 
+        LDFLAGS="$LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
+        LIBS="$LIBS $OCTEON_ROOT/executive/obj-octeon3/libcvmx.a $OCTEON_ROOT/executive/obj-octeon3/libfdt.a"
+
+        enable_shared=no
+        enable_static=yes
+
+        ENABLED_OCTEON_SYNC=yes
+        AC_MSG_RESULT([yes])
+    ],
+    [ENABLED_OCTEON_SYNC=no]
+)
+
+
 # Intel QuickAssist
 QAT_DIR=""
 BUILD_INTEL_QAT_VERSION=2
@@ -4580,9 +4613,10 @@ AS_IF([test "x$ENABLED_OCSP" = "xyes" && \
        test "x$ENABLED_ECC" = "xno"],
       [AC_MSG_ERROR([please enable rsa or ecc if enabling ocsp.])])
 
-# Sync Intel QA requires the crypto callback
-AS_IF([test "x$ENABLED_CRYPTOCB" = "xno" && test "x$ENABLED_INTEL_QA_SYNC" = "xyes"],
-      [AC_MSG_ERROR([please enable the crypto callback support using --enable-cryptocb])])
+# Sync Intel QA and Sync Cavium Octeon require the crypto callback
+AS_IF([test "x$ENABLED_INTEL_QA_SYNC" = "xyes" || test "x$ENABLED_OCTEON_SYNC" = "xyes"],
+        [AS_IF([test "x$ENABLED_CRYPTOCB" = "xno"],
+         [AC_MSG_ERROR([please enable the crypto callback support using --enable-cryptocb])])])
 
 # checks for pkcs7 needed enables
 AS_IF([test "x$ENABLED_PKCS7" = "xyes" && \
@@ -4900,6 +4934,7 @@ AM_CONDITIONAL([BUILD_LIBZ],[test "x$ENABLED_LIBZ" = "xyes"])
 AM_CONDITIONAL([BUILD_PKCS11],[test "x$ENABLED_PKCS11" = "xyes"])
 AM_CONDITIONAL([BUILD_CAVIUM],[test "x$ENABLED_CAVIUM" = "xyes"])
 AM_CONDITIONAL([BUILD_CAVIUM_V],[test "x$ENABLED_CAVIUM_V" = "xyes"])
+AM_CONDITIONAL([BUILD_OCTEON_SYNC],[test "x$ENABLED_OCTEON_SYNC" = "xyes"])
 AM_CONDITIONAL([BUILD_INTEL_QA],[test "x$ENABLED_INTEL_QA" = "xyes"])
 AM_CONDITIONAL([BUILD_INTEL_QA_SYNC],[test "x$ENABLED_INTEL_QA_SYNC" = "xyes"])
 AM_CONDITIONAL([BUILD_SP],[test "x$ENABLED_SP" = "xyes"])
@@ -5191,16 +5226,17 @@ echo "   * Single Precision:           $ENABLED_SP"
 echo "   * Async Crypto:               $ENABLED_ASYNCCRYPT"
 echo "   * PKCS#11:                    $ENABLED_PKCS11"
 echo "   * PKCS#12:                    $ENABLED_PKCS12"
-echo "   * Cavium:                     $ENABLED_CAVIUM"
+echo "   * Cavium Nitox:               $ENABLED_CAVIUM"
+echo "   * Cavium Octeon (Sync):       $ENABLED_OCTEON_SYNC"
+echo "   * Intel Quick Assist:         $ENABLED_INTEL_QA"
 echo "   * ARM ASM:                    $ENABLED_ARMASM"
 echo "   * AES Key Wrap:               $ENABLED_AESKEYWRAP"
 echo "   * Write duplicate:            $ENABLED_WRITEDUP"
-echo "   * Intel Quick Assist:         $ENABLED_INTEL_QA"
 echo "   * Xilinx Hardware Acc.:       $ENABLED_XILINX"
 echo "   * Inline Code:                $ENABLED_INLINE"
 echo "   * Linux AF_ALG:               $ENABLED_AFALG"
 echo "   * Linux devcrypto:            $ENABLED_DEVCRYPTO"
-echo "   * Crypto callback:            $ENABLED_CRYPTOCB"
+echo "   * Crypto callbacks:           $ENABLED_CRYPTOCB"
 echo ""
 echo "---"
 
diff --git a/src/sniffer.c b/src/sniffer.c
index bad212021..12fd113d8 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -1457,7 +1457,8 @@ static int CreateWatchSnifferServer(char* error)
         return -1;
     }
 #ifdef WOLF_CRYPTO_CB
-	wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDevId);
+    if (CryptoDevId != INVALID_DEVID)
+	    wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDevId);
 #endif
     ServerList = sniffer;
 
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index 33e2bd536..2e13b27e4 100755
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -172,6 +172,13 @@
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/types.h>
 
+#ifdef WOLF_CRYPTO_CB
+    #include <wolfssl/wolfcrypt/cryptocb.h>
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+        #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+    #endif
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     #include <wolfssl/wolfcrypt/async.h>
 #endif
@@ -683,6 +690,10 @@ static const char* bench_result_words2[][5] = {
 /* Asynchronous helper macros */
 static THREAD_LS_T int devId = INVALID_DEVID;
 
+#if defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC)
+    static THREAD_LS_T IntelQaDev devQat;
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     static WOLF_EVENT_QUEUE eventQueue;
 
@@ -1288,6 +1299,39 @@ static void* benchmarks_do(void* args)
     }
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    {
+        int rc;
+        devId = IntelQaInit(NULL);
+        if (devId == INVALID_DEVID) {
+            WOLFSSL_MSG("Couldn't init the Intel QA");
+        }
+        rc = IntelQaOpen(&devQat, devId);
+        if (rc != 0) {
+            WOLFSSL_MSG("Couldn't open the device");
+        }
+        rc = wc_CryptoCb_RegisterDevice(devId,
+                IntelQaSymSync_CryptoDevCb, &devQat);
+        if (rc != 0) {
+            WOLFSSL_MSG("Couldn't register the device");
+        }
+    }
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    {
+        devId = wc_CryptoCb_GetDevIdOcteon();
+        if (devId == INVALID_DEVID) {
+            printf("Couldn't get the Octeon device ID\n");
+        }
+        if (wc_CryptoCb_InitOcteon() != 0) {
+            printf("Couldn't init the Cavium Octeon\n");
+            devId = INVALID_DEVID;
+        }
+    }
+#endif
+#endif
+
 #if defined(HAVE_LOCAL_RNG)
     {
         int rngRet;
@@ -1356,7 +1400,8 @@ static void* benchmarks_do(void* args)
     #ifndef NO_SW_BENCH
         bench_aescbc(0);
     #endif
-    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES) && \
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
         !defined(NO_HW_BENCH)
         bench_aescbc(1);
     #endif
@@ -1367,7 +1412,8 @@ static void* benchmarks_do(void* args)
     #ifndef NO_SW_BENCH
         bench_aesgcm(0);
     #endif
-    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES) && \
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
         !defined(NO_HW_BENCH)
         bench_aesgcm(1);
     #endif
@@ -1438,7 +1484,8 @@ static void* benchmarks_do(void* args)
     #ifndef NO_SW_BENCH
         bench_des(0);
     #endif
-    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES) && \
+    #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \
+         defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \
         !defined(NO_HW_BENCH)
         bench_des(1);
     #endif
@@ -1775,6 +1822,17 @@ exit:
     XFREE(bench_iv, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    wc_CryptoCb_UnRegisterDevice(CryptoDeviceId);
+    IntelQaClose(&CryptoDevice);
+    IntelQaDeInit(CryptoDeviceId);
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    wc_CryptoCb_CleanupOcteon();
+#endif
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     /* free event queue */
     wolfEventQueue_Free(&eventQueue);
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c
index 5e7c8fb23..a9ba73007 100644
--- a/wolfcrypt/src/cryptocb.c
+++ b/wolfcrypt/src/cryptocb.c
@@ -44,7 +44,7 @@ typedef struct CryptoCb {
     CryptoDevCallbackFunc cb;
     void* ctx;
 } CryptoCb;
-static CryptoCb gCryptoDev[MAX_CRYPTO_DEVID_CALLBACKS];
+static WOLFSSL_GLOBAL CryptoCb gCryptoDev[MAX_CRYPTO_DEVID_CALLBACKS];
 
 static CryptoCb* wc_CryptoCb_FindDevice(int devId)
 {
diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am
index eae62a108..67cc0003a 100644
--- a/wolfcrypt/src/include.am
+++ b/wolfcrypt/src/include.am
@@ -105,6 +105,11 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/port/cavium/cavium_nitrox.c
 endif
 EXTRA_DIST += wolfcrypt/src/port/cavium/README.md
 
