update encryption and decryption

2022-10-19 05:50:28 +00:00 · 2022-10-19 05:50:28 +00:00 · a77ba77b8a
commit a77ba77b8a
parent 8adb16b462
26 changed files with 2897 additions and 167 deletions
--- a/package/devel/valgrind/Makefile
+++ b/package/devel/valgrind/Makefile
@ -12,7 +12,7 @@ PKG_VERSION:=3.16.1
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://sourceware.org/pub/valgrind/
+PKG_SOURCE_URL:=https://sourceware.org/pub/valgrind/
 PKG_HASH:=c91f3a2f7b02db0f3bc99479861656154d241d2fdb265614ba918cc6720a33ca

 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
--- a/package/libs/libaudit/Makefile
+++ b/package/libs/libaudit/Makefile
@ -11,7 +11,7 @@ PKG_RELEASE:=1

 PKG_SOURCE_NAME:=audit
 PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit
+PKG_SOURCE_URL:=https://people.redhat.com/sgrubb/audit
 PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_SOURCE_NAME)-$(PKG_VERSION)
--- a/package/libs/libpcap/Makefile
+++ b/package/libs/libpcap/Makefile
@ -12,7 +12,7 @@ PKG_VERSION:=1.10.1
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.tcpdump.org/release/
+PKG_SOURCE_URL:=https://www.tcpdump.org/release/
 PKG_HASH:=ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4

 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@ -8,15 +8,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=mbedtls
-PKG_VERSION:=2.28.0
+PKG_VERSION:=2.28.1
 PKG_RELEASE:=$(AUTORELEASE)
 PKG_USE_MIPS16:=0

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=6519579b836ed78cc549375c7c18b111df5717e86ca0eeff4cb64b2674f424cc
+PKG_HASH:=6797a7b6483ef589deeab8d33d401ed235d7be25eeecda1be8ddfed406d40ff4

-PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
 PKG_CPE_ID:=cpe:/a:arm:mbed_tls
@ -46,6 +45,7 @@ $(call Package/mbedtls/Default)
  CATEGORY:=Libraries
  SUBMENU:=SSL
  TITLE+= (library)
+  PKGFLAGS:=nonshared
  ABI_VERSION:=12
 endef

@ -67,13 +67,11 @@ config LIBMBEDTLS_HAVE_ARMV8CE_AES
 	bool
 	default y
 	prompt "Enable use of the ARMv8 Crypto Extensions"
-	depends on aarch64 && !TARGET_bcm27xx && !TARGET_bcm4908
+	depends on aarch64 && !TARGET_bcm27xx
 	help
 	 Use of the ARMv8 Crypto Extensions greatly increase performance
 	 (up to 4x faster on AES-GCM while 10x faster on raw AES).

-	 Related instructions should be included in all modern Aarch64
-	 devices, except some wastes like Broadcom.
 	 If you don't sure, say Y here.

 config LIBMBEDTLS_HAVE_SSE2
@ -118,8 +116,6 @@ This package contains mbedtls helper programs for private key and
 CSR generation (gen_key, cert_req)
 endef

-PKG_INSTALL:=1
-
 TARGET_CFLAGS += -ffunction-sections -fdata-sections
 TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS))
 ifneq ($(CONFIG_LIBMBEDTLS_HAVE_ARMV8CE_AES),)
@ -127,6 +123,7 @@ ifneq ($(CONFIG_LIBMBEDTLS_HAVE_ARMV8CE_AES),)
 endif

 CMAKE_OPTIONS += \
+	-DCMAKE_POSITION_INDEPENDENT_CODE=ON \
 	-DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \
 	-DENABLE_TESTING:Bool=OFF \
 	-DENABLE_PROGRAMS:Bool=ON
--- a/package/libs/mbedtls/patches/100-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch
+++ b/package/libs/mbedtls/patches/100-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch
@ -27,12 +27,12 @@ QEMU seems to also need
 Then run normal make or cmake etc.
 ---