+if BUILD_OCTEON_SYNC
+src_libwolfssl_la_SOURCES += wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+endif
+EXTRA_DIST += wolfcrypt/src/port/cavium/README_Octeon.md
+
 if BUILD_INTEL_QA
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/intel/quickassist.c
 src_libwolfssl_la_SOURCES += wolfcrypt/src/port/intel/quickassist_mem.c
diff --git a/wolfcrypt/src/port/cavium/README_Octeon.md b/wolfcrypt/src/port/cavium/README_Octeon.md
new file mode 100644
index 000000000..093e675c1
--- /dev/null
+++ b/wolfcrypt/src/port/cavium/README_Octeon.md
@@ -0,0 +1,150 @@
+# Octeon III
+
+Guide for setting up wolfSSL on the Octeon III CN7300
+
+## Octeon SDK
+
+```sh
+sudo yum install libuuid-devel
+sudo yum install perl-Env
+
+sudo rpm -i OCTEON-SDK-5.1.0-609.x86_64.rpm
+```
+
+The OCTEON-SDK package has been successfully installed under the
+/usr/local/Cavium_Networks directory.
+
+The installation requires the OCTEON_MODEL environment variable
+to be set. To set this environment variable, cd to the
+/usr/local/Cavium_Networks/OCTEON-SDK directory, and invoke
+
+	  source env-setup <OCTEON_MODEL>
+
+script. Valid OCTEON_MODELs are listed in octeon-models.txt file
+under OCTEON-SDK directory.
+
+You may want to copy the OCTEON-SDK package to your home directory to allow
+modification without root privileges.
+
+For more information please refer to the online SDK documentation:
+file:///usr/local/Cavium_Networks/OCTEON-SDK/docs/html/index.html
+
+```sh
+sudo rpm -i OCTEON-CRYPTO-CORE-5.1.0-01.x86_64.rpm
+```
+
+The OCTEON-CRYPTO-CORE is installed under
+/usr/local/Cavium_Networks/OCTEON-SDK/components/crypto-api/core directory.
+This package installs the following sources.
+   * Crypto-Core API Sources
+   * Sample Crypto-Core Test Applications
+
+Please refer to following documentation under
+/usr/local/Cavium_Networks/OCTEON-SDK/components/crypto-api/core directory
+   * README.txt        - contains build instructions and other details
+   * Release_Notes.txt - contains change history
+
+```sh
+sudo rpm -i OCTEON-LINUX-5.1.0-609.x86_64.rpm
+```
+
+The Linux Kernel has been successfully installed under the directory
+/usr/local/Cavium_Networks/OCTEON-SDK/linux
+
+Please refer to file:///usr/local/Cavium_Networks/OCTEON-SDK/docs/html/linux.html
+on how to use Linux on the OCTEON.
+
+
+Final Setup:
+
+```sh
+cp -r /usr/local/Cavium_Networks/OCTEON-SDK/ ~
+cd OCTEON-SDK
+source env-setup OCTEON_CN73XX
+
+cd examples
+make
+```
+
+Note: You must run `source env-setup OCTEON_CN73XX` anytime a new shell is opened to setup the build environment.
+
+## Building Linux (Busybox)
+
+```sh
+cd $OCTEON_ROOT/linux
+make clean
+cd embedded_rootfs
+make menuconfig
+cd ..
+make kernel
+make strip
+
+cp ./kernel/linux/vmlinux.64 /run/media/dgarske/9016-4EF8/
+```
+
+```
+telnet 192.168.0.114 9761
+
+fatls mmc 0
+fatload mmc 0 $(loadaddr) vmlinux.64
+bootoctlinux $(loadaddr) coremask=0x1 root=/dev/sda2 mem=0
+```
+
+Shortcut macro from U-Boot:
+
+```
+linux_mmc=fatload mmc 0 $(loadaddr) vmlinux.64;bootoctlinux $(loadaddr) coremask=0xffff root=/dev/sda2 mem=0
+run linux_mmc
+```
+
+## Building Linux Debian
+
+```sh
+cd linux
+make kernel-deb
+cd debian
+sudo -E make DISK=/dev/sdc compact-flash
+```
+modprobe octeon-ethernet
+
+
+## wolfSSL Building for Octeon
+
+```sh
+cd examples
+ln -s ../../wolfssl wolfssl
+cd wolfssl
+./autogen.sh
+./configure --host=mips64 CC="mips64-octeon-linux-gnu-gcc -mabi=64" --with-octeon=/home/dgarske/OCTEON-SDK --enable-des3 --enable-cryptocb CFLAGS="-DWOLFSSL_AES_DIRECT"
+make
+
+```
+
+Installing to USB media for use on Octeon Board:
+
+```sh
+cp -r src /run/media/dgarske/OCTEON/
+cp -r wolfcrypt/ /run/media/dgarske/OCTEON/
+cp -r wolfssl /run/media/dgarske/OCTEON/
+cp -r certs /run/media/dgarske/OCTEON/
+```
+
+
+## Remote Access
+
+### UART and Telnet
+
+Device ID (MAC):
+EBB7304_DEFAULT	D8-80-39-7D-6D-0B
+
+Telnet Ports:
+telnet 192.168.0.114 9760
+telnet 192.168.0.114 9761
+
+Setting Date:
+date 070216502019
+
+
+## Support
+
+For questions please email wolfSSL at support@wolfssl.com
diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
new file mode 100644
index 000000000..dc7577111
--- /dev/null
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -0,0 +1,995 @@
+/* cavium_octeon.c
+ *
+ * Copyright(C) 2006-2019 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.(formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ *(at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+    #include <config.h>
+#endif
+
+#include <wolfssl/wolfcrypt/settings.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/wc_port.h>
+
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+
+/* Setting NO_MAIN_DRIVER here because this file ends up building
+ * in the library sources which doesn't have NO_MAIN_DRIVER set,
+ * as the library expects main to be somehwere else. */
+#undef NO_MAIN_DRIVER
+#define NO_MAIN_DRIVER
+
+#include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+
+static int devId = 1234;
+
+#ifndef NO_DES3
+int Octeon_Des3_CbcEncrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t inl)
+{
+    register uint64_t i0, r0;
+    uint64_t *key, *iv;
+
+    if (des3 == NULL || inp64 == NULL || outp64 == NULL)
+        return BAD_FUNC_ARG;
+
+    /* expects 64-bit aligned value */
+    key = (uint64_t*)des3->devKey;
+    CVMX_MT_3DES_KEY(key[0], 0);
+    CVMX_MT_3DES_KEY(key[1], 1);
+    CVMX_MT_3DES_KEY(key[2], 2);
+    iv = (uint64_t*)des3->reg;
+    CVMX_MT_3DES_IV(iv[0]);
+
+    CVMX_PREFETCH0(inp64);
+
+    i0 = *inp64;
+
+    /* DES3 assembly can handle 16-byte chunks */
+    if (inl >= 16) {
+        CVMX_MT_3DES_ENC_CBC(i0);
+        inl -= 8;
+        inp64++;
+        outp64++;
+
+        if (inl >= 8) {
+           i0 = inp64[0];
+           CVMX_MF_3DES_RESULT(r0);
+           CVMX_MT_3DES_ENC_CBC(i0);
+
+            for (;;) {
+                outp64[-1] = r0;
+                inl -= 8;
+                inp64++;
+                outp64++;
+                i0 = *inp64;
+
+                if (inl < 8)
+                    break;
+
+                CVMX_PREFETCH(inp64, 64);
+                CVMX_MF_3DES_RESULT(r0);
+                CVMX_MT_3DES_ENC_CBC(i0);
+            }
+        }
+        CVMX_MF_3DES_RESULT(r0);
+        outp64[-1] = r0;
+    }
+    /* remainder */
+    if (inl > 0) {
+        uint64_t r = 0;
+        if (inl <= 8) {
+            XMEMCPY(&r, inp64, inl);
+            CVMX_MT_3DES_ENC_CBC(r);
+            CVMX_MF_3DES_RESULT(*outp64);
+        }
+        else {
+            i0 = *inp64;
+            CVMX_MT_3DES_ENC_CBC(i0);
+            CVMX_MF_3DES_RESULT(*outp64);
+            inp64++, outp64++;
+
+            XMEMCPY(&r, inp64, inl);
+            CVMX_MT_3DES_ENC_CBC(r);
+            CVMX_MF_3DES_RESULT(*outp64);
+        }
+    }
+
+    CVMX_MT_3DES_IV(iv[0]);
+
+    return 0;
+}
+
+int Octeon_Des3_CbcDecrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t inl)
+{
+    register uint64_t i0, r0;
+    uint64_t *key, *iv;
+
+    if (des3 == NULL || inp64 == NULL || outp64 == NULL)
+        return BAD_FUNC_ARG;
+
+    /* expects 64-bit aligned value */
+    key = (uint64_t*)des3->devKey;
+    CVMX_MT_3DES_KEY(key[0], 0);
+    CVMX_MT_3DES_KEY(key[1], 1);
+    CVMX_MT_3DES_KEY(key[2], 2);
+
+    iv = (uint64_t*)des3->reg;
+    CVMX_MT_3DES_IV(iv[0]);
+
+    CVMX_PREFETCH0(inp64);
+
+    i0 = *inp64;
+
+    /* DES3 assembly can handle 16-byte chunks */
+    if (inl >= 16) {
+        CVMX_MT_3DES_DEC_CBC(i0);
+        inl -= 8;
+        inp64++;
+        outp64++;
+
+        if (inl >= 8) {
+            i0 = inp64[0];
+            CVMX_MF_3DES_RESULT(r0);
+            CVMX_MT_3DES_DEC_CBC(i0);
+
+            for (;;) {
+                outp64[-1] = r0;
+                inl -= 8;
+                inp64++;
+                outp64++;
+                i0 = *inp64;
+
+                if (inl < 8)
+                    break;
+
+                CVMX_PREFETCH(inp64, 64);
+                CVMX_MF_3DES_RESULT(r0);
+                CVMX_MT_3DES_DEC_CBC(i0);
+            }
+        }
+
+        CVMX_MF_3DES_RESULT(r0);
+        outp64[-1] = r0;
+    }
+    /* remainder */
+    if (inl > 0) {
+        if (inl <= 8) {
+            uint64_t r = 0;
+            XMEMCPY(&r, inp64, inl);
+            CVMX_MT_3DES_DEC_CBC(r);
+            CVMX_MF_3DES_RESULT(*outp64);
+        }
+        else {
+            uint64_t r = 0;
+            i0 = *inp64;
+            CVMX_MT_3DES_DEC_CBC(i0);
+            CVMX_MF_3DES_RESULT(*outp64);
+            inp64++, outp64++;
+
+            XMEMCPY(&r, inp64, inl);
+            CVMX_MT_3DES_DEC_CBC(r);
+            CVMX_MF_3DES_RESULT(*outp64);
+        }
+    }
+
+    CVMX_MT_3DES_IV(iv[0]);
+
+    return 0;
+}
+#endif /* !NO_DES3 */
+
+
+#ifndef NO_AES
+
+#ifdef WOLFSSL_AES_DIRECT
+/* Perform Single Block ECB Encrypt */
+int Octeon_AesEcb_Encrypt(Aes* aes, const unsigned char *in, unsigned char *out)
+{
+    uint64_t *in64, *out64, *key;
+
+    if (aes == NULL || in == NULL || out == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    key = (uint64_t*)aes->devKey;
+    CVMX_MT_AES_KEY(key[0], 0);
+    CVMX_MT_AES_KEY(key[1], 1);
+    CVMX_MT_AES_KEY(key[2], 2);
+    CVMX_MT_AES_KEY(key[3], 3);
+    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
+
+    in64 = (uint64_t*)in;
+    out64 = (uint64_t*)out;
+
+    CVMX_MT_AES_ENC0(in64[0]);
+    CVMX_MT_AES_ENC1(in64[1]);
+    CVMX_MF_AES_RESULT(out64[0],0);
+    CVMX_MF_AES_RESULT(out64[1],1);
+
+    return 0;
+}
+
+/* Perform Single Block ECB Decrypt */
+int Octeon_AesEcb_Decrypt(Aes* aes, const unsigned char *in, unsigned char *out)
+{
+    uint64_t *in64, *out64, *key;
+
+    if (aes == NULL || in == NULL || out == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    key = (uint64_t*)aes->devKey;
+    CVMX_MT_AES_KEY(key[0], 0);
+    CVMX_MT_AES_KEY(key[1], 1);
+    CVMX_MT_AES_KEY(key[2], 2);
+    CVMX_MT_AES_KEY(key[3], 3);
+    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
+
+    in64 = (uint64_t*)in;
+    out64 = (uint64_t*)out;
+    CVMX_MT_AES_DEC0(in64[0]);
+    CVMX_MT_AES_DEC1(in64[1]);
+    CVMX_MF_AES_RESULT(out64[0],0);
+    CVMX_MF_AES_RESULT(out64[1],1);
+
+    return 0;
+}
+#endif /* WOLFSSL_AES_DIRECT */
+
+#ifdef HAVE_AES_CBC
+int Octeon_AesCbc_Encrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl)
+{
+    register uint64_t i0, i1, r0, r1;
+    uint64_t *key, *iv;
+
+    if (aes == NULL || inp64 == NULL || outp64 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    iv = (uint64_t*)aes->reg;
+    CVMX_MT_AES_IV(iv[0], 0);
+    CVMX_MT_AES_IV(iv[1], 1);
+
+    key = (uint64_t*)aes->devKey;
+    CVMX_MT_AES_KEY(key[0], 0);
+    CVMX_MT_AES_KEY(key[1], 1);
+    CVMX_MT_AES_KEY(key[2], 2);
+    CVMX_MT_AES_KEY(key[3], 3);
+
+    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
+
+    CVMX_PREFETCH0(inp64);
+
+    i0 = inp64[0];
+    i1 = inp64[1];
+
+    /* AES assembly can handle 32-byte chunks */
+    if (inl >= 32) {
+        CVMX_MT_AES_ENC_CBC0(i0);
+        CVMX_MT_AES_ENC_CBC1(i1);
+        inl -= 16;
+        inp64  += 2;
+        outp64 += 2;
+
+        if (inl >= 16) {
+            CVMX_MF_AES_RESULT(r0, 0);
+            CVMX_MF_AES_RESULT(r1, 1);
+            i0 = inp64[0];
+            i1 = inp64[1];
+            CVMX_MT_AES_ENC_CBC0(i0);
+            CVMX_MT_AES_ENC_CBC1(i1);
+
+            for (;;) {
+                outp64[-2] = r0;
+                outp64[-1] = r1;
+                outp64 += 2;
+                inp64 += 2;
+                inl -= 16;
+                i0 = inp64[0];
+                i1 = inp64[1];
+
+                if (inl < 16)
+                    break;
+
+                CVMX_PREFETCH(inp64, 64);
+                CVMX_MF_AES_RESULT(r0, 0);
+                CVMX_MF_AES_RESULT(r1, 1);
+                CVMX_MT_AES_ENC_CBC0(i0);
+                CVMX_MT_AES_ENC_CBC1(i1);
+            }
+        }
+
+        CVMX_MF_AES_RESULT(r0, 0);
+        CVMX_MF_AES_RESULT(r1, 1);
+        outp64[-2] = r0;
+        outp64[-1] = r1;
+    }
+    /* remainder */
+    if (inl > 0) {
+        uint64_t in64[2] = { 0, 0 };
+        if (inl <= 16) {
+            XMEMCPY(in64, inp64, inl);
+            CVMX_MT_AES_ENC_CBC0(in64[0]);
+            CVMX_MT_AES_ENC_CBC1(in64[1]);
+            CVMX_MF_AES_RESULT(r0, 0);
+            CVMX_MF_AES_RESULT(r1, 1);
+            outp64[0] = r0;
+            outp64[1] = r1;
+        }
+        else {
+            CVMX_MT_AES_ENC_CBC0(i0);
+            CVMX_MT_AES_ENC_CBC1(i1);
+            CVMX_MF_AES_RESULT(r0, 0);
+            CVMX_MF_AES_RESULT(r1, 1);
+            inl -= 16;
+            outp64[0] = r0;
+            outp64[1] = r1;
+            inp64 += 2;
+            outp64 += 2;
+            XMEMCPY(in64, inp64, inl);
+            CVMX_MT_AES_ENC_CBC0(in64[0]);
+            CVMX_MT_AES_ENC_CBC1(in64[1]);
+            CVMX_MF_AES_RESULT(r0, 0);
+            CVMX_MF_AES_RESULT(r1, 1);
+            outp64[0] = r0;
+            outp64[1] = r1;
+        }
+    }
+
+    CVMX_MF_AES_IV(iv[0], 0);
+    CVMX_MF_AES_IV(iv[1], 1);
+
+    return 0;
+}
+
+int Octeon_AesCbc_Decrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl)
+{
+    register uint64_t i0, i1, r0, r1;
+    uint64_t *key, *iv;
+
+    if (aes == NULL || inp64 == NULL || outp64 == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    iv = (uint64_t*)aes->reg;
+    key = (uint64_t*)aes->devKey;
+
+    CVMX_MT_AES_IV(iv[0], 0);
+    CVMX_MT_AES_IV(iv[1], 1);
+
+    CVMX_MT_AES_KEY(key[0], 0);
+    CVMX_MT_AES_KEY(key[1], 1);
+    CVMX_MT_AES_KEY(key[2], 2);
+    CVMX_MT_AES_KEY(key[3], 3);
+    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
+
+    CVMX_PREFETCH0(inp64);
+
+    i0 = inp64[0];
+    i1 = inp64[1];
+
+    /* AES assembly can handle 32-byte chunks */
+    if (inl >= 32) {
+        CVMX_MT_AES_DEC_CBC0(i0);
+        CVMX_MT_AES_DEC_CBC1(i1);
+        inp64 += 2;
+        outp64 += 2;
+        inl -= 16;
+
+        if (inl >= 16) {
+            i0 = inp64[0];
+            i1 = inp64[1];
+            CVMX_MF_AES_RESULT(r0, 0);
+            CVMX_MF_AES_RESULT(r1, 1);
+            CVMX_MT_AES_DEC_CBC0(i0);
+            CVMX_MT_AES_DEC_CBC1(i1);
+
+            for (;;) {
+                outp64[-2] = r0;
+                outp64[-1] = r1;
+                outp64 += 2;
+                inp64 += 2;
+                inl -= 16;
+                i0 = inp64[0];
+                i1 = inp64[1];
+
+                if (inl < 16)
+                    break;
+
+                CVMX_PREFETCH(inp64, 64);
+                CVMX_MF_AES_RESULT(r0, 0);
+                CVMX_MF_AES_RESULT(r1, 1);
+                CVMX_MT_AES_DEC_CBC0(i0);
+                CVMX_MT_AES_DEC_CBC1(i1);
+           }
+        }
+
+        CVMX_MF_AES_RESULT(r0, 0);
+        CVMX_MF_AES_RESULT(r1, 1);
+        outp64[-2] = r0;
+        outp64[-1] = r1;
+    }
+    /* remainder */
+    if (inl > 0) {
+        uint64_t in64[2] = { 0, 0 };
+        XMEMCPY(in64, inp64, inl);
+        CVMX_MT_AES_DEC_CBC0(in64[0]);
+        CVMX_MT_AES_DEC_CBC1(in64[1]);
+        CVMX_MF_AES_RESULT(r0, 0);
+        CVMX_MF_AES_RESULT(r1, 1);
+        outp64[0] = r0;
+        outp64[1] = r1;
+    }
+
+    CVMX_MF_AES_IV(iv[0], 0);
+    CVMX_MF_AES_IV(iv[1], 1);
+
+    return 0;
+}
+#endif /* HAVE_AES_CBC */
+
+
+#ifdef HAVE_AESGCM
+
+#define CVM_AES_RD_RESULT_WR_DATA(in1, in2, out1, out2) \
+    asm volatile(\
+            ".set noreorder    \n" \
+            "dmfc2 %[r1],0x0100\n" \
+            "dmfc2 %[r2],0x0101\n" \
+            "dmtc2 %[r3],0x010a\n" \
+            "dmtc2 %[r4],0x310b\n" \
+            ".set reorder      \n" \
+            : [r1] "=&d"(in1) , [r2] "=&d"(in2) \
+            : [r3] "d"(out1),  [r4] "d"(out2))
+
+static inline void Octeon_GHASH_Restore(word16 poly, byte* h)
+{
+    word64* bigH = (word64*)h;
+    CVMX_MT_GFM_POLY((word64)poly);
+    CVMX_MT_GFM_MUL(bigH[0], 0);
+    CVMX_MT_GFM_MUL(bigH[1], 1);
+}
+
+
+static inline void Octeon_GHASH_Init(word16 poly, byte* h)
+{
+    Octeon_GHASH_Restore(poly, h);
+    CVMX_MT_GFM_RESINP(0, 0);
+    CVMX_MT_GFM_RESINP(0, 1);
+}
+
+
+static inline void Octeon_GHASH_Update(byte* in)
+{
+    word64* bigIn = (word64*)in;
+    CVMX_MT_GFM_XOR0(bigIn[0]);
+    CVMX_MT_GFM_XORMUL1(bigIn[1]);
+}
+
+
+static inline void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
+{
+    word64* bigOut = (word64*)out;
+
+    CVMX_MT_GFM_XOR0(authInSz);
+    CVMX_MT_GFM_XORMUL1(inSz);
+    CVMX_MF_GFM_RESINP(bigOut[0], 0);
+    CVMX_MF_GFM_RESINP(bigOut[1], 1);
+}
+
+
+/* Sets the Octeon key with the key found in the Aes record. */
+static int Octeon_AesGcm_SetKey(Aes* aes)
+{
+    int ret = 0;
+
+    if (aes == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret != 0) {
+        word32* key = (word32*)aes->devKey;
+
+        CVMX_MT_AES_KEY(key[0], 0);
+        CVMX_MT_AES_KEY(key[1], 1);
+        CVMX_MT_AES_KEY(key[2], 2);
+        CVMX_MT_AES_KEY(key[3], 3);
+        CVMX_MT_AES_KEYLENGTH((aes->keylen / 8) - 1);
+    }
+
+    return ret;
+}
+
+
+static int Octeon_AesGcm_SetIV(Aes* aes, byte* iv, word32 ivSz)
+{
+    int ret = 0;
+
+    if (aes == NULL || iv == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0) {
+        if (ivSz == GCM_NONCE_MID_SZ) {
+            XMEMSET((byte*)aes->reg, 0, sizeof(aes->reg));
+            XMEMCPY((byte*)aes->reg, iv, ivSz);
+            aes->reg[3] = 1;
+        }
+        else {
+            int blocks, remainder, i;
+            byte aesBlock[AES_BLOCK_SIZE];
+
+            blocks = ivSz / AES_BLOCK_SIZE;
+            remainder = ivSz % AES_BLOCK_SIZE;
+
+            for (i = 0; i < blocks; i++, iv += AES_BLOCK_SIZE)
+                Octeon_GHASH_Update(iv);
+
+            XMEMSET(aesBlock, 0, sizeof(aesBlock));
+            for (i = 0; i < remainder; i++)
+                aesBlock[i] = iv[i];
+            Octeon_GHASH_Update(aesBlock);
+
+            Octeon_GHASH_Final((byte*)aes->reg, 0, ivSz);
+        }
+
+        aes->y0 = aes->reg[3];
+        aes->reg[3]++;
+
+        Octeon_GHASH_Init(0xe100, aes->H);
+    }
+
+    return ret;
+}
+
+
+static int Octeon_AesGcm_SetAAD(Aes* aes, byte* aad, word32 aadSz)
+{
+    word64* p;
+    ALIGN16 byte aesBlock[AES_BLOCK_SIZE];
+    int blocks, remainder, i;
+
+    if (aes == NULL || (aadSz != 0 && aad == NULL))
+        return BAD_FUNC_ARG;
+
+    if (aadSz == 0)
+        return 0;
+
+    blocks = aadSz / AES_BLOCK_SIZE;
+    remainder = aadSz % AES_BLOCK_SIZE;
+
+    Octeon_GHASH_Restore(0xe100, aes->H);
+
+    p = (word64*)aesBlock;
+
+    for (i = 0; i < blocks; i++, aad += AES_BLOCK_SIZE) {
+        CVMX_LOADUNA_INT64(p[0], aad, 0);
+        CVMX_LOADUNA_INT64(p[1], aad, 8);
+        CVMX_MT_GFM_XOR0(p[0]);
+        CVMX_MT_GFM_XORMUL1(p[1]);
+    }
+
+    XMEMSET(aesBlock, 0, sizeof(aesBlock));
+
+    for (i = 0; i < remainder; i++)
+        aesBlock[i] = aad[i];
+
+    CVMX_MT_GFM_XOR0(p[0]);
+    CVMX_MT_GFM_XORMUL1(p[1]);
+
+    return 0;
+}
+
+
+static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+        int encrypt)
+{
+    word32 i, blocks, remainder;
+    ALIGN16 byte aesBlockIn[AES_BLOCK_SIZE];
+    ALIGN16 byte aesBlockOut[AES_BLOCK_SIZE];
+    ALIGN16 byte aesBlockMask[AES_BLOCK_SIZE];
+    word64* pIn;
+    word64* pOut;
+    word64* pIv;
+
+    if (aes == NULL || in == NULL || out == NULL)
+        return BAD_FUNC_ARG;
+
+    pIn = (word64*)aesBlockIn;
+    pOut = (word64*)aesBlockOut;
+    pIv = (word64*)aes->reg;
+
+    CVMX_PREFETCH0(in);
+
+    CVMX_MT_AES_ENC0(&pIv[0]);
+    CVMX_MT_AES_ENC1(&pIv[1]);
+
+    blocks = inSz / AES_BLOCK_SIZE;
+    remainder = inSz % AES_BLOCK_SIZE;
+
+    for (i = 0; i < blocks;
+            i++, in += AES_BLOCK_SIZE, out += AES_BLOCK_SIZE) {
+        CVMX_PREFETCH128(in);
+        aes->reg[3]++;
+
+        CVMX_LOADUNA_INT64(pIn[0], in, 0);
+        CVMX_LOADUNA_INT64(pIn[1], in, 8);
+
+        CVM_AES_RD_RESULT_WR_DATA(pOut[0], pOut[1], pIv[0], pIv[1]);
+
+        if (encrypt) {
+            pOut[0] ^= pIn[0];
+            pOut[1] ^= pIn[1];
+            CVMX_MT_GFM_XOR0(pOut[0]);
+            CVMX_MT_GFM_XORMUL1(pOut[1]);
+        }
+        else {
+            CVMX_MT_GFM_XOR0(pOut[0]);
+            CVMX_MT_GFM_XORMUL1(pOut[1]);
+            pOut[0] ^= pIn[0];
+            pOut[1] ^= pIn[1];
+        }
+
+        CVMX_STOREUNA_INT64(pOut[0], out, 0);
+        CVMX_STOREUNA_INT64(pOut[1], out, 8);
+    }
+
+    XMEMSET(aesBlockMask, 0, sizeof(aesBlockMask));
+    for (i = 0; i < remainder; i++) {
+        aesBlockIn[i] = in[i];
+        aesBlockMask[i] = 0xff;
+    }
+
+    if (encrypt) {
+        CVMX_MF_AES_RESULT(pOut[0], 0);
+        CVMX_MF_AES_RESULT(pOut[1], 1);
+
+        pOut[0] ^= pIn[0];
+        pOut[1] ^= pIn[1];
+
+        pIv = (word64*)aesBlockMask;
+        pOut[0] &= pIv[0];
+        pOut[1] &= pIv[1];
+
+        CVMX_MT_GFM_XOR0(pOut[0]);
+        CVMX_MT_GFM_XORMUL1(pOut[1]);
+    }
+    else {
+        CVMX_MT_GFM_XOR0(pIn[0]);
+        CVMX_MT_GFM_XORMUL1(pIn[1]);
+
+        CVMX_MF_AES_RESULT(pOut[0], 0);
+        CVMX_MF_AES_RESULT(pOut[1], 1);
+
+        pOut[0] ^= pIn[0];
+        pOut[1] ^= pIn[1];
+
+        pIv = (word64*)aesBlockMask;
+        pOut[0] &= pIv[0];
+        pOut[1] &= pIv[1];
+    }
+
+    for (i = 0; i < remainder; i++)
+        out[i] = aesBlockOut[i];
+
+    return 0;
+}
+
+
+static int Octeon_AesGcm_Finalize(Aes* aes, word32 inSz, word32 aadSz,
+        byte* tag)
+{
+    word64 bigSz;
+    word64* pIv;
+    word64* pIn;
+    word64* pOut;
+    uint32_t countSave;
+    ALIGN16 byte aesBlockIn[AES_BLOCK_SIZE];
+    ALIGN16 byte aesBlockOut[AES_BLOCK_SIZE];
+
+    countSave = aes->reg[3];
+    aes->reg[3] = aes->y0;
+
+    pIv = (word64*)aes->reg;
+    CVMX_MT_AES_ENC0(pIv[0]);
+    CVMX_MT_AES_ENC1(pIv[1]);
+
+    bigSz = (word64)aadSz * 8;
+    CVMX_MT_GFM_XOR0(bigSz);
+    bigSz = (word64)inSz * 8;
+    CVMX_MT_GFM_XORMUL1(bigSz);
+
+    aes->reg[3] = countSave;
+
+    pIn = (word64*)aesBlockIn;
+    CVMX_MF_AES_RESULT(pIn[0], 0);
+    CVMX_MF_AES_RESULT(pIn[1], 1);
+
+    pOut = (word64*)aesBlockOut;
+    CVMX_MF_GFM_RESINP(pOut[0], 0);
+    CVMX_MF_GFM_RESINP(pOut[1], 1);
+
+    pOut[0] ^= pIn[0];
+    pOut[1] ^= pIn[1];
+
+    CVMX_STOREUNA_INT64(pOut[0], tag, 0);
+    CVMX_STOREUNA_INT64(pOut[1], tag, 8);
+
+    return 0;
+}
+
+
+int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag)
+{
+    int ret = 0;
+
+    if (aes == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetKey(aes);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetIV(aes, iv, ivSz);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetAAD(aes, aad, aadSz);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetEncrypt(aes, in, out, inSz, 1);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_Finalize(aes, inSz, aadSz, tag);
+
+    return ret;
+}
+
+
+int Octeon_AesGcm_Decrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag)
+{
+    int ret = 0;
+
+    if (aes == NULL)
+        ret = BAD_FUNC_ARG;
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetKey(aes);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetIV(aes, iv, ivSz);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetAAD(aes, aad, aadSz);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_SetEncrypt(aes, in, out, inSz, 0);
+
+    if (ret == 0)
+        ret = Octeon_AesGcm_Finalize(aes, inSz, aadSz, tag);
+
+    return ret;
+}
+
+#endif /* HAVE_AESGCM */
+
+#endif /* !NO_AES */
+
+#ifdef WOLF_CRYPTO_CB
+
+#include <wolfssl/wolfcrypt/cryptocb.h>
+
+
+static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
+{
+    int ret = NOT_COMPILED_IN; /* return this to bypass HW and use SW */
+
+    if (info == NULL)
+        return BAD_FUNC_ARG;
+
+#ifdef DEBUG_WOLFSSL
+    printf("CryptoDevCb: Algo Type %d\n", info->algo_type);
+#endif
+
+    if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
+#if !defined(NO_AES) || !defined(NO_DES3)
+    #ifdef HAVE_AESGCM
+        if (info->cipher.type == WC_CIPHER_AES_GCM) {
+            if (info->cipher.enc) {
+                ret = Octeon_AesGcm_Encrypt(
+                    info->cipher.aesgcm_enc.aes,
+                    (byte*)info->cipher.aesgcm_enc.in,
+                    (byte*)info->cipher.aesgcm_enc.out,
+                    info->cipher.aesgcm_enc.sz,
+                    (byte*)info->cipher.aesgcm_enc.iv,
+                    info->cipher.aesgcm_enc.ivSz,
+                    (byte*)info->cipher.aesgcm_enc.authIn,
+                    info->cipher.aesgcm_enc.authInSz,
+                    (byte*)info->cipher.aesgcm_enc.authTag);
+            }
+            else {
+                ret = Octeon_AesGcm_Decrypt(
+                    info->cipher.aesgcm_dec.aes,
+                    (byte*)info->cipher.aesgcm_dec.in,
+                    (byte*)info->cipher.aesgcm_dec.out,
+                    info->cipher.aesgcm_dec.sz,
+                    (byte*)info->cipher.aesgcm_dec.iv,
+                    info->cipher.aesgcm_dec.ivSz,
+                    (byte*)info->cipher.aesgcm_dec.authIn,
+                    info->cipher.aesgcm_dec.authInSz,
+                    (byte*)info->cipher.aesgcm_dec.authTag);
+            }
+        }
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AES_CBC
+        if (info->cipher.type == WC_CIPHER_AES_CBC) {
+            if (info->cipher.enc) {
+                ret = Octeon_AesCbc_Encrypt(
+                    info->cipher.aescbc.aes,
+                    (word64*)info->cipher.aescbc.in,
+                    (word64*)info->cipher.aescbc.out,
+                    info->cipher.aescbc.sz);
+            }
+            else {
+                ret = Octeon_AesCbc_Decrypt(
+                    info->cipher.aescbc.aes,
+                    (word64*)info->cipher.aescbc.in,
+                    (word64*)info->cipher.aescbc.out,
+                    info->cipher.aescbc.sz);
+            }
+        }
+    #endif /* HAVE_AES_CBC */
+    #ifndef NO_DES3
+        if (info->cipher.type == WC_CIPHER_DES3) {
+            if (info->cipher.enc) {
+                ret = Octeon_Des3_CbcEncrypt(
+                    info->cipher.des3.des,
+                    (word64*)info->cipher.des3.in,
+                    (word64*)info->cipher.des3.out,
+                    info->cipher.des3.sz);
+            }
+            else {
+                ret = Octeon_Des3_CbcDecrypt(
+                    info->cipher.des3.des,
+                    (word64*)info->cipher.des3.in,
+                    (word64*)info->cipher.des3.out,
+                    info->cipher.des3.sz);
+            }
+        }
+    #endif /* !NO_DES3 */
+#endif /* !NO_AES || !NO_DES3 */
+    }
+
+    (void)devIdArg;
+    (void)ctx;
+
+    return ret;
+}
+
+int wc_CryptoCb_InitOcteon(void)
+{
+    return wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, NULL);
+}
+
+void wc_CryptoCb_CleanupOcteon(void)
+{
+    wc_CryptoCb_UnRegisterDevice(devId);
+}
+
+int wc_CryptoCb_GetDevIdOcteon(void)
+{
+    return devId;
+}
+
+#endif /* WOLF_CRYPTO_CB */
+
+
+#ifndef NO_MAIN_DRIVER
+
+#ifndef NO_DES3
+static int des3_test(void)
+{
+    const byte vector[] = { /* "Now is the time for all " w/o trailing 0 */
+        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
+        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
+        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
+    };
+
+    byte plain[24];
+    byte cipher[24];
+
+    Des3 enc;
+    Des3 dec;
+
+    const byte key3[] =
+    {
+        0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
+        0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
+        0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
+    };
+    const byte iv3[] =
+    {
+        0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef,
+        0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
+        0x11,0x21,0x31,0x41,0x51,0x61,0x71,0x81
+
+    };
+
+    const byte verify3[] =
+    {
+        0x43,0xa0,0x29,0x7e,0xd1,0x84,0xf8,0x0e,
+        0x89,0x64,0x84,0x32,0x12,0xd5,0x08,0x98,
+        0x18,0x94,0x15,0x74,0x87,0x12,0x7d,0xb0
+    };
+
+    int ret;
+
+
+    if (wc_Des3Init(&enc, NULL, devId) != 0)
+        return -4700;
+    if (wc_Des3Init(&dec, NULL, devId) != 0)
+        return -4701;
+
+    ret = wc_Des3_SetKey(&enc, key3, iv3, DES_ENCRYPTION);
+    if (ret != 0)
+        return -4702;
+    ret = wc_Des3_SetKey(&dec, key3, iv3, DES_DECRYPTION);
+    if (ret != 0)
+        return -4703;
+    ret = wc_Des3_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
+    if (ret != 0)
+        return -4704;
+    ret = wc_Des3_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
+    if (ret != 0)
+        return -4705;
+
+    if (XMEMCMP(plain, vector, sizeof(plain)))
+        return -4706;
+
+    if (XMEMCMP(cipher, verify3, sizeof(cipher)))
+        return -4707;
+
+
+    wc_Des3Free(&enc);
+    wc_Des3Free(&dec);
+
+    return 0;
+}
+#endif /* NO_DES */
+
+int main(void)
+{
+    int ret = 0;
+
+    wolfCrypt_Init();
+
+    /* The following is called in wolfCrypt_Init().
+    wc_CryptoCb_InitOcteon();
+    */
+
+#ifndef NO_DES3
+    des3_test();
+#endif
+
+    wolfCrypt_Cleanup();
+
+    return ret;
+}
+#endif /* !NO_MAIN_DRIVER */
+
+#endif /* HAVE_CAVIUM_OCTEON_SYNC */
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
index b0b0faf83..f13a23740 100644
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -76,6 +76,9 @@
 
 #ifdef HAVE_INTEL_QA_SYNC
     #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
 #endif
 
 #ifdef _MSC_VER
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index cf25d6249..926a2f547 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -159,6 +159,9 @@ struct Aes {
     /* key-based fast multiplication table. */
     ALIGN16 byte M0[256][AES_BLOCK_SIZE];
 #endif /* GCM_TABLE */
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    word32 y0;
+#endif
 #endif /* HAVE_AESGCM */
 #ifdef WOLFSSL_AESNI
     byte use_aesni;
diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h
index 69cd6ed47..9c5e5d530 100644
--- a/wolfssl/wolfcrypt/des3.h
+++ b/wolfssl/wolfcrypt/des3.h
@@ -109,6 +109,7 @@ struct Des3 {
 #ifdef WOLF_CRYPTO_CB
     int    devId;
     void*  devCtx;
+    word32 devKey[DES3_KEY_SIZE/sizeof(word32)]; /* raw key */
 #endif
     void* heap;
 };
diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am
index 9b9d76588..56f5efe96 100644
--- a/wolfssl/wolfcrypt/include.am
+++ b/wolfssl/wolfcrypt/include.am
@@ -106,6 +106,10 @@ if BUILD_CAVIUM
 nobase_include_HEADERS+= wolfssl/wolfcrypt/port/cavium/cavium_nitrox.h
 endif
 
+if BUILD_OCTEON_SYNC
+nobase_include_HEADERS+= wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
+endif
+
 if BUILD_INTEL_QA
 nobase_include_HEADERS+= wolfssl/wolfcrypt/port/intel/quickassist.h
 nobase_include_HEADERS+= wolfssl/wolfcrypt/port/intel/quickassist_mem.h
diff --git a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
new file mode 100644
index 000000000..af0816898
--- /dev/null
+++ b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
@@ -0,0 +1,79 @@
+/* cavium_octeon.h
+ *
+ * Copyright (C) 2006-2019 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifndef _CAVIUM_OCTEON_SYNC_H_
+#define _CAVIUM_OCTEON_SYNC_H_
+
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+
+#ifndef NO_DES3
+    #include <wolfssl/wolfcrypt/des3.h>
+#endif
+#ifndef NO_AES
+    #include <wolfssl/wolfcrypt/aes.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "cvmx.h"
+#include "cvmx-asm.h"
+#include "cvmx-key.h"
+#include "cvmx-swap.h"
+
+
+#ifdef WOLF_CRYPTO_CB
+int wc_CryptoCb_InitOcteon(void);
+void wc_CryptoCb_CleanupOcteon(void);
+int wc_CryptoCb_GetDevIdOcteon(void);
+#endif /* WOLF_CRYPTO_CB */
+
+
+#ifndef NO_DES3
+int Octeon_Des3_CbcEncrypt(Des3 *key, uint64_t *inp64, uint64_t *outp64, size_t inl);
+int Octeon_Des3_CbcDecrypt(Des3 *key, uint64_t *inp64, uint64_t *outp64, size_t inl);
+#endif /* !NO_DES3 */
+
+
+#ifndef NO_AES
+
+#ifdef WOLFSSL_AES_DIRECT
+int Octeon_AesEcb_Encrypt(Aes *aes, const unsigned char *in, unsigned char *out);
+int Octeon_AesEcb_Decrypt(Aes *aes, const unsigned char *in, unsigned char *out);
+#endif
+
+#ifdef HAVE_AES_CBC
+int Octeon_AesCbc_Encrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl);
+int Octeon_AesCbc_Decrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl);
+#endif
+
+#ifdef HAVE_AESGCM
+int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
+int Octeon_AesGcm_Decrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
+#endif /* HAVE_AESGCM */
+
+#endif /* !NO_AES */
+
+#endif /* HAVE_CAVIUM_OCTEON_SYNC */
+#endif /* _CAVIUM_OCTEON_SYNC_H_ */
diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h
index 225876f22..3a1dd2b8b 100644
--- a/wolfssl/wolfcrypt/wc_port.h
+++ b/wolfssl/wolfcrypt/wc_port.h
@@ -731,6 +731,16 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 #endif
 
 
+#ifdef HAVE_NITROX_OCTEON
+    /* By default, the OCTEON's global variables are all thread local. This
+     * tag allows them to be shared between threads. */
+    #include "cvmx-platform.h"
+    #define WOLFSSL_GLOBAL CVMX_SHARED
+#else
+    #define WOLFSSL_GLOBAL
+#endif
+
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif

From 67b11b8ece3af8c3f4cbe73d11057a966d912075 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Fri, 4 Oct 2019 15:35:39 -0700
Subject: [PATCH 02/10] Fixing some play-nice between sync QAT and sync Octeon.

---
 src/sniffer.c                                 | 24 ++++++++++++++++---
 wolfcrypt/benchmark/benchmark.c               | 17 +++++++------
 wolfcrypt/src/aes.c                           |  6 +++++
 .../src/port/cavium/cavium_octeon_sync.c      |  2 +-
 wolfcrypt/src/wc_port.c                       |  1 +
 wolfssl/wolfcrypt/des3.h                      |  1 -
 .../wolfcrypt/port/intel/quickassist_sync.h   | 22 ++++++++---------
 7 files changed, 50 insertions(+), 23 deletions(-)

diff --git a/src/sniffer.c b/src/sniffer.c
index 12fd113d8..7741c3f63 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -61,6 +61,9 @@
     #ifdef HAVE_INTEL_QA_SYNC
         #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
     #endif
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+        #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+    #endif
 #endif
 
 
@@ -508,16 +511,28 @@ void ssl_InitSniffer(void)
         int rc;
         CryptoDeviceId = IntelQaInit(NULL);
         if (CryptoDeviceId == INVALID_DEVID) {
-            WOLFSSL_MSG("Couldn't init the Intel QA");
+            printf("Couldn't init the Intel QA\n");
         }
         rc = IntelQaOpen(&CryptoDevice, CryptoDeviceId);
         if (rc != 0) {
-            WOLFSSL_MSG("Couldn't open the device");
+            printf("Couldn't open the device\n");
         }
         rc = wc_CryptoCb_RegisterDevice(CryptoDeviceId,
                 IntelQaSymSync_CryptoDevCb, &CryptoDevice);
         if (rc != 0) {
-            WOLFSSL_MSG("Couldn't register the device");
+            printf("Couldn't register the device\n");
+        }
+    }
+    #endif
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+    {
+        CryptoDeviceId = wc_CryptoCb_GetDevIdOcteon();
+        if (CryptoDeviceId == INVALID_DEVID) {
+            printf("Couldn't get the Octeon device ID\n");
+        }
+        if (wc_CryptoCb_InitOcteon() != 0) {
+            printf("Couldn't init the Cavium Octeon\n");
+            CryptoDeviceId = INVALID_DEVID;
         }
     }
     #endif
@@ -656,6 +671,9 @@ void ssl_FreeSniffer(void)
     IntelQaClose(&CryptoDevice);
     IntelQaDeInit(CryptoDeviceId);
 #endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    wc_CryptoCb_CleanupOcteon();
+#endif
 #endif
 
     if (TraceFile) {
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index 2e13b27e4..58a3f2391 100755
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -174,6 +174,9 @@
 
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+    #ifdef HAVE_INTEL_QA_SYNC
+        #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+    #endif
     #ifdef HAVE_CAVIUM_OCTEON_SYNC
         #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
     #endif
@@ -1305,16 +1308,16 @@ static void* benchmarks_do(void* args)
         int rc;
         devId = IntelQaInit(NULL);
         if (devId == INVALID_DEVID) {
-            WOLFSSL_MSG("Couldn't init the Intel QA");
+            printf("Couldn't init the Intel QA\n");
         }
         rc = IntelQaOpen(&devQat, devId);
         if (rc != 0) {
-            WOLFSSL_MSG("Couldn't open the device");
+            printf("Couldn't open the device\n");
         }
         rc = wc_CryptoCb_RegisterDevice(devId,
                 IntelQaSymSync_CryptoDevCb, &devQat);
         if (rc != 0) {
-            WOLFSSL_MSG("Couldn't register the device");
+            printf("Couldn't register the device\n");
         }
     }
 #endif
@@ -1372,7 +1375,7 @@ static void* benchmarks_do(void* args)
     XMEMSET(bench_plain, 0, (size_t)bench_buf_size);
     XMEMSET(bench_cipher, 0, (size_t)bench_buf_size);
 
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(HAVE_INTEL_QA_SYNC)
     bench_key = (byte*)XMALLOC(sizeof(bench_key_buf), HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
     bench_iv = (byte*)XMALLOC(sizeof(bench_iv_buf), HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT);
     if (bench_key == NULL || bench_iv == NULL) {
@@ -1824,9 +1827,9 @@ exit:
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_UnRegisterDevice(CryptoDeviceId);
-    IntelQaClose(&CryptoDevice);
-    IntelQaDeInit(CryptoDeviceId);
+    wc_CryptoCb_UnRegisterDevice(devId);
+    IntelQaClose(&devQat);
+    IntelQaDeInit(devId);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
     wc_CryptoCb_CleanupOcteon();
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 08b3fec73..caf798795 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3629,6 +3629,12 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
     wc_AesGcmSetKey_ex(aes, key, len, 0);
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+    if (aes->devId != INVALID_DEVID) {
+        XMEMCPY(aes->devKey, key, len);
+    }
+#endif
+
 #ifdef WOLFSSL_IMX6_CAAM_BLOB
     ForceZero(local, sizeof(local));
 #endif
diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index dc7577111..b379ab0dd 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -503,7 +503,7 @@ static int Octeon_AesGcm_SetKey(Aes* aes)
         ret = BAD_FUNC_ARG;
 
     if (ret != 0) {
-        word32* key = (word32*)aes->devKey;
+        uint64_t* key = (uint64_t*)aes->devKey;
 
         CVMX_MT_AES_KEY(key[0], 0);
         CVMX_MT_AES_KEY(key[1], 1);
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
index f13a23740..18ca54180 100644
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -76,6 +76,7 @@
 
 #ifdef HAVE_INTEL_QA_SYNC
     #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+#endif
 
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
     #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
diff --git a/wolfssl/wolfcrypt/des3.h b/wolfssl/wolfcrypt/des3.h
index 9c5e5d530..69cd6ed47 100644
--- a/wolfssl/wolfcrypt/des3.h
+++ b/wolfssl/wolfcrypt/des3.h
@@ -109,7 +109,6 @@ struct Des3 {
 #ifdef WOLF_CRYPTO_CB
     int    devId;
     void*  devCtx;
-    word32 devKey[DES3_KEY_SIZE/sizeof(word32)]; /* raw key */
 #endif
     void* heap;
 };
diff --git a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
index 974d2b500..6a03ced37 100644
--- a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
+++ b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
@@ -155,16 +155,16 @@ typedef struct IntelQaDev {
 
 
 /* Interface */
-WOLFSSL_LOCAL int IntelQaHardwareStart(const char*, int);
-WOLFSSL_LOCAL void IntelQaHardwareStop(void);
-WOLFSSL_LOCAL int IntelQaInit(void*);
-WOLFSSL_LOCAL void IntelQaDeInit(int);
-WOLFSSL_LOCAL int IntelQaNumInstances(void);
-WOLFSSL_LOCAL int IntelQaOpen(IntelQaDev*, int);
-WOLFSSL_LOCAL void IntelQaClose(IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaPoll(IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaGetCyInstanceCount(void);
+WOLFSSL_API int IntelQaHardwareStart(const char*, int);
+WOLFSSL_API void IntelQaHardwareStop(void);
+WOLFSSL_API int IntelQaInit(void*);
+WOLFSSL_API void IntelQaDeInit(int);
+WOLFSSL_API int IntelQaNumInstances(void);
+WOLFSSL_API int IntelQaOpen(IntelQaDev*, int);
+WOLFSSL_API void IntelQaClose(IntelQaDev*);
+WOLFSSL_API int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
+WOLFSSL_API int IntelQaPoll(IntelQaDev*);
+WOLFSSL_API int IntelQaGetCyInstanceCount(void);
 
 #ifndef NO_AES
     #ifdef HAVE_AES_CBC
@@ -196,7 +196,7 @@ WOLFSSL_LOCAL int IntelQaGetCyInstanceCount(void);
 #endif /*! NO_DES3 */
 
 #ifdef WOLF_CRYPTO_CB
-    WOLFSSL_LOCAL int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
+    WOLFSSL_API int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
 			void*);
 #endif /* WOLF_CRYPTO_CB */
 

From 41e0712eb051fc9125e1180ac1a569c5d3dabb00 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Mon, 7 Oct 2019 17:33:51 -0700
Subject: [PATCH 03/10] Synchronous Cavium OCTEON Support for Sniffer 1. Fixes
 for AES-GCM.