--- a/ChangeLog.d/armv8_crypto_extensions.txt
+--- /dev/null
 +++ b/ChangeLog.d/armv8_crypto_extensions.txt
@@ -0,0 +1,2 @@
 +Features
 +    * Support ARMv8 Cryptography Extensions for AES and GCM.
--- a/include/mbedtls/armv8ce_aes.h
+--- /dev/null
 +++ b/include/mbedtls/armv8ce_aes.h
@@ -0,0 +1,63 @@
 +/**
@ -100,7 +100,7 @@ Then run normal make or cmake etc.
 +#endif /* MBEDTLS_ARMV8CE_AES_H */
 --- a/include/mbedtls/check_config.h
 +++ b/include/mbedtls/check_config.h
-@@ -95,6 +95,10 @@
+@@ -72,6 +72,10 @@
 #error "MBEDTLS_AESNI_C defined, but not all prerequisites"
 #endif
 
@ -111,14 +111,14 @@ Then run normal make or cmake etc.
 #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
 #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
 #endif
-@@ -772,3 +776,4 @@
+@@ -897,3 +901,4 @@
 typedef int mbedtls_iso_c_forbids_empty_translation_units;
 
 #endif /* MBEDTLS_CHECK_CONFIG_H */
 +
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -73,6 +73,7 @@
+@@ -46,6 +46,7 @@
  * Requires support for asm() in compiler.
  *
  * Used in:
@ -126,7 +126,7 @@ Then run normal make or cmake etc.
  *      library/aria.c
  *      library/timing.c
  *      include/mbedtls/bn_mul.h
-@@ -1888,6 +1889,21 @@
+@@ -2313,6 +2314,21 @@
 #define MBEDTLS_AESNI_C
 
 /**
@ -150,7 +150,7 @@ Then run normal make or cmake etc.
  * Enable the AES block cipher.
 --- a/library/aes.c
 +++ b/library/aes.c
-@@ -69,7 +69,9 @@
+@@ -39,7 +39,9 @@
 #if defined(MBEDTLS_AESNI_C)
 #include "mbedtls/aesni.h"
 #endif
@ -161,7 +161,7 @@ Then run normal make or cmake etc.
 #if defined(MBEDTLS_SELF_TEST)
 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
-@@ -1052,6 +1054,11 @@
+@@ -999,6 +1001,11 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_c
         return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
 #endif
 
@ -173,7 +173,7 @@ Then run normal make or cmake etc.
 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
     if( aes_padlock_ace )
     {
--- a/library/armv8ce_aes.c
+--- /dev/null
 +++ b/library/armv8ce_aes.c
@@ -0,0 +1,142 @@
 +/*
@ -320,7 +320,7 @@ Then run normal make or cmake etc.
 +#endif /* MBEDTLS_ARMV8CE_AES_C */
 --- a/library/CMakeLists.txt
 +++ b/library/CMakeLists.txt
-@@ -7,6 +7,7 @@
+@@ -15,6 +15,7 @@ set(src_crypto
     aesni.c
     arc4.c
     aria.c
@ -330,7 +330,7 @@ Then run normal make or cmake etc.
     base64.c
 --- a/library/gcm.c
 +++ b/library/gcm.c
-@@ -71,6 +71,10 @@
+@@ -41,6 +41,10 @@
 #include "mbedtls/aesni.h"
 #endif
 
@ -341,7 +341,7 @@ Then run normal make or cmake etc.
 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
 #include "mbedtls/aes.h"
 #include "mbedtls/platform.h"
-@@ -140,6 +144,12 @@
+@@ -87,6 +91,12 @@ static int gcm_gen_table( mbedtls_gcm_co
     if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
         return( ret );
 
@ -352,9 +352,9 @@ Then run normal make or cmake etc.
 +#endif
 +
     /* pack h as two 64-bits ints, big-endian */
-     GET_UINT32_BE( hi, h,  0  );
-     GET_UINT32_BE( lo, h,  4  );
-@@ -248,6 +258,11 @@
+     hi = MBEDTLS_GET_UINT32_BE( h,  0  );
+     lo = MBEDTLS_GET_UINT32_BE( h,  4  );
+@@ -196,6 +206,11 @@ static void gcm_mult( mbedtls_gcm_contex
     unsigned char lo, hi, rem;
     uint64_t zh, zl;
 