---
 .../src/port/cavium/cavium_octeon_sync.c      | 84 +++++++++----------
 wolfssl/wolfcrypt/aes.h                       |  1 +
 2 files changed, 43 insertions(+), 42 deletions(-)

diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index b379ab0dd..3b4f1fbd3 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -487,8 +487,8 @@ static inline void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
 {
     word64* bigOut = (word64*)out;
 
-    CVMX_MT_GFM_XOR0(authInSz);
-    CVMX_MT_GFM_XORMUL1(inSz);
+    CVMX_MT_GFM_XOR0(authInSz * 8);
+    CVMX_MT_GFM_XORMUL1(inSz * 8);
     CVMX_MF_GFM_RESINP(bigOut[0], 0);
     CVMX_MF_GFM_RESINP(bigOut[1], 1);
 }
@@ -502,7 +502,7 @@ static int Octeon_AesGcm_SetKey(Aes* aes)
     if (aes == NULL)
         ret = BAD_FUNC_ARG;
 
-    if (ret != 0) {
+    if (ret == 0) {
         uint64_t* key = (uint64_t*)aes->devKey;
 
         CVMX_MT_AES_KEY(key[0], 0);
@@ -510,6 +510,15 @@ static int Octeon_AesGcm_SetKey(Aes* aes)
         CVMX_MT_AES_KEY(key[2], 2);
         CVMX_MT_AES_KEY(key[3], 3);
         CVMX_MT_AES_KEYLENGTH((aes->keylen / 8) - 1);
+
+        if (!aes->keySet) {
+            uint64_t* bigH = (uint64_t*)aes->H;
+            CVMX_MT_AES_ENC0(0);
+            CVMX_MT_AES_ENC1(0);
+            CVMX_MF_AES_RESULT(bigH[0], 0);
+            CVMX_MF_AES_RESULT(bigH[1], 1);
+            aes->keySet = 1;
+        }
     }
 
     return ret;
@@ -601,7 +610,6 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
     word32 i, blocks, remainder;
     ALIGN16 byte aesBlockIn[AES_BLOCK_SIZE];
     ALIGN16 byte aesBlockOut[AES_BLOCK_SIZE];
-    ALIGN16 byte aesBlockMask[AES_BLOCK_SIZE];
     word64* pIn;
     word64* pOut;
     word64* pIv;
@@ -615,8 +623,8 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
 
     CVMX_PREFETCH0(in);
 
-    CVMX_MT_AES_ENC0(&pIv[0]);
-    CVMX_MT_AES_ENC1(&pIv[1]);
+    CVMX_MT_AES_ENC0(pIv[0]);
+    CVMX_MT_AES_ENC1(pIv[1]);
 
     blocks = inSz / AES_BLOCK_SIZE;
     remainder = inSz % AES_BLOCK_SIZE;
@@ -648,44 +656,36 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
         CVMX_STOREUNA_INT64(pOut[1], out, 8);
     }
 
-    XMEMSET(aesBlockMask, 0, sizeof(aesBlockMask));
-    for (i = 0; i < remainder; i++) {
-        aesBlockIn[i] = in[i];
-        aesBlockMask[i] = 0xff;
+    if (remainder > 0) {
+        XMEMSET(aesBlockOut, 0, sizeof(aesBlockOut));
+        for (i = 0; i < remainder; i++)
+            aesBlockIn[i] = in[i];
+
+        if (encrypt) {
+            CVMX_MF_AES_RESULT(pOut[0], 0);
+            CVMX_MF_AES_RESULT(pOut[1], 1);
+
+            pOut[0] ^= pIn[0];
+            pOut[1] ^= pIn[1];
+
+            CVMX_MT_GFM_XOR0(pOut[0]);
+            CVMX_MT_GFM_XORMUL1(pOut[1]);
+        }
+        else {
+            CVMX_MT_GFM_XOR0(pIn[0]);
+            CVMX_MT_GFM_XORMUL1(pIn[1]);
+
+            CVMX_MF_AES_RESULT(pOut[0], 0);
+            CVMX_MF_AES_RESULT(pOut[1], 1);
+
+            pOut[0] ^= pIn[0];
+            pOut[1] ^= pIn[1];
+        }
+
+        for (i = 0; i < remainder; i++)
+            out[i] = aesBlockOut[i];
     }
 
-    if (encrypt) {
-        CVMX_MF_AES_RESULT(pOut[0], 0);
-        CVMX_MF_AES_RESULT(pOut[1], 1);
-
-        pOut[0] ^= pIn[0];
-        pOut[1] ^= pIn[1];
-
-        pIv = (word64*)aesBlockMask;
-        pOut[0] &= pIv[0];
-        pOut[1] &= pIv[1];
-
-        CVMX_MT_GFM_XOR0(pOut[0]);
-        CVMX_MT_GFM_XORMUL1(pOut[1]);
-    }
-    else {
-        CVMX_MT_GFM_XOR0(pIn[0]);
-        CVMX_MT_GFM_XORMUL1(pIn[1]);
-
-        CVMX_MF_AES_RESULT(pOut[0], 0);
-        CVMX_MF_AES_RESULT(pOut[1], 1);
-
-        pOut[0] ^= pIn[0];
-        pOut[1] ^= pIn[1];
-
-        pIv = (word64*)aesBlockMask;
-        pOut[0] &= pIv[0];
-        pOut[1] &= pIv[1];
-    }
-
-    for (i = 0; i < remainder; i++)
-        out[i] = aesBlockOut[i];
-
     return 0;
 }
 
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index 926a2f547..fa8eb8186 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -200,6 +200,7 @@ struct Aes {
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
     (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
     word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+    int    keySet;
 #endif
 #if defined(WOLFSSL_DEVCRYPTO) && \
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))

From 825f3119592744c35c203e2b69b2a533f8dac43d Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Fri, 11 Oct 2019 13:20:24 -0400
Subject: [PATCH 04/10] add OCTEON and QAT to wolfCrypt test, update SHA-1 to
 reset ret when it will do the software sha

---
 wolfcrypt/src/sha.c   |  2 ++
 wolfcrypt/test/test.c | 54 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c
index 1eee40bc3..cdd7146c3 100644
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@@ -499,6 +499,7 @@ int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
         ret = wc_CryptoCb_ShaHash(sha, data, len, NULL);
         if (ret != CRYPTOCB_UNAVAILABLE)
             return ret;
+        ret = 0; /* reset ret */
         /* fall-through when unavailable */
     }
 #endif
@@ -653,6 +654,7 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash)
         ret = wc_CryptoCb_ShaHash(sha, NULL, 0, hash);
         if (ret != CRYPTOCB_UNAVAILABLE)
             return ret;
+        ret = 0; /* reset ret */
         /* fall-through when unavailable */
     }
 #endif
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 9c3db9618..04de111b9 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -196,6 +196,12 @@
 #endif
 #ifdef WOLF_CRYPTO_CB
     #include <wolfssl/wolfcrypt/cryptocb.h>
+    #ifdef HAVE_INTEL_QA_SYNC
+        #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+    #endif
+    #ifdef HAVE_CAVIUM_OCTEON_SYNC
+        #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+    #endif
 #endif
 
 #ifdef _MSC_VER
@@ -252,6 +258,10 @@ static void initDefaultName(void);
 /* for async devices */
 static int devId = INVALID_DEVID;
 
+#if defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC)
+    static THREAD_LS_T IntelQaDev devQat;
+#endif
+
 #ifdef HAVE_WNR
     const char* wnrConfigFile = "wnr-example.conf";
 #endif
@@ -560,6 +570,39 @@ initDefaultName();
     (void)devId;
 #endif /* WOLFSSL_ASYNC_CRYPT */
 
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    {
+        int rc;
+        devId = IntelQaInit(NULL);
+        if (devId == INVALID_DEVID) {
+            printf("Couldn't init the Intel QA\n");
+        }
+        rc = IntelQaOpen(&devQat, devId);
+        if (rc != 0) {
+            printf("Couldn't open the device\n");
+        }
+        rc = wc_CryptoCb_RegisterDevice(devId,
+                IntelQaSymSync_CryptoDevCb, &devQat);
+        if (rc != 0) {
+            printf("Couldn't register the device\n");
+        }
+    }
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    {
+        devId = wc_CryptoCb_GetDevIdOcteon();
+        if (devId == INVALID_DEVID) {
+            printf("Couldn't get the Octeon device ID\n");
+        }
+        if (wc_CryptoCb_InitOcteon() != 0) {
+            printf("Couldn't init the Cavium Octeon\n");
+            devId = INVALID_DEVID;
+        }
+    }
+#endif
+#endif
+
 #ifdef HAVE_SELFTEST
     if ( (ret = wolfCrypt_SelfTest()) != 0)
         return err_sys("CAVP selftest failed!\n", ret);
@@ -1122,6 +1165,17 @@ initDefaultName();
         test_pass("cert piv test passed!\n");
 #endif
 
+#ifdef WOLF_CRYPTO_CB
+#ifdef HAVE_INTEL_QA_SYNC
+    wc_CryptoCb_UnRegisterDevice(devId);
+    IntelQaClose(&devQat);
+    IntelQaDeInit(devId);
+#endif
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
+    wc_CryptoCb_CleanupOcteon();
+#endif
+#endif
+
 #ifdef WOLFSSL_ASYNC_CRYPT
     wolfAsync_DevClose(&devId);
 #endif

From 54f0b1a44a3f592581c7479f5ed85e50d1695f52 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Mon, 14 Oct 2019 13:55:51 -0400
Subject: [PATCH 05/10] Sync QAT Fixes 1. The QAT callback's worker functions
 need to copy the IV into the AES IV register. QAT doesn't update it
 automatically. 2. Update the GMAC test to set its device to INVALID_DEVID. 3.
 Always allocate NUMA buffers before running crypto operation and store the
 results. 4. The QAT does not like non-multiple of 4 iv lenths, and aad
 lengths. Or 0. Remove a few test cases for those. 5. QAT wasn't getting a
 pointer to store the auth tag for GCM. Then store it.

---
 wolfcrypt/src/port/intel/quickassist_sync.c | 70 ++++++++++++++-------
 wolfcrypt/test/test.c                       | 12 +++-
 2 files changed, 56 insertions(+), 26 deletions(-)

diff --git a/wolfcrypt/src/port/intel/quickassist_sync.c b/wolfcrypt/src/port/intel/quickassist_sync.c
index 19a576000..c913b2870 100644
--- a/wolfcrypt/src/port/intel/quickassist_sync.c
+++ b/wolfcrypt/src/port/intel/quickassist_sync.c
@@ -743,7 +743,11 @@ static void IntelQaSymCipherFree(IntelQaDev* dev)
     dev->out = NULL;
     dev->outLen = 0;
 #ifndef NO_AES
-    dev->op.cipher.authTag = NULL;
+    if (dev->op.cipher.authTag != NULL) {
+        XMEMSET(dev->op.cipher.authTag, 0, dev->op.cipher.authTagSz);
+        XFREE(dev->op.cipher.authTag, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
+        dev->op.cipher.authTag = NULL;
+    }
     dev->op.cipher.authTagSz = 0;
 #endif
 }
@@ -772,7 +776,9 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
     Cpa32U metaSize = 0;
     Cpa8U* authInBuf = NULL;
     Cpa32U authInSzAligned = authInSz;
+    Cpa8U* authTagBuf = NULL;
     IntelQaSymCtx* ctx;
+    CpaBoolean verifyResult = CPA_FALSE;
 
     QLOG("IntelQaSymCipher: dev %p, out %p, in %p, inOutSz %d, op %d, "
             "algo %d, dir %d, hash %d\n",
@@ -806,19 +812,15 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
     bufferList = &dev->op.cipher.bufferList;
     flatBuffer = &dev->op.cipher.flatBuffer;
     metaBuf = XMALLOC(metaSize, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
-#ifndef WOLFSSL_SNIFFER
-    dataBuf = XREALLOC((byte*)in, dataLen, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
-    ivBuf = XREALLOC((byte*)iv, AES_BLOCK_SIZE, dev->heap,
-            DYNAMIC_TYPE_ASYNC_NUMA);
-#else
     dataBuf = XMALLOC(dataLen, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
     XMEMCPY(dataBuf, in, inOutSz);
     ivBuf = XMALLOC(AES_BLOCK_SIZE, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
     XMEMCPY(ivBuf, iv, ivSz);
-#endif
+    authTagBuf = XMALLOC(authTagSz, dev->heap, DYNAMIC_TYPE_ASYNC_NUMA);
 
     /* check allocations */
-    if (ivBuf == NULL || metaBuf == NULL || dataBuf == NULL) {
+    if (ivBuf == NULL || metaBuf == NULL || dataBuf == NULL ||
+        authTagBuf == NULL) {
         ret = MEMORY_E; goto exit;
     }
 
@@ -830,14 +832,9 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
                 (authInSzAligned % AES_BLOCK_SIZE);
         }
 
-#ifndef WOLFSSL_SNIFFER
-        authInBuf = XREALLOC((byte*)authIn, authInSzAligned, dev->heap,
-            DYNAMIC_TYPE_ASYNC_NUMA);
-#else
         authInBuf = XMALLOC(authInSzAligned, dev->heap,
                 DYNAMIC_TYPE_ASYNC_NUMA);
         XMEMCPY(authInBuf, authIn, authInSz);
-#endif
         if (authInBuf == NULL) {
             ret = MEMORY_E; goto exit;
         }
@@ -878,7 +875,10 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
         setup.hashSetupData.digestResultLenInBytes = authTagSz;
         setup.hashSetupData.authModeSetupData.aadLenInBytes = authInSz;
 
-        setup.digestIsAppended = CPA_TRUE;
+        if (cipherDirection == CPA_CY_SYM_CIPHER_DIRECTION_DECRYPT)
+            setup.digestIsAppended = CPA_TRUE;
+        else
+            setup.digestIsAppended = CPA_FALSE;
     }
 
     /* open session */
@@ -903,13 +903,19 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
             XMEMCPY(flatBuffer->pData + inOutSz, authTag, authTagSz);
         }
     }
+    else {
+        if (authTag && authTagSz > 0) {
+            XMEMCPY(authTagBuf, authTag, authTagSz);
+        }
+    }
 
     /* store info needed for output */
     dev->out = out;
     dev->outLen = inOutSz;
     if (cipherDirection == CPA_CY_SYM_CIPHER_DIRECTION_ENCRYPT) {
-        dev->op.cipher.authTag = authTag;
+        dev->op.cipher.authTag = authTagBuf;
         dev->op.cipher.authTagSz = authTagSz;
+        opData->pDigestResult = authTagBuf;
     }
     else {
         dev->op.cipher.authTag = NULL;
@@ -920,11 +926,16 @@ static int IntelQaSymCipher(IntelQaDev* dev, byte* out, const byte* in,
     /* perform symmetric AES operation async */
     /* use same buffer list for in-place operation */
     status = cpaCySymPerformOp(dev->handle, dev, opData,
-            bufferList, bufferList, NULL);
-
-    if (ret == WC_PENDING_E)
-        return ret;
+            bufferList, bufferList, &verifyResult);
 
+    if (symOperation == CPA_CY_SYM_OP_ALGORITHM_CHAINING &&
+        cipherAlgorithm == CPA_CY_SYM_CIPHER_AES_GCM &&
+        cipherDirection == CPA_CY_SYM_CIPHER_DIRECTION_DECRYPT &&
+        hashAlgorithm == CPA_CY_SYM_HASH_AES_GCM) {
+        if (verifyResult == CPA_FALSE) {
+            ret = AES_GCM_AUTH_E;
+        }
+    }
 exit:
 
     if (ret != 0) {
@@ -932,10 +943,13 @@ exit:
             dev, status, ret);
     }
 
-#ifdef WOLFSSL_SNIFFER
     /* Capture the inline decrypt into the output. */
     XMEMCPY(out, dataBuf, inOutSz);
-#endif
+    if (cipherDirection == CPA_CY_SYM_CIPHER_DIRECTION_ENCRYPT) {
+        if (authTag != NULL && authTagSz > 0) {
+            XMEMCPY(authTag, authTagBuf, authTagSz);
+        }
+    }
 
     /* handle cleanup */
     IntelQaSymCipherFree(dev);
@@ -949,11 +963,14 @@ int IntelQaSymAesCbcEncrypt(IntelQaDev* dev,
             const byte* key, word32 keySz,
             const byte* iv, word32 ivSz)
 {
-    return IntelQaSymCipher(dev, out, in, sz,
+    int ret = IntelQaSymCipher(dev, out, in, sz,
         key, keySz, iv, ivSz,
         CPA_CY_SYM_OP_CIPHER, CPA_CY_SYM_CIPHER_AES_CBC,
         CPA_CY_SYM_CIPHER_DIRECTION_ENCRYPT,
         CPA_CY_SYM_HASH_NONE, NULL, 0, NULL, 0);
+
+    XMEMCPY((byte*)iv, out + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    return ret;
 }
 
 #ifdef HAVE_AES_DECRYPT
@@ -962,11 +979,18 @@ int IntelQaSymAesCbcDecrypt(IntelQaDev* dev,
             const byte* key, word32 keySz,
             const byte* iv, word32 ivSz)
 {
-    return IntelQaSymCipher(dev, out, in, sz,
+    byte nextIv[AES_BLOCK_SIZE];
+    int ret;
+
+    XMEMCPY(nextIv, in + sz - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+    ret = IntelQaSymCipher(dev, out, in, sz,
         key, keySz, iv, ivSz,
         CPA_CY_SYM_OP_CIPHER, CPA_CY_SYM_CIPHER_AES_CBC,
         CPA_CY_SYM_CIPHER_DIRECTION_DECRYPT,
         CPA_CY_SYM_HASH_NONE, NULL, 0, NULL, 0);
+
+    XMEMCPY((byte*)iv, nextIv, AES_BLOCK_SIZE);
+    return ret;
 }
 #endif /* HAVE_AES_DECRYPT */
 #endif /* HAVE_AES_CBC */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 04de111b9..87f6538d9 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -890,7 +890,8 @@ initDefaultName();
     if ( (ret = aesgcm_test()) != 0)
         return err_sys("AES-GCM  test failed!\n", ret);
     #endif
-    #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
+    #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
+        !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
     if ((ret = aesgcm_default_test()) != 0) {
         return err_sys("AES-GCM  test failed!\n", ret);
     }
@@ -7390,7 +7391,8 @@ int aesgcm_test(void)
 #if !defined(HAVE_FIPS) && \
         !defined(WOLFSSL_PIC32MZ_CRYPT) && \
         !defined(FREESCALE_LTC) && !defined(FREESCALE_MMCAU) && \
-        !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES)
+        !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
+        !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
 
     #define ENABLE_NON_12BYTE_IV_TEST
 #ifdef WOLFSSL_AES_192
@@ -7596,6 +7598,7 @@ int aesgcm_test(void)
     }
 #endif
 
+#if !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
     /* Variable authenticated data length test */
     for (alen=0; alen<(int)sizeof(p); alen++) {
          /* AES-GCM encrypt and decrypt both use AES encrypt internally */
@@ -7616,6 +7619,7 @@ int aesgcm_test(void)
             return -5713;
 #endif /* HAVE_AES_DECRYPT */
     }
+#endif
 
 #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT)
 #ifdef BENCH_AESGCM_LARGE
@@ -7734,7 +7738,8 @@ int aesgcm_test(void)
 #endif /* ENABLE_NON_12BYTE_IV_TEST */
 
 #if defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
-    !defined(WOLFSSL_XILINX_CRYPT)
+    !defined(WOLFSSL_XILINX_CRYPT) && \
+    !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
     XMEMSET(resultT, 0, sizeof(resultT));
     XMEMSET(resultC, 0, sizeof(resultC));
     XMEMSET(resultP, 0, sizeof(resultP));
@@ -7895,6 +7900,7 @@ int gmac_test(void)
     byte tag[16];
 
     XMEMSET(&gmac, 0, sizeof(Gmac)); /* clear context */
+    wc_AesInit((Aes*)&gmac, HEAP_HINT, INVALID_DEVID); /* Make sure devId updated */
     XMEMSET(tag, 0, sizeof(tag));
     wc_GmacSetKey(&gmac, k1, sizeof(k1));
     wc_GmacUpdate(&gmac, iv1, sizeof(iv1), a1, sizeof(a1), tag, sizeof(t1));

From b0dafbcd1b16e00651edb4741ef9a8070320fe2c Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Mon, 14 Oct 2019 16:55:24 -0700
Subject: [PATCH 06/10] Sync Octeon Sniffer Added back some changes from a
 dropped commit. 1. The Octeon README should be a stub. 2. Changed the license
 notice in the octeon sync files back to GPLv2. 3. Added a flag to Aes that
 needed a build guard around it. 4. Replaced the disable for sniffer session
 stats.

---
 wolfcrypt/src/port/cavium/README_Octeon.md    | 151 +-----------------
 .../src/port/cavium/cavium_octeon_sync.c      |   4 +-
 wolfssl/wolfcrypt/aes.h                       |   2 +
 .../port/cavium/cavium_octeon_sync.h          |   4 +-
 4 files changed, 8 insertions(+), 153 deletions(-)

diff --git a/wolfcrypt/src/port/cavium/README_Octeon.md b/wolfcrypt/src/port/cavium/README_Octeon.md
index 093e675c1..b2670d02e 100644
--- a/wolfcrypt/src/port/cavium/README_Octeon.md
+++ b/wolfcrypt/src/port/cavium/README_Octeon.md
@@ -1,150 +1,3 @@
-# Octeon III
+# Cavium Octeon III CN7300
 
-Guide for setting up wolfSSL on the Octeon III CN7300
-
-## Octeon SDK
-
-```sh
-sudo yum install libuuid-devel
-sudo yum install perl-Env
-
-sudo rpm -i OCTEON-SDK-5.1.0-609.x86_64.rpm
-```
-
-The OCTEON-SDK package has been successfully installed under the
-/usr/local/Cavium_Networks directory.
-
-The installation requires the OCTEON_MODEL environment variable
-to be set. To set this environment variable, cd to the
-/usr/local/Cavium_Networks/OCTEON-SDK directory, and invoke
-
-	  source env-setup <OCTEON_MODEL>
-
-script. Valid OCTEON_MODELs are listed in octeon-models.txt file
-under OCTEON-SDK directory.
-
-You may want to copy the OCTEON-SDK package to your home directory to allow
-modification without root privileges.
-
-For more information please refer to the online SDK documentation:
-file:///usr/local/Cavium_Networks/OCTEON-SDK/docs/html/index.html
-
-```sh
-sudo rpm -i OCTEON-CRYPTO-CORE-5.1.0-01.x86_64.rpm
-```
-
-The OCTEON-CRYPTO-CORE is installed under
-/usr/local/Cavium_Networks/OCTEON-SDK/components/crypto-api/core directory.
-This package installs the following sources.
-   * Crypto-Core API Sources
-   * Sample Crypto-Core Test Applications
-
-Please refer to following documentation under
-/usr/local/Cavium_Networks/OCTEON-SDK/components/crypto-api/core directory
-   * README.txt        - contains build instructions and other details
-   * Release_Notes.txt - contains change history
-
-```sh
-sudo rpm -i OCTEON-LINUX-5.1.0-609.x86_64.rpm
-```
-
-The Linux Kernel has been successfully installed under the directory
-/usr/local/Cavium_Networks/OCTEON-SDK/linux
-
-Please refer to file:///usr/local/Cavium_Networks/OCTEON-SDK/docs/html/linux.html
-on how to use Linux on the OCTEON.
-
-
-Final Setup:
-
-```sh
-cp -r /usr/local/Cavium_Networks/OCTEON-SDK/ ~
-cd OCTEON-SDK
-source env-setup OCTEON_CN73XX
-
-cd examples
-make
-```
-
-Note: You must run `source env-setup OCTEON_CN73XX` anytime a new shell is opened to setup the build environment.
-
-## Building Linux (Busybox)
-
-```sh
-cd $OCTEON_ROOT/linux
-make clean
-cd embedded_rootfs
-make menuconfig
-cd ..
-make kernel
-make strip
-
-cp ./kernel/linux/vmlinux.64 /run/media/dgarske/9016-4EF8/
-```
-
-```
-telnet 192.168.0.114 9761
-
-fatls mmc 0
-fatload mmc 0 $(loadaddr) vmlinux.64
-bootoctlinux $(loadaddr) coremask=0x1 root=/dev/sda2 mem=0
-```
-
-Shortcut macro from U-Boot:
-
-```
-linux_mmc=fatload mmc 0 $(loadaddr) vmlinux.64;bootoctlinux $(loadaddr) coremask=0xffff root=/dev/sda2 mem=0
-run linux_mmc
-```
-
-## Building Linux Debian
-
-```sh
-cd linux
-make kernel-deb
-cd debian
-sudo -E make DISK=/dev/sdc compact-flash
-```
-modprobe octeon-ethernet
-
-
-## wolfSSL Building for Octeon
-
-```sh
-cd examples
-ln -s ../../wolfssl wolfssl
-cd wolfssl
-./autogen.sh
-./configure --host=mips64 CC="mips64-octeon-linux-gnu-gcc -mabi=64" --with-octeon=/home/dgarske/OCTEON-SDK --enable-des3 --enable-cryptocb CFLAGS="-DWOLFSSL_AES_DIRECT"
-make
-
-```
-
-Installing to USB media for use on Octeon Board:
-
-```sh
-cp -r src /run/media/dgarske/OCTEON/
-cp -r wolfcrypt/ /run/media/dgarske/OCTEON/
-cp -r wolfssl /run/media/dgarske/OCTEON/
-cp -r certs /run/media/dgarske/OCTEON/
-```
-
-
-## Remote Access
-
-### UART and Telnet
-
-Device ID (MAC):
-EBB7304_DEFAULT	D8-80-39-7D-6D-0B
-
-Telnet Ports:
-telnet 192.168.0.114 9760
-telnet 192.168.0.114 9761
-
-Setting Date:
-date 070216502019
-
-
-## Support
-
-For questions please email wolfSSL at support@wolfssl.com
+Please contact wolfSSL at info@wolfssl.com to request an evaluation.
diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index 3b4f1fbd3..efe2ffdb3 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -1,4 +1,4 @@
-/* cavium_octeon.c
+/* cavium_octeon_sync.c
  *
  * Copyright(C) 2006-2019 wolfSSL Inc.
  *
@@ -6,7 +6,7 @@
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  *(at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index fa8eb8186..3aef9dc6c 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -200,8 +200,10 @@ struct Aes {
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))) || \
     (defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES))
     word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+#ifdef HAVE_CAVIUM_OCTEON_SYNC
     int    keySet;
 #endif
+#endif
 #if defined(WOLFSSL_DEVCRYPTO) && \
     (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
     WC_CRYPTODEV ctx;
diff --git a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
index af0816898..1ab8d8ef5 100644
--- a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
+++ b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
@@ -1,4 +1,4 @@
-/* cavium_octeon.h
+/* cavium_octeon_sync.h
  *
  * Copyright (C) 2006-2019 wolfSSL Inc.
  *
@@ -6,7 +6,7 @@
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
+ * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,

From 1ad23334bf93f5d6bab8d4178620c5be6ec64328 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 17 Oct 2019 14:49:22 -0700
Subject: [PATCH 07/10] Sync Sniffer API Cleanup 1. Switched the IntelQa sync
 API back to local. 2. Added two functions to setup and cleanup the IntelQA
 device. 3. Changed the Octeon functions to match the IntelQa functions. 4.
 Updated sniffer, wolfcryptest, and benchmark.

---
 src/sniffer.c                                 | 37 +++-----------
 wolfcrypt/benchmark/benchmark.c               | 36 +++-----------
 .../src/port/cavium/cavium_octeon_sync.c      | 39 ++++++++++-----
 wolfcrypt/src/port/intel/quickassist_sync.c   | 49 +++++++++++++++++++
 wolfcrypt/test/test.c                         | 36 +++-----------
 .../port/cavium/cavium_octeon_sync.h          | 29 ++++++-----
 .../wolfcrypt/port/intel/quickassist_sync.h   | 36 ++++++++------
 7 files changed, 138 insertions(+), 124 deletions(-)

diff --git a/src/sniffer.c b/src/sniffer.c
index 7741c3f63..c25e43413 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -507,34 +507,15 @@ void ssl_InitSniffer(void)
 #endif
 #ifdef WOLF_CRYPTO_CB
     #ifdef HAVE_INTEL_QA_SYNC
-    {
-        int rc;
-        CryptoDeviceId = IntelQaInit(NULL);
-        if (CryptoDeviceId == INVALID_DEVID) {
-            printf("Couldn't init the Intel QA\n");
-        }
-        rc = IntelQaOpen(&CryptoDevice, CryptoDeviceId);
-        if (rc != 0) {
-            printf("Couldn't open the device\n");
-        }
-        rc = wc_CryptoCb_RegisterDevice(CryptoDeviceId,
-                IntelQaSymSync_CryptoDevCb, &CryptoDevice);
-        if (rc != 0) {
-            printf("Couldn't register the device\n");
-        }
+    CryptoDeviceId = wc_CryptoCb_InitIntelQa(&CryptoDevice);
+    if (INVALID_DEVID == CryptoDeviceId) {
+        printf("Couldn't init the Intel QA\n");
     }
     #endif
     #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    {
-        CryptoDeviceId = wc_CryptoCb_GetDevIdOcteon();
-        if (CryptoDeviceId == INVALID_DEVID) {
-            printf("Couldn't get the Octeon device ID\n");
-        }
-        if (wc_CryptoCb_InitOcteon() != 0) {
-            printf("Couldn't init the Cavium Octeon\n");
-            CryptoDeviceId = INVALID_DEVID;
-        }
-    }
+    CryptoDeviceId = wc_CryptoCb_InitOcteon(NULL);
+    if (INVALID_DEVID == CryptoDeviceId) {
+        printf("Couldn't init the Intel QA\n");
     #endif
 #endif
 }
@@ -667,12 +648,10 @@ void ssl_FreeSniffer(void)
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_UnRegisterDevice(CryptoDeviceId);
-    IntelQaClose(&CryptoDevice);
-    IntelQaDeInit(CryptoDeviceId);
+    wc_CryptoCb_CleanupIntelQa(&CryptoDeviceId, &CryptoDevice);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon();
+    wc_CryptoCb_CleanupOcteon(&CryptoDeviceId, NULL);
 #endif
 #endif
 
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index 58a3f2391..cac7e7235 100755
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -1304,33 +1304,15 @@ static void* benchmarks_do(void* args)
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    {
-        int rc;
-        devId = IntelQaInit(NULL);
-        if (devId == INVALID_DEVID) {
-            printf("Couldn't init the Intel QA\n");
-        }
-        rc = IntelQaOpen(&devQat, devId);
-        if (rc != 0) {
-            printf("Couldn't open the device\n");
-        }
-        rc = wc_CryptoCb_RegisterDevice(devId,
-                IntelQaSymSync_CryptoDevCb, &devQat);
-        if (rc != 0) {
-            printf("Couldn't register the device\n");
-        }
+    devId = wc_CryptoCb_InitIntelQa(&devQat);
+    if (devId == INVALID_DEVID) {
+        printf("Couldn't init the Intel QA\n");
     }
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    {
-        devId = wc_CryptoCb_GetDevIdOcteon();
-        if (devId == INVALID_DEVID) {
-            printf("Couldn't get the Octeon device ID\n");
-        }
-        if (wc_CryptoCb_InitOcteon() != 0) {
-            printf("Couldn't init the Cavium Octeon\n");
-            devId = INVALID_DEVID;
-        }
+    devId = wc_CryptoCb_InitOcteon(NULL);
+    if (devId == INVALID_DEVID) {
+        printf("Couldn't get the Octeon device ID\n");
     }
 #endif
 #endif
@@ -1827,12 +1809,10 @@ exit:
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_UnRegisterDevice(devId);
-    IntelQaClose(&devQat);
-    IntelQaDeInit(devId);
+    wc_CryptoCb_CleanupIntelQa(&devId, &devQat);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon();
+    wc_CryptoCb_CleanupOcteon(&devId, NULL);
 #endif
 #endif
 
diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index efe2ffdb3..a287f4345 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -646,8 +646,8 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
             CVMX_MT_GFM_XORMUL1(pOut[1]);
         }
         else {
-            CVMX_MT_GFM_XOR0(pOut[0]);
-            CVMX_MT_GFM_XORMUL1(pOut[1]);
+            CVMX_MT_GFM_XOR0(pIn[0]);
+            CVMX_MT_GFM_XORMUL1(pIn[1]);
             pOut[0] ^= pIn[0];
             pOut[1] ^= pIn[1];
         }
@@ -657,9 +657,15 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
     }
 
     if (remainder > 0) {
+        ALIGN16 byte aesBlockMask[AES_BLOCK_SIZE];
+        word64* pMask = (word64*)aesBlockMask;
+
         XMEMSET(aesBlockOut, 0, sizeof(aesBlockOut));
-        for (i = 0; i < remainder; i++)
+        XMEMSET(aesBlockMask, 0, sizeof(aesBlockMask));
+        for (i = 0; i < remainder; i++) {
             aesBlockIn[i] = in[i];
+            aesBlockMask[i] = 0xFF;
+        }
 
         if (encrypt) {
             CVMX_MF_AES_RESULT(pOut[0], 0);
@@ -668,6 +674,9 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
             pOut[0] ^= pIn[0];
             pOut[1] ^= pIn[1];
 
+            pOut[0] &= pMask[0];
+            pOut[1] &= pMask[1];
+
             CVMX_MT_GFM_XOR0(pOut[0]);
             CVMX_MT_GFM_XORMUL1(pOut[1]);
         }
@@ -680,6 +689,9 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
 
             pOut[0] ^= pIn[0];
             pOut[1] ^= pIn[1];
+
+            pOut[0] &= pMask[0];
+            pOut[1] &= pMask[1];
         }
 
         for (i = 0; i < remainder; i++)
@@ -881,21 +893,24 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
     return ret;
 }
 
-int wc_CryptoCb_InitOcteon(void)
+int wc_CryptoCb_InitOcteon(void* unused)
 {
-    return wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, NULL);
-}
+    (void)unused;
 
-void wc_CryptoCb_CleanupOcteon(void)
-{
-    wc_CryptoCb_UnRegisterDevice(devId);
-}
+    if (wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, NULL) < 0) {
+        return INVALID_DEVID;
+    }
 
-int wc_CryptoCb_GetDevIdOcteon(void)
-{
     return devId;
 }
 
+void wc_CryptoCb_CleanupOcteon(int* id, void* unused)
+{
+    (void)unused;
+    wc_CryptoCb_UnRegisterDevice(*id);
+    *id = INVALID_DEVID;
+}
+
 #endif /* WOLF_CRYPTO_CB */
 
 
diff --git a/wolfcrypt/src/port/intel/quickassist_sync.c b/wolfcrypt/src/port/intel/quickassist_sync.c
index c913b2870..1b4679996 100644
--- a/wolfcrypt/src/port/intel/quickassist_sync.c
+++ b/wolfcrypt/src/port/intel/quickassist_sync.c
@@ -1167,6 +1167,55 @@ int IntelQaSymSync_CryptoDevCb(int devId, struct wc_CryptoInfo* info, void* ctx)
     return rc;
 }
 
+/* -------------------------------------------------------------------------- */
+/* Public API                                                                 */
+/* -------------------------------------------------------------------------- */
+
+int wc_CryptoCb_InitIntelQa(void* dev)
+{
+    IntelQaDev* qaDev = (IntelQaDev*)dev;
+    int devId, rc;
+
+    devId = IntelQaInit(NULL);
+    if (devId < 0) {
+        QLOG("Couldn't init the Intel QA\n");
+        devId = INVALID_DEVID;
+    }
+    else {
+        rc = IntelQaOpen(qaDev, devId);
+        if (rc != 0) {
+            QLOG("Couldn't open the device\n");
+            IntelQaDeInit(devId);
+            devId = INVALID_DEVID;
+        }
+        else {
+            rc = wc_CryptoCb_RegisterDevice(devId,
+                    IntelQaSymSync_CryptoDevCb, qaDev);
+            if (rc != 0) {
+                QLOG("Couldn't register the device\n");
+                IntelQaClose(qaDev);
+                IntelQaDeInit(devId);
+                devId = INVALID_DEVID;
+            }
+        }
+    }
+
+    return devId;
+}
+
+
+void wc_CryptoCb_CleanupIntelQa(int* id, void* dev)
+{
+    IntelQaDev* qaDev = (IntelQaDev*)dev;
+
+    if (INVALID_DEVID != *id) {
+        wc_CryptoCb_UnRegisterDevice(*id);
+        IntelQaClose(qaDev);
+        IntelQaDeInit(*id);
+        *id = INVALID_DEVID;
+    }
+}
+
 #endif /* WOLF_CRYPTO_CB */
 
 
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 87f6538d9..8973eb909 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -572,33 +572,15 @@ initDefaultName();
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    {
-        int rc;
-        devId = IntelQaInit(NULL);
-        if (devId == INVALID_DEVID) {
-            printf("Couldn't init the Intel QA\n");
-        }
-        rc = IntelQaOpen(&devQat, devId);
-        if (rc != 0) {
-            printf("Couldn't open the device\n");
-        }
-        rc = wc_CryptoCb_RegisterDevice(devId,
-                IntelQaSymSync_CryptoDevCb, &devQat);
-        if (rc != 0) {
-            printf("Couldn't register the device\n");
-        }
+    devId = wc_CryptoCb_InitIntelQa(&devQat);
+    if (INVALID_DEVID == devId) {
+        printf("Couldn't init the Intel QA\n");
     }
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    {
-        devId = wc_CryptoCb_GetDevIdOcteon();
-        if (devId == INVALID_DEVID) {
-            printf("Couldn't get the Octeon device ID\n");
-        }
-        if (wc_CryptoCb_InitOcteon() != 0) {
-            printf("Couldn't init the Cavium Octeon\n");
-            devId = INVALID_DEVID;
-        }
+    devId = wc_CryptoCb_InitOcteon(NULL);
+    if (INVALID_DEVID == devId) {
+        printf("Couldn't init the Cavium Octeon\n");
     }
 #endif
 #endif
@@ -1168,12 +1150,10 @@ initDefaultName();
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_UnRegisterDevice(devId);
-    IntelQaClose(&devQat);
-    IntelQaDeInit(devId);
+    wc_CryptoCb_CleanupIntelQa(&devId, &devQat);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon();
+    wc_CryptoCb_CleanupOcteon(&devId, NULL);
 #endif
 #endif
 
diff --git a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
index 1ab8d8ef5..0da957ccb 100644
--- a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
+++ b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
@@ -42,34 +42,41 @@
 
 
 #ifdef WOLF_CRYPTO_CB
-int wc_CryptoCb_InitOcteon(void);
-void wc_CryptoCb_CleanupOcteon(void);
-int wc_CryptoCb_GetDevIdOcteon(void);
+WOLFSSL_API int wc_CryptoCb_InitOcteon(void* unused);
+WOLFSSL_API void wc_CryptoCb_CleanupOcteon(int* id, void* unused);
 #endif /* WOLF_CRYPTO_CB */
 