@ -368,18 +368,17 @@ Then run normal make or cmake etc.
         unsigned char h[16];
 --- a/library/Makefile
 +++ b/library/Makefile
-@@ -72,6 +72,7 @@
- 	     aesni.o \
- 	     arc4.o \
+@@ -74,6 +74,7 @@ OBJS_CRYPTO= \
 	     aria.o \
-+	     armv8ce_aes.o \
 	     asn1parse.o \
 	     asn1write.o \
+	     armv8ce_aes.o \
 	     base64.o \
-
+ 	     bignum.o \
+ 	     blowfish.o \
 --- a/library/version_features.c
 +++ b/library/version_features.c
-@@ -583,6 +583,9 @@
+@@ -624,6 +624,9 @@ static const char * const features[] = {
 #if defined(MBEDTLS_AESNI_C)
     "MBEDTLS_AESNI_C",
 #endif /* MBEDTLS_AESNI_C */
--- a/package/libs/mbedtls/patches/100-fix-compile.patch
+++ b/package/libs/mbedtls/patches/100-fix-compile.patch
@ -0,0 +1,22 @@
+Fix a compile problem introduced in commit 331c3421d1f0 ("Address review comments")
+
+Bug report: https://github.com/Mbed-TLS/mbedtls/issues/6243
+
+--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
+@@ -2511,7 +2511,6 @@ int main( int argc, char *argv[] )
+         }
+         key_cert_init2 = 2;
+ #endif /* MBEDTLS_ECDSA_C */
+-    }
+ 
+ #if defined(MBEDTLS_USE_PSA_CRYPTO)
+     if( opt.key_opaque != 0 )
+@@ -2540,6 +2539,7 @@ int main( int argc, char *argv[] )
+     }
+ #endif /* MBEDTLS_USE_PSA_CRYPTO */
+ #endif /* MBEDTLS_CERTS_C */
+    }
+ 
+     mbedtls_printf( " ok (key types: %s - %s)\n", mbedtls_pk_get_name( &pkey ), mbedtls_pk_get_name( &pkey2 ) );
+ #endif /* MBEDTLS_X509_CRT_PARSE_C */
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -665,14 +665,14 @@
+@@ -670,14 +670,14 @@
  *
  * Enable Output Feedback mode (OFB) for symmetric ciphers.
  */
@ -17,7 +17,7 @@
 
 /**
  * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -790,20 +790,20 @@
+@@ -795,20 +795,20 @@
  * Comment macros to disable the curve and functions for it
  */
 /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
@ -47,7 +47,7 @@
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -956,7 +956,7 @@
+@@ -961,7 +961,7 @@
  *             See dhm.h for more details.
  *
  */
@ -56,7 +56,7 @@
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -976,7 +976,7 @@
+@@ -981,7 +981,7 @@
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  */
@ -65,7 +65,7 @@
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -1001,7 +1001,7 @@
+@@ -1006,7 +1006,7 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  */
@ -74,7 +74,7 @@
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1135,7 +1135,7 @@
+@@ -1140,7 +1140,7 @@
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  */
@ -83,7 +83,7 @@
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1159,7 +1159,7 @@
+@@ -1164,7 +1164,7 @@
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  */
@ -92,7 +92,7 @@
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1263,7 +1263,7 @@
+@@ -1268,7 +1268,7 @@
  * This option is only useful if both MBEDTLS_SHA256_C and
  * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
  */
@ -101,7 +101,7 @@
 
 /**
  * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1478,14 +1478,14 @@
+@@ -1483,14 +1483,14 @@
  * Uncomment this macro to disable the use of CRT in RSA.
  *
  */
@ -118,7 +118,7 @@
 
 /**
  * \def MBEDTLS_SHA256_SMALLER
-@@ -1756,7 +1756,7 @@
+@@ -1761,7 +1761,7 @@
  *          configuration of this extension).
  *
  */
@ -127,7 +127,7 @@
 