 
 #ifndef NO_DES3
-int Octeon_Des3_CbcEncrypt(Des3 *key, uint64_t *inp64, uint64_t *outp64, size_t inl);
-int Octeon_Des3_CbcDecrypt(Des3 *key, uint64_t *inp64, uint64_t *outp64, size_t inl);
+WOLFSSL_LOCAL int Octeon_Des3_CbcEncrypt(Des3 *key,
+        uint64_t *inp64, uint64_t *outp64, size_t inl);
+WOLFSSL_LOCAL int Octeon_Des3_CbcDecrypt(Des3 *key,
+        uint64_t *inp64, uint64_t *outp64, size_t inl);
 #endif /* !NO_DES3 */
 
 
 #ifndef NO_AES
 
 #ifdef WOLFSSL_AES_DIRECT
-int Octeon_AesEcb_Encrypt(Aes *aes, const unsigned char *in, unsigned char *out);
-int Octeon_AesEcb_Decrypt(Aes *aes, const unsigned char *in, unsigned char *out);
+WOLFSSL_LOCAL int Octeon_AesEcb_Encrypt(Aes *aes,
+        const unsigned char *in, unsigned char *out);
+WOLFSSL_LOCAL int Octeon_AesEcb_Decrypt(Aes *aes,
+        const unsigned char *in, unsigned char *out);
 #endif
 
 #ifdef HAVE_AES_CBC
-int Octeon_AesCbc_Encrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl);
-int Octeon_AesCbc_Decrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl);
+WOLFSSL_LOCAL int Octeon_AesCbc_Encrypt(Aes *aes,
+        uint64_t *inp64, uint64_t *outp64, size_t inl);
+WOLFSSL_LOCAL int Octeon_AesCbc_Decrypt(Aes *aes,
+        uint64_t *inp64, uint64_t *outp64, size_t inl);
 #endif
 
 #ifdef HAVE_AESGCM
-int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+WOLFSSL_LOCAL int Octeon_AesGcm_Encrypt(Aes* aes,
+        byte* in, byte* out, word32 inSz,
         byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
-int Octeon_AesGcm_Decrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+WOLFSSL_LOCAL int Octeon_AesGcm_Decrypt(Aes* aes,
+        byte* in, byte* out, word32 inSz,
         byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
 #endif /* HAVE_AESGCM */
 
diff --git a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
index 6a03ced37..ed591bb0d 100644
--- a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
+++ b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
@@ -154,17 +154,21 @@ typedef struct IntelQaDev {
 } IntelQaDev;
 
 
+WOLFSSL_API int wc_CryptoCb_InitIntelQa(void* dev);
+WOLFSSL_API void wc_CryptoCb_CleanupIntelQa(int* id, void* dev);
+
+
 /* Interface */
-WOLFSSL_API int IntelQaHardwareStart(const char*, int);
-WOLFSSL_API void IntelQaHardwareStop(void);
-WOLFSSL_API int IntelQaInit(void*);
-WOLFSSL_API void IntelQaDeInit(int);
-WOLFSSL_API int IntelQaNumInstances(void);
-WOLFSSL_API int IntelQaOpen(IntelQaDev*, int);
-WOLFSSL_API void IntelQaClose(IntelQaDev*);
-WOLFSSL_API int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
-WOLFSSL_API int IntelQaPoll(IntelQaDev*);
-WOLFSSL_API int IntelQaGetCyInstanceCount(void);
+WOLFSSL_LOCAL int IntelQaHardwareStart(const char*, int);
+WOLFSSL_LOCAL void IntelQaHardwareStop(void);
+WOLFSSL_LOCAL int IntelQaInit(void*);
+WOLFSSL_LOCAL void IntelQaDeInit(int);
+WOLFSSL_LOCAL int IntelQaNumInstances(void);
+WOLFSSL_LOCAL int IntelQaOpen(IntelQaDev*, int);
+WOLFSSL_LOCAL void IntelQaClose(IntelQaDev*);
+WOLFSSL_LOCAL int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
+WOLFSSL_LOCAL int IntelQaPoll(IntelQaDev*);
+WOLFSSL_LOCAL int IntelQaGetCyInstanceCount(void);
 
 #ifndef NO_AES
     #ifdef HAVE_AES_CBC
@@ -196,30 +200,30 @@ WOLFSSL_API int IntelQaGetCyInstanceCount(void);
 #endif /*! NO_DES3 */
 
 #ifdef WOLF_CRYPTO_CB
-    WOLFSSL_API int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
+    WOLFSSL_LOCAL int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
 			void*);
 #endif /* WOLF_CRYPTO_CB */
 
 
 #ifdef WOLFSSL_TRACK_MEMORY
-    WOLFSSL_API int InitMemoryTracker(void);
-    WOLFSSL_API void ShowMemoryTracker(void);
+    WOLFSSL_LOCAL int InitMemoryTracker(void);
+    WOLFSSL_LOCAL void ShowMemoryTracker(void);
 #endif
 
 
-WOLFSSL_API void* IntelQaMalloc(size_t size, void* heap, int type
+WOLFSSL_LOCAL void* IntelQaMalloc(size_t size, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
 );
 
-WOLFSSL_API void IntelQaFree(void *ptr, void* heap, int type
+WOLFSSL_LOCAL void IntelQaFree(void *ptr, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
 );
 
-WOLFSSL_API void* IntelQaRealloc(void *ptr, size_t size, void* heap, int type
+WOLFSSL_LOCAL void* IntelQaRealloc(void *ptr, size_t size, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif

From b8f4b1a712f4737075a640289b1d64d36b4f5e75 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Tue, 22 Oct 2019 16:26:35 -0700
Subject: [PATCH 08/10] QAT Header Hiding For the sync QAT, the QAT headers are
 included into the library after it has been built and is being used. The
 actual headers should only be used when building wolfSSL and should be hidden
 from the user. 1. Most of the functions in the sync QAT and OCTEON headers
 don't need to be exported. Move all of that into the source files. Only
 export the init and deinit functions. 2. Remove inline from the OCTEON
 support functions. 3. Remove the AES-ECB files for sync OCTEON as unused. 4.
 Configure defaults to OCTEON2 build, can be overridden with variable.

---
 configure.ac                                  |   3 +-
 src/sniffer.c                                 |  15 +-
 wolfcrypt/benchmark/benchmark.c               |  12 +-
 .../src/port/cavium/cavium_octeon_sync.c      | 196 +++--------------
 wolfcrypt/src/port/intel/quickassist_sync.c   | 194 +++++++++++++++--
 wolfcrypt/src/wc_port.c                       |   8 -
 wolfcrypt/test/test.c                         |  12 +-
 .../port/cavium/cavium_octeon_sync.h          |  59 +-----
 .../wolfcrypt/port/intel/quickassist_sync.h   | 198 +-----------------
 wolfssl/wolfcrypt/types.h                     |  32 ++-
 10 files changed, 262 insertions(+), 467 deletions(-)

diff --git a/configure.ac b/configure.ac
index 33fb74625..91c3ab1e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3884,6 +3884,7 @@ AC_ARG_WITH([cavium-v],
 
 # Cavium Octeon
 OCTEON_ROOT=""
+: ${OCTEON_OBJ="obj-octeon2"}
 
 AC_ARG_WITH([octeon-sync],
     [AS_HELP_STRING([--with-octeon-sync=PATH],[PATH to Cavium Octeon SDK dir (sync)])],
@@ -3903,7 +3904,7 @@ AC_ARG_WITH([octeon-sync],
 
         #-I$OCTEON_ROOT/target/include 
         LDFLAGS="$LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
-        LIBS="$LIBS $OCTEON_ROOT/executive/obj-octeon3/libcvmx.a $OCTEON_ROOT/executive/obj-octeon3/libfdt.a"
+        LIBS="$LIBS $OCTEON_ROOT/executive/$OCTEON_OBJ/libcvmx.a $OCTEON_ROOT/executive/$OCTEON_OBJ/libfdt.a"
 
         enable_shared=no
         enable_static=yes
diff --git a/src/sniffer.c b/src/sniffer.c
index c25e43413..f25f30b71 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -488,9 +488,6 @@ static void UpdateMissedDataSessions(void)
 
 #ifdef WOLF_CRYPTO_CB
     static int CryptoDeviceId = INVALID_DEVID;
-    #ifdef HAVE_INTEL_QA_SYNC
-        static IntelQaDev CryptoDevice;
-    #endif
 #endif
 
 
@@ -507,13 +504,13 @@ void ssl_InitSniffer(void)
 #endif
 #ifdef WOLF_CRYPTO_CB
     #ifdef HAVE_INTEL_QA_SYNC
-    CryptoDeviceId = wc_CryptoCb_InitIntelQa(&CryptoDevice);
+    CryptoDeviceId = wc_CryptoCb_InitIntelQa();
     if (INVALID_DEVID == CryptoDeviceId) {
         printf("Couldn't init the Intel QA\n");
     }
     #endif
     #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    CryptoDeviceId = wc_CryptoCb_InitOcteon(NULL);
+    CryptoDeviceId = wc_CryptoCb_InitOcteon();
     if (INVALID_DEVID == CryptoDeviceId) {
         printf("Couldn't init the Intel QA\n");
     #endif
@@ -648,10 +645,10 @@ void ssl_FreeSniffer(void)
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_CleanupIntelQa(&CryptoDeviceId, &CryptoDevice);
+    wc_CryptoCb_CleanupIntelQa(&CryptoDeviceId);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon(&CryptoDeviceId, NULL);
+    wc_CryptoCb_CleanupOcteon(&CryptoDeviceId);
 #endif
 #endif
 
@@ -1454,8 +1451,8 @@ static int CreateWatchSnifferServer(char* error)
         return -1;
     }
 #ifdef WOLF_CRYPTO_CB
-    if (CryptoDevId != INVALID_DEVID)
-	    wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDevId);
+    if (CryptoDeviceId != INVALID_DEVID)
+	    wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDeviceId);
 #endif
     ServerList = sniffer;
 
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index cac7e7235..af3da627c 100755
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -693,10 +693,6 @@ static const char* bench_result_words2[][5] = {
 /* Asynchronous helper macros */
 static THREAD_LS_T int devId = INVALID_DEVID;
 
-#if defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC)
-    static THREAD_LS_T IntelQaDev devQat;
-#endif
-
 #ifdef WOLFSSL_ASYNC_CRYPT
     static WOLF_EVENT_QUEUE eventQueue;
 
@@ -1304,13 +1300,13 @@ static void* benchmarks_do(void* args)
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    devId = wc_CryptoCb_InitIntelQa(&devQat);
+    devId = wc_CryptoCb_InitIntelQa();
     if (devId == INVALID_DEVID) {
         printf("Couldn't init the Intel QA\n");
     }
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    devId = wc_CryptoCb_InitOcteon(NULL);
+    devId = wc_CryptoCb_InitOcteon();
     if (devId == INVALID_DEVID) {
         printf("Couldn't get the Octeon device ID\n");
     }
@@ -1809,10 +1805,10 @@ exit:
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_CleanupIntelQa(&devId, &devQat);
+    wc_CryptoCb_CleanupIntelQa(&devId);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon(&devId, NULL);
+    wc_CryptoCb_CleanupOcteon(&devId);
 #endif
 #endif
 
diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index a287f4345..38aec4455 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -36,11 +36,28 @@
 #define NO_MAIN_DRIVER
 
 #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "cvmx.h"
+#include "cvmx-asm.h"
+#include "cvmx-key.h"
+#include "cvmx-swap.h"
+
+#ifndef NO_DES3
+    #include <wolfssl/wolfcrypt/des3.h>
+#endif
+#ifndef NO_AES
+    #include <wolfssl/wolfcrypt/aes.h>
+#endif
+
 
 static int devId = 1234;
 
 #ifndef NO_DES3
-int Octeon_Des3_CbcEncrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t inl)
+static int Octeon_Des3_CbcEncrypt(Des3* des3,
+        uint64_t *inp64, uint64_t *outp64, size_t inl)
 {
     register uint64_t i0, r0;
     uint64_t *key, *iv;
@@ -115,7 +132,8 @@ int Octeon_Des3_CbcEncrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t
     return 0;
 }
 
-int Octeon_Des3_CbcDecrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t inl)
+static int Octeon_Des3_CbcDecrypt(Des3* des3,
+        uint64_t *inp64, uint64_t *outp64, size_t inl)
 {
     register uint64_t i0, r0;
     uint64_t *key, *iv;
@@ -197,63 +215,9 @@ int Octeon_Des3_CbcDecrypt(Des3* des3, uint64_t *inp64, uint64_t *outp64, size_t
 
 #ifndef NO_AES
 
-#ifdef WOLFSSL_AES_DIRECT
-/* Perform Single Block ECB Encrypt */
-int Octeon_AesEcb_Encrypt(Aes* aes, const unsigned char *in, unsigned char *out)
-{
-    uint64_t *in64, *out64, *key;
-
-    if (aes == NULL || in == NULL || out == NULL) {
-        return BAD_FUNC_ARG;
-    }
-
-    key = (uint64_t*)aes->devKey;
-    CVMX_MT_AES_KEY(key[0], 0);
-    CVMX_MT_AES_KEY(key[1], 1);
-    CVMX_MT_AES_KEY(key[2], 2);
-    CVMX_MT_AES_KEY(key[3], 3);
-    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
-
-    in64 = (uint64_t*)in;
-    out64 = (uint64_t*)out;
-
-    CVMX_MT_AES_ENC0(in64[0]);
-    CVMX_MT_AES_ENC1(in64[1]);
-    CVMX_MF_AES_RESULT(out64[0],0);
-    CVMX_MF_AES_RESULT(out64[1],1);
-
-    return 0;
-}
-
-/* Perform Single Block ECB Decrypt */
-int Octeon_AesEcb_Decrypt(Aes* aes, const unsigned char *in, unsigned char *out)
-{
-    uint64_t *in64, *out64, *key;
-
-    if (aes == NULL || in == NULL || out == NULL) {
-        return BAD_FUNC_ARG;
-    }
-
-    key = (uint64_t*)aes->devKey;
-    CVMX_MT_AES_KEY(key[0], 0);
-    CVMX_MT_AES_KEY(key[1], 1);
-    CVMX_MT_AES_KEY(key[2], 2);
-    CVMX_MT_AES_KEY(key[3], 3);
-    CVMX_MT_AES_KEYLENGTH(aes->keylen/8 - 1);
-
-    in64 = (uint64_t*)in;
-    out64 = (uint64_t*)out;
-    CVMX_MT_AES_DEC0(in64[0]);
-    CVMX_MT_AES_DEC1(in64[1]);
-    CVMX_MF_AES_RESULT(out64[0],0);
-    CVMX_MF_AES_RESULT(out64[1],1);
-
-    return 0;
-}
-#endif /* WOLFSSL_AES_DIRECT */
-
 #ifdef HAVE_AES_CBC
-int Octeon_AesCbc_Encrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl)
+static int Octeon_AesCbc_Encrypt(Aes *aes,
+        uint64_t *inp64, uint64_t *outp64, size_t inl)
 {
     register uint64_t i0, i1, r0, r1;
     uint64_t *key, *iv;
@@ -358,7 +322,8 @@ int Octeon_AesCbc_Encrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t in
     return 0;
 }
 
-int Octeon_AesCbc_Decrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t inl)
+static int Octeon_AesCbc_Decrypt(Aes *aes,
+        uint64_t *inp64, uint64_t *outp64, size_t inl)
 {
     register uint64_t i0, i1, r0, r1;
     uint64_t *key, *iv;
@@ -458,7 +423,7 @@ int Octeon_AesCbc_Decrypt(Aes *aes, uint64_t *inp64, uint64_t *outp64, size_t in
             : [r1] "=&d"(in1) , [r2] "=&d"(in2) \
             : [r3] "d"(out1),  [r4] "d"(out2))
 
-static inline void Octeon_GHASH_Restore(word16 poly, byte* h)
+static void Octeon_GHASH_Restore(word16 poly, byte* h)
 {
     word64* bigH = (word64*)h;
     CVMX_MT_GFM_POLY((word64)poly);
@@ -467,7 +432,7 @@ static inline void Octeon_GHASH_Restore(word16 poly, byte* h)
 }
 
 
-static inline void Octeon_GHASH_Init(word16 poly, byte* h)
+static void Octeon_GHASH_Init(word16 poly, byte* h)
 {
     Octeon_GHASH_Restore(poly, h);
     CVMX_MT_GFM_RESINP(0, 0);
@@ -475,7 +440,7 @@ static inline void Octeon_GHASH_Init(word16 poly, byte* h)
 }
 
 
-static inline void Octeon_GHASH_Update(byte* in)
+static void Octeon_GHASH_Update(byte* in)
 {
     word64* bigIn = (word64*)in;
     CVMX_MT_GFM_XOR0(bigIn[0]);
@@ -483,7 +448,7 @@ static inline void Octeon_GHASH_Update(byte* in)
 }
 
 
-static inline void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
+static void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
 {
     word64* bigOut = (word64*)out;
 
@@ -745,7 +710,7 @@ static int Octeon_AesGcm_Finalize(Aes* aes, word32 inSz, word32 aadSz,
 }
 
 
-int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+static int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
         byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag)
 {
     int ret = 0;
@@ -772,7 +737,7 @@ int Octeon_AesGcm_Encrypt(Aes* aes, byte* in, byte* out, word32 inSz,
 }
 
 
-int Octeon_AesGcm_Decrypt(Aes* aes, byte* in, byte* out, word32 inSz,
+static int Octeon_AesGcm_Decrypt(Aes* aes, byte* in, byte* out, word32 inSz,
         byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag)
 {
     int ret = 0;
@@ -893,10 +858,8 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
     return ret;
 }
 
-int wc_CryptoCb_InitOcteon(void* unused)
+int wc_CryptoCb_InitOcteon(void)
 {
-    (void)unused;
-
     if (wc_CryptoCb_RegisterDevice(devId, myCryptoDevCb, NULL) < 0) {
         return INVALID_DEVID;
     }
@@ -904,107 +867,12 @@ int wc_CryptoCb_InitOcteon(void* unused)
     return devId;
 }
 
-void wc_CryptoCb_CleanupOcteon(int* id, void* unused)
+void wc_CryptoCb_CleanupOcteon(int* id)
 {
-    (void)unused;
     wc_CryptoCb_UnRegisterDevice(*id);
     *id = INVALID_DEVID;
 }
 
 #endif /* WOLF_CRYPTO_CB */
 
-
-#ifndef NO_MAIN_DRIVER
-
-#ifndef NO_DES3
-static int des3_test(void)
-{
-    const byte vector[] = { /* "Now is the time for all " w/o trailing 0 */
-        0x4e,0x6f,0x77,0x20,0x69,0x73,0x20,0x74,
-        0x68,0x65,0x20,0x74,0x69,0x6d,0x65,0x20,
-        0x66,0x6f,0x72,0x20,0x61,0x6c,0x6c,0x20
-    };
-
-    byte plain[24];
-    byte cipher[24];
-
-    Des3 enc;
-    Des3 dec;
-
-    const byte key3[] =
-    {
-        0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
-        0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10,
-        0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67
-    };
-    const byte iv3[] =
-    {
-        0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef,
-        0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
-        0x11,0x21,0x31,0x41,0x51,0x61,0x71,0x81
-
-    };
-
-    const byte verify3[] =
-    {
-        0x43,0xa0,0x29,0x7e,0xd1,0x84,0xf8,0x0e,
-        0x89,0x64,0x84,0x32,0x12,0xd5,0x08,0x98,
-        0x18,0x94,0x15,0x74,0x87,0x12,0x7d,0xb0
-    };
-
-    int ret;
-
-
-    if (wc_Des3Init(&enc, NULL, devId) != 0)
-        return -4700;
-    if (wc_Des3Init(&dec, NULL, devId) != 0)
-        return -4701;
-
-    ret = wc_Des3_SetKey(&enc, key3, iv3, DES_ENCRYPTION);
-    if (ret != 0)
-        return -4702;
-    ret = wc_Des3_SetKey(&dec, key3, iv3, DES_DECRYPTION);
-    if (ret != 0)
-        return -4703;
-    ret = wc_Des3_CbcEncrypt(&enc, cipher, vector, sizeof(vector));
-    if (ret != 0)
-        return -4704;
-    ret = wc_Des3_CbcDecrypt(&dec, plain, cipher, sizeof(cipher));
-    if (ret != 0)
-        return -4705;
-
-    if (XMEMCMP(plain, vector, sizeof(plain)))
-        return -4706;
-
-    if (XMEMCMP(cipher, verify3, sizeof(cipher)))
-        return -4707;
-
-
-    wc_Des3Free(&enc);
-    wc_Des3Free(&dec);
-
-    return 0;
-}
-#endif /* NO_DES */
-
-int main(void)
-{
-    int ret = 0;
-
-    wolfCrypt_Init();
-
-    /* The following is called in wolfCrypt_Init().
-    wc_CryptoCb_InitOcteon();
-    */
-
-#ifndef NO_DES3
-    des3_test();
-#endif
-
-    wolfCrypt_Cleanup();
-
-    return ret;
-}
-#endif /* !NO_MAIN_DRIVER */
-
 #endif /* HAVE_CAVIUM_OCTEON_SYNC */
diff --git a/wolfcrypt/src/port/intel/quickassist_sync.c b/wolfcrypt/src/port/intel/quickassist_sync.c
index 1b4679996..a148d0b83 100644
--- a/wolfcrypt/src/port/intel/quickassist_sync.c
+++ b/wolfcrypt/src/port/intel/quickassist_sync.c
@@ -42,6 +42,18 @@
 #include <wolfssl/wolfcrypt/cryptocb.h>
 #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
 
+#include "cpa.h"
+#include "cpa_cy_im.h"
+#include "cpa_cy_sym.h"
+#include "cpa_cy_rsa.h"
+#include "cpa_cy_ln.h"
+#include "cpa_cy_ecdh.h"
+#include "cpa_cy_ecdsa.h"
+#include "cpa_cy_dh.h"
+#include "cpa_cy_drbg.h"
+#include "cpa_cy_nrbg.h"
+#include "cpa_cy_prime.h"
+
 #include "icp_sal_user.h"
 #include "icp_sal_poll.h"
 
@@ -53,6 +65,164 @@
     #include <wolfcrypt/src/misc.c>
 #endif
 
+/* User space utils */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#if 0
+    /* Optional feature for partial QAT hashing support */
+    /* This will process updates through hardware instead of caching them */
+    #define QAT_HASH_ENABLE_PARTIAL
+#endif
+#ifdef QAT_HASH_ENABLE_PARTIAL
+    #define MAX_QAT_HASH_BUFFERS 2
+#endif
+
+/* Detect QAT driver version */
+#if defined(CPA_CY_API_VERSION_NUM_MAJOR) && CPA_CY_API_VERSION_NUM_MAJOR > 1
+    #define QAT_V2
+#endif
+
+#ifdef QAT_V2
+    /* quickassist/utilities/libusdm_drv/qae_mem.h */
+    /* Provides user-space API's for accessing NUMA allocated memory through usdm_drv */
+    #include "qae_mem.h"
+#include "linux/include/qae_mem_utils.h"
+#endif
+
+#ifdef QAT_USE_POLLING_THREAD
+    #include <pthread.h>
+#endif
+
+/* Tunable parameters */
+#ifndef QAT_PROCESS_NAME
+    #define QAT_PROCESS_NAME     "SSL"
+#endif
+#ifndef QAT_LIMIT_DEV_ACCESS
+    #define QAT_LIMIT_DEV_ACCESS CPA_FALSE
+#endif
+#ifndef QAT_MAX_DEVICES
+    #define QAT_MAX_DEVICES  (1)  /* maximum number of QAT cards */
+#endif
+
+#ifndef QAT_RETRY_LIMIT
+    #define QAT_RETRY_LIMIT  (100)
+#endif
+#ifndef QAT_POLL_RESP_QUOTA
+    #define QAT_POLL_RESP_QUOTA (0) /* all pending */
+#endif
+
+#if !defined(NO_AES) || !defined(NO_DES3)
+    #define QAT_ENABLE_CRYPTO
+#endif
+
+/* Pre-declarations */
+struct IntelQaDev;
+struct wc_CryptoInfo;
+struct WC_BIGINT;
+struct WC_RNG;
+
+
+#if defined(QAT_ENABLE_HASH) || defined(QAT_ENABLE_CRYPTO)
+/* symmetric context */
+typedef struct IntelQaSymCtx {
+    CpaCySymOpData opData;
+    CpaCySymSessionCtx symCtxSrc;
+    CpaCySymSessionCtx symCtx;
+    word32 symCtxSize;
+
+    /* flags */
+    word32 isOpen:1;
+    word32 isCopy:1;
+} IntelQaSymCtx;
+#endif
+
+typedef void (*IntelQaFreeFunc)(struct IntelQaDev*);
+
+
+/* QuickAssist device */
+typedef struct IntelQaDev {
+	CpaInstanceHandle handle;
+    int devId;
+	void* heap;
+
+    /* callback return info */
+    int ret;
+    byte* out;
+    union {
+        word32* outLenPtr;
+        word32 outLen;
+    };
+
+    /* operations */
+    IntelQaFreeFunc freeFunc;
+    union {
+    #ifdef QAT_ENABLE_CRYPTO
+        struct {
+            IntelQaSymCtx ctx;
+            CpaBufferList bufferList;
+            CpaFlatBuffer flatBuffer;
+            byte* authTag;
+            word32 authTagSz;
+        } cipher;
+    #endif
+    } op;
+
+#ifdef QAT_USE_POLLING_THREAD
+    pthread_t pollingThread;
+    byte pollingCy;
+#endif
+} IntelQaDev;
+
+
+/* Interface */
+static int IntelQaHardwareStart(const char*, int);
+static void IntelQaHardwareStop(void);
+static int IntelQaInit(void*);
+static void IntelQaDeInit(int);
+static int IntelQaNumInstances(void);
+static int IntelQaOpen(IntelQaDev*, int);
+static void IntelQaClose(IntelQaDev*);
+static int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
+static int IntelQaPoll(IntelQaDev*);
+static int IntelQaGetCyInstanceCount(void);
+
+#ifndef NO_AES
+    #ifdef HAVE_AES_CBC
+        static int IntelQaSymAesCbcEncrypt(IntelQaDev*, byte*,
+                const byte*, word32, const byte*, word32, const byte*, word32);
+    #ifdef HAVE_AES_DECRYPT
+        static int IntelQaSymAesCbcDecrypt(IntelQaDev*, byte*,
+                const byte*, word32, const byte*, word32, const byte*, word32);
+    #endif /* HAVE_AES_DECRYPT */
+    #endif /* HAVE_AES_CBC */
+
+    #ifdef HAVE_AESGCM
+        static int IntelQaSymAesGcmEncrypt(IntelQaDev*, byte*,
+                const byte*, word32, const byte*, word32, const byte*, word32,
+                byte*, word32, const byte*, word32);
+    #ifdef HAVE_AES_DECRYPT
+        static int IntelQaSymAesGcmDecrypt(IntelQaDev*, byte*,
+                const byte*, word32, const byte*, word32, const byte*, word32,
+                const byte*, word32, const byte*, word32);
+    #endif /* HAVE_AES_DECRYPT */
+    #endif /* HAVE_AESGCM */
+#endif /* !NO_AES */
+
+#ifndef NO_DES3
+    static int IntelQaSymDes3CbcEncrypt(IntelQaDev*, byte*,
+            const byte*, word32, const byte*, word32, const byte* iv, word32);
+    static int IntelQaSymDes3CbcDecrypt(IntelQaDev* dev, byte*,
+            const byte*, word32, const byte*, word32, const byte* iv, word32);
+#endif /*! NO_DES3 */
+
+#ifdef WOLF_CRYPTO_CB
+    static int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
+			void*);
+#endif /* WOLF_CRYPTO_CB */
+
 
 #ifdef QAT_DEBUG
     #define QLOG(...) do { printf(__VA_ARGS__); } while (0)
@@ -94,6 +264,9 @@ static qatCapabilities_t g_qatCapabilities = {0};
 extern Cpa32U osalLogLevelSet(Cpa32U level);
 
 
+static IntelQaDev qaDev;
+
+
 /* -------------------------------------------------------------------------- */
 /* Polling */
 /* -------------------------------------------------------------------------- */
@@ -1171,9 +1344,8 @@ int IntelQaSymSync_CryptoDevCb(int devId, struct wc_CryptoInfo* info, void* ctx)
 /* Public API                                                                 */
 /* -------------------------------------------------------------------------- */
 
-int wc_CryptoCb_InitIntelQa(void* dev)
+int wc_CryptoCb_InitIntelQa(void)
 {
-    IntelQaDev* qaDev = (IntelQaDev*)dev;
     int devId, rc;
 
     devId = IntelQaInit(NULL);
@@ -1182,7 +1354,7 @@ int wc_CryptoCb_InitIntelQa(void* dev)
         devId = INVALID_DEVID;
     }
     else {
-        rc = IntelQaOpen(qaDev, devId);
+        rc = IntelQaOpen(&qaDev, devId);
         if (rc != 0) {
             QLOG("Couldn't open the device\n");
             IntelQaDeInit(devId);
@@ -1190,10 +1362,10 @@ int wc_CryptoCb_InitIntelQa(void* dev)
         }
         else {
             rc = wc_CryptoCb_RegisterDevice(devId,
-                    IntelQaSymSync_CryptoDevCb, qaDev);
+                    IntelQaSymSync_CryptoDevCb, &qaDev);
             if (rc != 0) {
                 QLOG("Couldn't register the device\n");
-                IntelQaClose(qaDev);
+                IntelQaClose(&qaDev);
                 IntelQaDeInit(devId);
                 devId = INVALID_DEVID;
             }
@@ -1204,13 +1376,11 @@ int wc_CryptoCb_InitIntelQa(void* dev)
 }
 
 
-void wc_CryptoCb_CleanupIntelQa(int* id, void* dev)
+void wc_CryptoCb_CleanupIntelQa(int* id)
 {
-    IntelQaDev* qaDev = (IntelQaDev*)dev;
-
     if (INVALID_DEVID != *id) {
         wc_CryptoCb_UnRegisterDevice(*id);
-        IntelQaClose(qaDev);
+        IntelQaClose(&qaDev);
         IntelQaDeInit(*id);
         *id = INVALID_DEVID;
     }
@@ -1524,7 +1694,7 @@ static void* _qaeMemAlloc(size_t size, void* heap, int type
 }
 
 /* Public Functions */
-void* IntelQaMalloc(size_t size, void* heap, int type
+void* wc_CryptoCb_IntelQaMalloc(size_t size, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
@@ -1553,7 +1723,7 @@ void* IntelQaMalloc(size_t size, void* heap, int type
     return ptr;
 }
 
-void IntelQaFree(void *ptr, void* heap, int type
+void wc_CryptoCb_IntelQaFree(void *ptr, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
@@ -1578,7 +1748,7 @@ void IntelQaFree(void *ptr, void* heap, int type
 #endif
 }
 
-void* IntelQaRealloc(void *ptr, size_t size, void* heap, int type
+void* wc_CryptoCb_IntelQaRealloc(void *ptr, size_t size, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
index 18ca54180..d24a21569 100644
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -133,10 +133,6 @@ int wolfCrypt_Init(void)
         }
     #endif
 
-    #ifdef HAVE_INTEL_QA_SYNC
-        ret = IntelQaHardwareStart(QAT_PROCESS_NAME, QAT_LIMIT_DEV_ACCESS);
-    #endif
-
     #if defined(WOLFSSL_TRACK_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY)
         ret = InitMemoryTracker();
         if (ret != 0) {
@@ -270,10 +266,6 @@ int wolfCrypt_Cleanup(void)
         wolfAsync_HardwareStop();
     #endif
 
-    #ifdef HAVE_INTEL_QA_SYNC
-        IntelQaHardwareStop();
-    #endif
-
     #if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \
         defined(WOLFSSL_IMX6_CAAM_BLOB)
         wc_caamFree();
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 8973eb909..db7602d4d 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -258,10 +258,6 @@ static void initDefaultName(void);
 /* for async devices */
 static int devId = INVALID_DEVID;
 
-#if defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC)
-    static THREAD_LS_T IntelQaDev devQat;
-#endif
-
 #ifdef HAVE_WNR
     const char* wnrConfigFile = "wnr-example.conf";
 #endif
@@ -572,13 +568,13 @@ initDefaultName();
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    devId = wc_CryptoCb_InitIntelQa(&devQat);
+    devId = wc_CryptoCb_InitIntelQa();
     if (INVALID_DEVID == devId) {
         printf("Couldn't init the Intel QA\n");
     }
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    devId = wc_CryptoCb_InitOcteon(NULL);
+    devId = wc_CryptoCb_InitOcteon();
     if (INVALID_DEVID == devId) {
         printf("Couldn't init the Cavium Octeon\n");
     }
@@ -1150,10 +1146,10 @@ initDefaultName();
 
 #ifdef WOLF_CRYPTO_CB
 #ifdef HAVE_INTEL_QA_SYNC
-    wc_CryptoCb_CleanupIntelQa(&devId, &devQat);
+    wc_CryptoCb_CleanupIntelQa(&devId);
 #endif
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
-    wc_CryptoCb_CleanupOcteon(&devId, NULL);
+    wc_CryptoCb_CleanupOcteon(&devId);
 #endif
 #endif
 
diff --git a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
index 0da957ccb..8e28477d0 100644
--- a/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
+++ b/wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h
@@ -24,63 +24,8 @@
 
 #ifdef HAVE_CAVIUM_OCTEON_SYNC
 
-#ifndef NO_DES3
-    #include <wolfssl/wolfcrypt/des3.h>
-#endif
-#ifndef NO_AES
-    #include <wolfssl/wolfcrypt/aes.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-
-#include "cvmx.h"
-#include "cvmx-asm.h"
-#include "cvmx-key.h"
-#include "cvmx-swap.h"
-
-
-#ifdef WOLF_CRYPTO_CB
-WOLFSSL_API int wc_CryptoCb_InitOcteon(void* unused);
-WOLFSSL_API void wc_CryptoCb_CleanupOcteon(int* id, void* unused);
-#endif /* WOLF_CRYPTO_CB */
-
-
-#ifndef NO_DES3
-WOLFSSL_LOCAL int Octeon_Des3_CbcEncrypt(Des3 *key,
-        uint64_t *inp64, uint64_t *outp64, size_t inl);
-WOLFSSL_LOCAL int Octeon_Des3_CbcDecrypt(Des3 *key,
-        uint64_t *inp64, uint64_t *outp64, size_t inl);
-#endif /* !NO_DES3 */
-
-
-#ifndef NO_AES
-
-#ifdef WOLFSSL_AES_DIRECT
-WOLFSSL_LOCAL int Octeon_AesEcb_Encrypt(Aes *aes,
-        const unsigned char *in, unsigned char *out);
-WOLFSSL_LOCAL int Octeon_AesEcb_Decrypt(Aes *aes,
-        const unsigned char *in, unsigned char *out);
-#endif
-
-#ifdef HAVE_AES_CBC
-WOLFSSL_LOCAL int Octeon_AesCbc_Encrypt(Aes *aes,
-        uint64_t *inp64, uint64_t *outp64, size_t inl);
-WOLFSSL_LOCAL int Octeon_AesCbc_Decrypt(Aes *aes,
-        uint64_t *inp64, uint64_t *outp64, size_t inl);
-#endif
-
-#ifdef HAVE_AESGCM
-WOLFSSL_LOCAL int Octeon_AesGcm_Encrypt(Aes* aes,
-        byte* in, byte* out, word32 inSz,
-        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
-WOLFSSL_LOCAL int Octeon_AesGcm_Decrypt(Aes* aes,
-        byte* in, byte* out, word32 inSz,
-        byte* iv, word32 ivSz, byte* aad, word32 aadSz, byte* tag);
-#endif /* HAVE_AESGCM */
-
-#endif /* !NO_AES */
+WOLFSSL_API int wc_CryptoCb_InitOcteon(void);
+WOLFSSL_API void wc_CryptoCb_CleanupOcteon(int* id);
 
 #endif /* HAVE_CAVIUM_OCTEON_SYNC */
 #endif /* _CAVIUM_OCTEON_SYNC_H_ */
diff --git a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
index ed591bb0d..ff87b2ac3 100644
--- a/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
+++ b/wolfssl/wolfcrypt/port/intel/quickassist_sync.h
@@ -24,210 +24,30 @@
 
 #ifdef HAVE_INTEL_QA_SYNC
 
-#include "cpa.h"
-#include "cpa_cy_im.h"
-#include "cpa_cy_sym.h"
-#include "cpa_cy_rsa.h"
-#include "cpa_cy_ln.h"
-#include "cpa_cy_ecdh.h"
-#include "cpa_cy_ecdsa.h"
-#include "cpa_cy_dh.h"
-#include "cpa_cy_drbg.h"
-#include "cpa_cy_nrbg.h"
-#include "cpa_cy_prime.h"
+WOLFSSL_API int wc_CryptoCb_InitIntelQa(void);
+WOLFSSL_API void wc_CryptoCb_CleanupIntelQa(int* id);
 