 /**
  * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -2017,7 +2017,7 @@
+@@ -2022,7 +2022,7 @@
  *
  * Comment this macro to disable support for truncated HMAC in SSL
  */
@ -136,7 +136,7 @@
 
 /**
  * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -2185,7 +2185,7 @@
+@@ -2201,7 +2201,7 @@
  *
  * Comment this to disable run-time checking and save ROM space
  */
@ -145,7 +145,7 @@
 
 /**
  * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2534,7 +2534,7 @@
+@@ -2550,7 +2550,7 @@
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  */
@ -154,7 +154,7 @@
 
 /**
  * \def MBEDTLS_ARIA_C
-@@ -2600,7 +2600,7 @@
+@@ -2616,7 +2616,7 @@
  * This module enables the AES-CCM ciphersuites, if other requisites are
  * enabled as well.
  */
@ -163,7 +163,7 @@
 
 /**
  * \def MBEDTLS_CERTS_C
-@@ -2612,7 +2612,7 @@
+@@ -2628,7 +2628,7 @@
  *
  * This module is used for testing (ssl_client/server).
  */
@ -172,7 +172,7 @@
 
 /**
  * \def MBEDTLS_CHACHA20_C
-@@ -2725,7 +2725,7 @@
+@@ -2741,7 +2741,7 @@
  * \warning   DES is considered a weak cipher and its use constitutes a
  *            security risk. We recommend considering stronger ciphers instead.
  */
@ -181,7 +181,7 @@
 
 /**
  * \def MBEDTLS_DHM_C
-@@ -2890,7 +2890,7 @@
+@@ -2906,7 +2906,7 @@
  * This module adds support for the Hashed Message Authentication Code
  * (HMAC)-based key derivation function (HKDF).
  */
@ -190,7 +190,7 @@
 
 /**
  * \def MBEDTLS_HMAC_DRBG_C
-@@ -3203,7 +3203,7 @@
+@@ -3219,7 +3219,7 @@
  *
  * This module enables abstraction of common (libc) functions.
  */
@ -199,7 +199,7 @@
 
 /**
  * \def MBEDTLS_POLY1305_C
-@@ -3279,7 +3279,7 @@
+@@ -3295,7 +3295,7 @@
  * Caller:  library/md.c
  *
  */
@ -208,7 +208,7 @@
 
 /**
  * \def MBEDTLS_RSA_C
-@@ -3486,7 +3486,7 @@
+@@ -3506,7 +3506,7 @@
  *
  * This module provides run-time version information.
  */
@ -217,12 +217,12 @@
 
 /**
  * \def MBEDTLS_X509_USE_C
-@@ -3596,7 +3596,7 @@
+@@ -3616,7 +3616,7 @@
  * Module:  library/xtea.c
  * Caller:
  */
 -#define MBEDTLS_XTEA_C
 +//#define MBEDTLS_XTEA_C
 
- /* \} name SECTION: mbed TLS modules */
+ /** \} name SECTION: mbed TLS modules */
 
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=openssl
 PKG_BASE:=1.1.1
-PKG_BUGFIX:=n
+PKG_BUGFIX:=q
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=$(AUTORELEASE)
 PKG_USE_MIPS16:=0
@ -27,7 +27,7 @@ PKG_SOURCE_URL:= \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \
 	ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/

-PKG_HASH:=40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a
+PKG_HASH:=d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca

 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
--- a/package/libs/openssl/patches/11895.patch
+++ b/package/libs/openssl/patches/11895.patch
@ -0,0 +1,227 @@
+From f4f6661af1bf15fe7416dcca8f5fc84dcabd5242 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Thu, 21 May 2020 11:58:38 +0200
+Subject: [PATCH 1/2] Enable legacy AES API to use AESNI or VPAES if available
+
+When no assembler support is available, we fall back
+to either the constant time C implementation or the
+non-constant time C code implementation.
+
+This is controlled by -DOPENSSL_AES_CONST_TIME.
+So this makes the legacy API completely constant time,
+if OPENSSL_AES_CONST_TIME is defined, otherwise it uses constant time
+assembler implementations when available, and may fall back to the
+non-constant time implementation.
+
+This works so far only for intel and aarch64 CPUs.
+
+[extended tests]
+---
+ crypto/aes/aes_core.c | 15 ++++++++
+ crypto/evp/e_aes.c    | 82 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 97 insertions(+)
+
+diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
+index ad00c729e70..36e35dfdf49 100644
+--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
+@@ -43,6 +43,21 @@
+ #include <openssl/aes.h>
+ #include "aes_local.h"
+ 
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
+int aes_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key);
+int aes_set_decrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key);
+void aes_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key);
+void aes_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key);
+# define AES_set_encrypt_key aes_set_encrypt_key
+# define AES_set_decrypt_key aes_set_decrypt_key
+# define AES_encrypt aes_encrypt
+# define AES_decrypt aes_decrypt
+#endif
+
+ #if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM)
+ typedef union {
+     unsigned char b[8];
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 405ddbf9bf0..8dbc947157d 100644
+--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
+@@ -100,6 +100,21 @@ typedef struct {
+ 
+ #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
+ 
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
+int aes_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key);
+int aes_set_decrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key);
+void aes_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key);
+void aes_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key);
+# define AES_set_encrypt_key aes_set_encrypt_key
+# define AES_set_dncrypt_key aes_set_decrypt_key
+# define AES_encrypt aes_encrypt
+# define AES_dncrypt aes_dncrypt
+#endif
+
+ #ifdef VPAES_ASM
+ int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
+                           AES_KEY *key);
+@@ -4287,3 +4302,70 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
+ BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
+                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ #endif                         /* OPENSSL_NO_OCB */
+
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
+# undef AES_set_encrypt_key
+# undef AES_set_decrypt_key
+# undef AES_encrypt
+# undef AES_decrypt
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+# ifdef AESNI_CAPABLE
+    if (AESNI_CAPABLE)
+        return aesni_set_encrypt_key(userKey, bits, key);
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE)
+        return vpaes_set_encrypt_key(userKey, bits, key);
+# endif
+    return aes_set_encrypt_key(userKey, bits, key);
+}
+
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key)
+{
+# ifdef AESNI_CAPABLE
+    if (AESNI_CAPABLE)
+        return aesni_set_decrypt_key(userKey, bits, key);
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE)
+        return vpaes_set_decrypt_key(userKey, bits, key);
+# endif
+    return aes_set_decrypt_key(userKey, bits, key);
+}
+
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key)
+{
+# ifdef AESNI_CAPABLE
+    if (AESNI_CAPABLE)
+        aesni_encrypt(in, out, key);
+    else
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE)
+        vpaes_encrypt(in, out, key);
+    else
+# endif
+    aes_encrypt(in, out, key);
+}
+
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key)
+{
+# ifdef AESNI_CAPABLE
+    if (AESNI_CAPABLE)
+        aesni_decrypt(in, out, key);
+    else
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE)
+        vpaes_decrypt(in, out, key);
+    else
+# endif
+    aes_decrypt(in, out, key);
+}
+#endif
+
+From 5de700ae03e0fdb8ca738f4c4912107437399d87 Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Sat, 23 May 2020 23:43:36 +0200
+Subject: [PATCH 2/2] Enable AES_cbc_encrypt to use AESNI or VPAES if available
+
+This makes the legacy API AES_cbc_encrypt outperform the EVP API.
+
+[extended tests]
+---
+ crypto/aes/aes_cbc.c |  7 +++++++