-/* User space utils */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-
-#if 0
-    /* Optional feature for partial QAT hashing support */
-    /* This will process updates through hardware instead of caching them */
-    #define QAT_HASH_ENABLE_PARTIAL
-#endif
-#ifdef QAT_HASH_ENABLE_PARTIAL
-    #define MAX_QAT_HASH_BUFFERS 2
-#endif
-
-/* Detect QAT driver version */
-#if defined(CPA_CY_API_VERSION_NUM_MAJOR) && CPA_CY_API_VERSION_NUM_MAJOR > 1
-    #define QAT_V2
-#endif
-
-#ifdef QAT_V2
-    /* quickassist/utilities/libusdm_drv/qae_mem.h */
-    /* Provides user-space API's for accessing NUMA allocated memory through usdm_drv */
-    #include "qae_mem.h"
-#include "linux/include/qae_mem_utils.h"
-#endif
-
-#ifdef QAT_USE_POLLING_THREAD
-    #include <pthread.h>
-#endif
-#ifdef QA_DEMO_MAIN
-    #include <semaphore.h>
-#endif
-
-
-/* Tunable parameters */
-#ifndef QAT_PROCESS_NAME
-    #define QAT_PROCESS_NAME     "SSL"
-#endif
-#ifndef QAT_LIMIT_DEV_ACCESS
-    #define QAT_LIMIT_DEV_ACCESS CPA_FALSE
-#endif
-#ifndef QAT_MAX_DEVICES
-    #define QAT_MAX_DEVICES  (1)  /* maximum number of QAT cards */
-#endif
-
-#ifndef QAT_RETRY_LIMIT
-    #define QAT_RETRY_LIMIT  (100)
-#endif
-#ifndef QAT_POLL_RESP_QUOTA
-    #define QAT_POLL_RESP_QUOTA (0) /* all pending */
-#endif
-
-#if !defined(NO_AES) || !defined(NO_DES3)
-    #define QAT_ENABLE_CRYPTO
-#endif
-
-
-/* Pre-declarations */
-struct IntelQaDev;
-struct wc_CryptoInfo;
-struct WC_BIGINT;
-struct WC_RNG;
-
-
-#if defined(QAT_ENABLE_HASH) || defined(QAT_ENABLE_CRYPTO)
-/* symmetric context */
-typedef struct IntelQaSymCtx {
-    CpaCySymOpData opData;
-    CpaCySymSessionCtx symCtxSrc;
-    CpaCySymSessionCtx symCtx;
-    word32 symCtxSize;
-
-    /* flags */
-    word32 isOpen:1;
-    word32 isCopy:1;
-} IntelQaSymCtx;
-#endif
-
-typedef void (*IntelQaFreeFunc)(struct IntelQaDev*);
-
-
-/* QuickAssist device */
-typedef struct IntelQaDev {
-	CpaInstanceHandle handle;
-    int devId;
-	void* heap;
-
-    /* callback return info */
-    int ret;
-    byte* out;
-    union {
-        word32* outLenPtr;
-        word32 outLen;
-    };
-
-    /* operations */
-    IntelQaFreeFunc freeFunc;
-    union {
-    #ifdef QAT_ENABLE_CRYPTO
-        struct {
-            IntelQaSymCtx ctx;
-            CpaBufferList bufferList;
-            CpaFlatBuffer flatBuffer;
-            byte* authTag;
-            word32 authTagSz;
-        } cipher;
-    #endif
-    } op;
-
-#ifdef QAT_USE_POLLING_THREAD
-    pthread_t pollingThread;
-    byte pollingCy;
-#endif
-} IntelQaDev;
-
-
-WOLFSSL_API int wc_CryptoCb_InitIntelQa(void* dev);
-WOLFSSL_API void wc_CryptoCb_CleanupIntelQa(int* id, void* dev);
-
-
-/* Interface */
-WOLFSSL_LOCAL int IntelQaHardwareStart(const char*, int);
-WOLFSSL_LOCAL void IntelQaHardwareStop(void);
-WOLFSSL_LOCAL int IntelQaInit(void*);
-WOLFSSL_LOCAL void IntelQaDeInit(int);
-WOLFSSL_LOCAL int IntelQaNumInstances(void);
-WOLFSSL_LOCAL int IntelQaOpen(IntelQaDev*, int);
-WOLFSSL_LOCAL void IntelQaClose(IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaDevCopy(IntelQaDev*, IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaPoll(IntelQaDev*);
-WOLFSSL_LOCAL int IntelQaGetCyInstanceCount(void);
-
-#ifndef NO_AES
-    #ifdef HAVE_AES_CBC
-        WOLFSSL_LOCAL int IntelQaSymAesCbcEncrypt(IntelQaDev*, byte*,
-                const byte*, word32, const byte*, word32, const byte*, word32);
-    #ifdef HAVE_AES_DECRYPT
-        WOLFSSL_LOCAL int IntelQaSymAesCbcDecrypt(IntelQaDev*, byte*,
-                const byte*, word32, const byte*, word32, const byte*, word32);
-    #endif /* HAVE_AES_DECRYPT */
-    #endif /* HAVE_AES_CBC */
-
-    #ifdef HAVE_AESGCM
-        WOLFSSL_LOCAL int IntelQaSymAesGcmEncrypt(IntelQaDev*, byte*,
-                const byte*, word32, const byte*, word32, const byte*, word32,
-                byte*, word32, const byte*, word32);
-    #ifdef HAVE_AES_DECRYPT
-        WOLFSSL_LOCAL int IntelQaSymAesGcmDecrypt(IntelQaDev*, byte*,
-                const byte*, word32, const byte*, word32, const byte*, word32,
-                const byte*, word32, const byte*, word32);
-    #endif /* HAVE_AES_DECRYPT */
-    #endif /* HAVE_AESGCM */
-#endif /* !NO_AES */
-
-#ifndef NO_DES3
-    WOLFSSL_LOCAL int IntelQaSymDes3CbcEncrypt(IntelQaDev*, byte*,
-            const byte*, word32, const byte*, word32, const byte* iv, word32);
-    WOLFSSL_LOCAL int IntelQaSymDes3CbcDecrypt(IntelQaDev* dev, byte*,
-            const byte*, word32, const byte*, word32, const byte* iv, word32);
-#endif /*! NO_DES3 */
-
-#ifdef WOLF_CRYPTO_CB
-    WOLFSSL_LOCAL int IntelQaSymSync_CryptoDevCb(int, struct wc_CryptoInfo*,
-			void*);
-#endif /* WOLF_CRYPTO_CB */
-
-
-#ifdef WOLFSSL_TRACK_MEMORY
-    WOLFSSL_LOCAL int InitMemoryTracker(void);
-    WOLFSSL_LOCAL void ShowMemoryTracker(void);
-#endif
-
-
-WOLFSSL_LOCAL void* IntelQaMalloc(size_t size, void* heap, int type
+WOLFSSL_API void* wc_CryptoCb_IntelQaMalloc(size_t size,
+    void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
 );
 
-WOLFSSL_LOCAL void IntelQaFree(void *ptr, void* heap, int type
+WOLFSSL_API void wc_CryptoCb_IntelQaFree(void *ptr,
+    void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
 );
 
-WOLFSSL_LOCAL void* IntelQaRealloc(void *ptr, size_t size, void* heap, int type
+WOLFSSL_API void* wc_CryptoCb_IntelQaRealloc(void *ptr,
+    size_t size, void* heap, int type
 #ifdef WOLFSSL_DEBUG_MEMORY
     , const char* func, unsigned int line
 #endif
 );
+
 #endif /* HAVE_INTEL_QA_SYNC */
 
 #endif /* _INTEL_QUICKASSIST_SYNC_H_ */
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 7c8cc1d7d..efd94b75e 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -236,20 +236,30 @@
     #elif (defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_INTEL_QA)) || \
           defined(HAVE_INTEL_QA_SYNC)
         #ifndef HAVE_INTEL_QA_SYNC
-            #include <wolfssl/wolfcrypt/port/intel/quickassist_mem.h>
+            #include <wolfssl/wolfcrypt/port/intel/quickassist.h>
+            #undef USE_WOLFSSL_MEMORY
+            #ifdef WOLFSSL_DEBUG_MEMORY
+                #define XMALLOC(s, h, t)     IntelQaMalloc((s), (h), (t), __func__, __LINE__)
+                #define XFREE(p, h, t)       IntelQaFree((p), (h), (t), __func__, __LINE__)
+                #define XREALLOC(p, n, h, t) IntelQaRealloc((p), (n), (h), (t), __func__, __LINE__)
+            #else
+                #define XMALLOC(s, h, t)     IntelQaMalloc((s), (h), (t))
+                #define XFREE(p, h, t)       IntelQaFree((p), (h), (t))
+                #define XREALLOC(p, n, h, t) IntelQaRealloc((p), (n), (h), (t))
+            #endif /* WOLFSSL_DEBUG_MEMORY */
         #else
             #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
+            #undef USE_WOLFSSL_MEMORY
+            #ifdef WOLFSSL_DEBUG_MEMORY
+                #define XMALLOC(s, h, t)     wc_CryptoCb_IntelQaMalloc((s), (h), (t), __func__, __LINE__)
+                #define XFREE(p, h, t)       wc_CryptoCb_IntelQaFree((p), (h), (t), __func__, __LINE__)
+                #define XREALLOC(p, n, h, t) wc_CryptoCb_IntelQaRealloc((p), (n), (h), (t), __func__, __LINE__)
+            #else
+                #define XMALLOC(s, h, t)     wc_CryptoCb_IntelQaMalloc((s), (h), (t))
+                #define XFREE(p, h, t)       wc_CryptoCb_IntelQaFree((p), (h), (t))
+                #define XREALLOC(p, n, h, t) wc_CryptoCb_IntelQaRealloc((p), (n), (h), (t))
+            #endif /* WOLFSSL_DEBUG_MEMORY */
         #endif
-        #undef USE_WOLFSSL_MEMORY
-        #ifdef WOLFSSL_DEBUG_MEMORY
-            #define XMALLOC(s, h, t)     IntelQaMalloc((s), (h), (t), __func__, __LINE__)
-            #define XFREE(p, h, t)       IntelQaFree((p), (h), (t), __func__, __LINE__)
-            #define XREALLOC(p, n, h, t) IntelQaRealloc((p), (n), (h), (t), __func__, __LINE__)
-        #else
-            #define XMALLOC(s, h, t)     IntelQaMalloc((s), (h), (t))
-            #define XFREE(p, h, t)       IntelQaFree((p), (h), (t))
-            #define XREALLOC(p, n, h, t) IntelQaRealloc((p), (n), (h), (t))
-        #endif /* WOLFSSL_DEBUG_MEMORY */
     #elif defined(XMALLOC_USER)
         /* prototypes for user heap override functions */
         #include <stddef.h>  /* for size_t */

From 954d1ad13ebf753e02bfea6600607005678fdef0 Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Wed, 23 Oct 2019 15:01:41 -0700
Subject: [PATCH 09/10] Sniffer Update 1. Add ssl_SetWatchKeyCallback_ex()
 which was missing. 2. Fix linking issue with OCTEON libraries.

---
 configure.ac  |  4 ++--
 src/sniffer.c | 14 +++++++++++---
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 91c3ab1e0..53131278f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3903,8 +3903,8 @@ AC_ARG_WITH([octeon-sync],
         AM_CFLAGS="$AM_CFLAGS -I$OCTEON_ROOT/executive"
 
         #-I$OCTEON_ROOT/target/include 
-        LDFLAGS="$LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
-        LIBS="$LIBS $OCTEON_ROOT/executive/$OCTEON_OBJ/libcvmx.a $OCTEON_ROOT/executive/$OCTEON_OBJ/libfdt.a"
+        AM_LDFLAGS="$AM_LDFLAGS -lrt -Xlinker -T -Xlinker $OCTEON_ROOT/executive/cvmx-shared-linux.ld"
+        AM_LDFLAGS="$AM_LDFLAGS -L$OCTEON_ROOT/executive/$OCTEON_OBJ -lcvmx -lfdt"
 
         enable_shared=no
         enable_static=yes
diff --git a/src/sniffer.c b/src/sniffer.c
index f25f30b71..835f06cdd 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -513,6 +513,7 @@ void ssl_InitSniffer(void)
     CryptoDeviceId = wc_CryptoCb_InitOcteon();
     if (INVALID_DEVID == CryptoDeviceId) {
         printf("Couldn't init the Intel QA\n");
+    }
     #endif
 #endif
 }
@@ -1433,7 +1434,7 @@ static int LoadKeyFile(byte** keyBuf, word32* keyBufSz,
 
 #ifdef WOLFSSL_SNIFFER_WATCH
 
-static int CreateWatchSnifferServer(char* error)
+static int CreateWatchSnifferServer(char* error, int devId)
 {
     SnifferServer* sniffer;
 
@@ -1452,7 +1453,7 @@ static int CreateWatchSnifferServer(char* error)
     }
 #ifdef WOLF_CRYPTO_CB
     if (CryptoDeviceId != INVALID_DEVID)
-	    wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDeviceId);
+	    wolfSSL_CTX_SetDevId(sniffer->ctx, devId);
 #endif
     ServerList = sniffer;
 
@@ -4503,10 +4504,17 @@ int ssl_ReadResetStatistics(SSLStats* stats)
 
 #ifdef WOLFSSL_SNIFFER_WATCH
 
+int ssl_SetWatchKeyCallback_ex(SSLWatchCb cb, int devId, char* error)
+{
+    WatchCb = cb;
+    return CreateWatchSnifferServer(error, devId);
+}
+
+
 int ssl_SetWatchKeyCallback(SSLWatchCb cb, char* error)
 {
     WatchCb = cb;
-    return CreateWatchSnifferServer(error);
+    return CreateWatchSnifferServer(error, INVALID_DEVID);
 }
 
 

From 17f44d4d2908d8f923efe194f5f64924f09a5aae Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Thu, 24 Oct 2019 10:00:20 -0700
Subject: [PATCH 10/10] OCTEON Sync 1. Add attributes to the OCTEON functions
 so they aren't optimized. 2. Disable the same test cases for OCTEON as we do
 QAT in sync.

---
 wolfcrypt/src/port/cavium/cavium_octeon_sync.c | 17 +++++++++--------
 wolfcrypt/test/test.c                          | 17 ++++++++++-------
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
index 38aec4455..735a9ad3f 100644
--- a/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
+++ b/wolfcrypt/src/port/cavium/cavium_octeon_sync.c
@@ -52,6 +52,7 @@
     #include <wolfssl/wolfcrypt/aes.h>
 #endif
 
+#define NOOPT __attribute__((optimize("O0")))
 
 static int devId = 1234;
 
@@ -423,7 +424,7 @@ static int Octeon_AesCbc_Decrypt(Aes *aes,
             : [r1] "=&d"(in1) , [r2] "=&d"(in2) \
             : [r3] "d"(out1),  [r4] "d"(out2))
 
-static void Octeon_GHASH_Restore(word16 poly, byte* h)
+static NOOPT void Octeon_GHASH_Restore(word16 poly, byte* h)
 {
     word64* bigH = (word64*)h;
     CVMX_MT_GFM_POLY((word64)poly);
@@ -432,7 +433,7 @@ static void Octeon_GHASH_Restore(word16 poly, byte* h)
 }
 
 
-static void Octeon_GHASH_Init(word16 poly, byte* h)
+static NOOPT void Octeon_GHASH_Init(word16 poly, byte* h)
 {
     Octeon_GHASH_Restore(poly, h);
     CVMX_MT_GFM_RESINP(0, 0);
@@ -440,7 +441,7 @@ static void Octeon_GHASH_Init(word16 poly, byte* h)
 }
 
 
-static void Octeon_GHASH_Update(byte* in)
+static NOOPT void Octeon_GHASH_Update(byte* in)
 {
     word64* bigIn = (word64*)in;
     CVMX_MT_GFM_XOR0(bigIn[0]);
@@ -448,7 +449,7 @@ static void Octeon_GHASH_Update(byte* in)
 }
 
 
-static void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
+static NOOPT void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
 {
     word64* bigOut = (word64*)out;
 
@@ -460,7 +461,7 @@ static void Octeon_GHASH_Final(byte* out, word64 authInSz, word64 inSz)
 
 
 /* Sets the Octeon key with the key found in the Aes record. */
-static int Octeon_AesGcm_SetKey(Aes* aes)
+static NOOPT int Octeon_AesGcm_SetKey(Aes* aes)
 {
     int ret = 0;
 
@@ -490,7 +491,7 @@ static int Octeon_AesGcm_SetKey(Aes* aes)
 }
 
 
-static int Octeon_AesGcm_SetIV(Aes* aes, byte* iv, word32 ivSz)
+static NOOPT int Octeon_AesGcm_SetIV(Aes* aes, byte* iv, word32 ivSz)
 {
     int ret = 0;
 
@@ -531,7 +532,7 @@ static int Octeon_AesGcm_SetIV(Aes* aes, byte* iv, word32 ivSz)
 }
 
 
-static int Octeon_AesGcm_SetAAD(Aes* aes, byte* aad, word32 aadSz)
+static NOOPT int Octeon_AesGcm_SetAAD(Aes* aes, byte* aad, word32 aadSz)
 {
     word64* p;
     ALIGN16 byte aesBlock[AES_BLOCK_SIZE];
@@ -667,7 +668,7 @@ static int Octeon_AesGcm_SetEncrypt(Aes* aes, byte* in, byte* out, word32 inSz,
 }
 
 
-static int Octeon_AesGcm_Finalize(Aes* aes, word32 inSz, word32 aadSz,
+static NOOPT int Octeon_AesGcm_Finalize(Aes* aes, word32 inSz, word32 aadSz,
         byte* tag)
 {
     word64 bigSz;
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index db7602d4d..6e7b600f1 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -869,7 +869,8 @@ initDefaultName();
         return err_sys("AES-GCM  test failed!\n", ret);
     #endif
     #if !defined(WOLFSSL_AFALG_XILINX_AES) && !defined(WOLFSSL_XILINX_CRYPT) && \
-        !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
+        !(defined(WOLF_CRYPTO_CB) && \
+            (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
     if ((ret = aesgcm_default_test()) != 0) {
         return err_sys("AES-GCM  test failed!\n", ret);
     }
@@ -1130,7 +1131,8 @@ initDefaultName();
         test_pass("blob     test passed!\n");
 #endif
 
-#ifdef WOLF_CRYPTO_CB
+#if defined(WOLF_CRYPTO_CB) && \
+    !(defined(HAVE_INTEL_QAT_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))
     if ( (ret = cryptocb_test()) != 0)
         return err_sys("crypto callback test failed!\n", ret);
     else
@@ -7233,7 +7235,6 @@ int aesgcm_default_test(void)
         0x3a, 0x7a, 0x56, 0x05, 0x09, 0xa2, 0xd9, 0xf2
     };
 
-
     byte key2[] = {
         0x01, 0x6d, 0xbb, 0x38, 0xda, 0xa7, 0x6d, 0xfe,
         0x7d, 0xa3, 0x84, 0xeb, 0xf1, 0x24, 0x03, 0x64
@@ -7281,7 +7282,6 @@ int aesgcm_default_test(void)
 	if (ret != 0) {
 		return ret;
 	}
-
 	ret = aesgcm_default_test_helper(key2, sizeof(key2), iv2, sizeof(iv2),
 		plain2, sizeof(plain2), cipher2, sizeof(cipher2),
 		NULL, 0, tag2, sizeof(tag2));
@@ -7368,7 +7368,8 @@ int aesgcm_test(void)
         !defined(WOLFSSL_PIC32MZ_CRYPT) && \
         !defined(FREESCALE_LTC) && !defined(FREESCALE_MMCAU) && \
         !defined(WOLFSSL_XILINX_CRYPT) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
-        !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
+        !(defined(WOLF_CRYPTO_CB) && \
+            (defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)))
 
     #define ENABLE_NON_12BYTE_IV_TEST
 #ifdef WOLFSSL_AES_192
@@ -7715,7 +7716,8 @@ int aesgcm_test(void)
 
 #if defined(WOLFSSL_AES_256) && !defined(WOLFSSL_AFALG_XILINX_AES) && \
     !defined(WOLFSSL_XILINX_CRYPT) && \
-    !(defined(WOLF_CRYPTO_CB) && defined(HAVE_INTEL_QA_SYNC))
+    !(defined(WOLF_CRYPTO_CB) && \
+        defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC))
     XMEMSET(resultT, 0, sizeof(resultT));
     XMEMSET(resultC, 0, sizeof(resultC));
     XMEMSET(resultP, 0, sizeof(resultP));
@@ -7750,7 +7752,8 @@ int aesgcm_test(void)
 #if !defined(HAVE_FIPS) || \
     (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))
     /* Test encrypt with internally generated IV */
-#if defined(WOLFSSL_AES_256) && !(defined(WC_NO_RNG) || defined(HAVE_SELFTEST))
+#if defined(WOLFSSL_AES_256) && !(defined(WC_NO_RNG) || defined(HAVE_SELFTEST)) \
+    && !(defined(WOLF_CRYPTO_CB) && defined(HAVE_CAVIUM_OCTEON_SYNC))
     {
         WC_RNG rng;
         byte randIV[12];