+ crypto/evp/e_aes.c   | 22 ++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/crypto/aes/aes_cbc.c b/crypto/aes/aes_cbc.c
+index 342841fc4ff..c1195bd432b 100644
+--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
+@@ -10,6 +10,13 @@
+ #include <openssl/aes.h>
+ #include <openssl/modes.h>
+ 
+#if defined(OPENSSL_CPUID_OBJ) && !defined(AES_ASM)
+void aes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     size_t len, const AES_KEY *key,
+                     unsigned char *ivec, const int enc);
+# define AES_cbc_encrypt aes_cbc_encrypt
+#endif
+
+ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                      size_t len, const AES_KEY *key,
+                      unsigned char *ivec, const int enc)
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 8dbc947157d..954425e6552 100644
+--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
+@@ -109,10 +109,14 @@ void aes_encrypt(const unsigned char *in, unsigned char *out,
+                  const AES_KEY *key);
+ void aes_decrypt(const unsigned char *in, unsigned char *out,
+                  const AES_KEY *key);
+void aes_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     size_t len, const AES_KEY *key,
+                     unsigned char *ivec, const int enc);
+ # define AES_set_encrypt_key aes_set_encrypt_key
+ # define AES_set_dncrypt_key aes_set_decrypt_key
+ # define AES_encrypt aes_encrypt
+ # define AES_dncrypt aes_dncrypt
+# define AES_cbc_encrypt aes_cbc_encrypt
+ #endif
+ 
+ #ifdef VPAES_ASM
+@@ -4308,6 +4312,7 @@ BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
+ # undef AES_set_decrypt_key
+ # undef AES_encrypt
+ # undef AES_decrypt
+# undef AES_cbc_encrypt
+ 
+ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                         AES_KEY *key)
+@@ -4368,4 +4373,21 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
+ # endif
+     aes_decrypt(in, out, key);
+ }
+
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     size_t len, const AES_KEY *key,
+                     unsigned char *ivec, const int enc)
+{
+# ifdef AESNI_CAPABLE
+    if (AESNI_CAPABLE)
+        aesni_cbc_encrypt(in, out, len, key, ivec, enc);
+    else
+# endif
+# ifdef VPAES_CAPABLE
+    if (VPAES_CAPABLE)
+        vpaes_cbc_encrypt(in, out, len, key, ivec, enc);
+    else
+# endif
+    aes_cbc_encrypt(in, out, len, key, ivec, enc);
+}
+ #endif
--- a/package/libs/openssl/patches/14578.patch
+++ b/package/libs/openssl/patches/14578.patch
--- a/package/libs/openssl/patches/16575.patch
+++ b/package/libs/openssl/patches/16575.patch
@ -0,0 +1,92 @@
+From 5e776d1ea16910373516853f4a2d586c12536aac Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Thu, 9 Sep 2021 19:34:49 +0200
+Subject: [PATCH] Make openssl speed aes use the -decrypt option
+
+with this patch, openssl speed -decrypt aes / aes-128-cbc / aes-128-ige
+uses AES_DECRYPT mode instead of AES_ENCRYPT mode.
+Previously this flag was only usable for the -evp cipher command.
+---
+ apps/speed.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index d4ae7ab7bfd..723d99f591a 100644
+--- a/apps/speed.c
+++ b/apps/speed.c
+@@ -821,6 +821,7 @@ static int DES_ede3_cbc_encrypt_loop(void *args)
+ 
+ #define MAX_BLOCK_SIZE 128
+ 
+static int decrypt = 0;
+ static unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
+ static AES_KEY aes_ks1, aes_ks2, aes_ks3;
+ static int AES_cbc_128_encrypt_loop(void *args)
+@@ -830,7 +831,8 @@ static int AES_cbc_128_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_CBC_128_AES][testnum]); count++)
+         AES_cbc_encrypt(buf, buf,
+-                        (size_t)lengths[testnum], &aes_ks1, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks1, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -841,7 +843,8 @@ static int AES_cbc_192_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_CBC_192_AES][testnum]); count++)
+         AES_cbc_encrypt(buf, buf,
+-                        (size_t)lengths[testnum], &aes_ks2, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks2, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -852,7 +855,8 @@ static int AES_cbc_256_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_CBC_256_AES][testnum]); count++)
+         AES_cbc_encrypt(buf, buf,
+-                        (size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks3, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -864,7 +868,8 @@ static int AES_ige_128_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_IGE_128_AES][testnum]); count++)
+         AES_ige_encrypt(buf, buf2,
+-                        (size_t)lengths[testnum], &aes_ks1, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks1, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -876,7 +881,8 @@ static int AES_ige_192_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_IGE_192_AES][testnum]); count++)
+         AES_ige_encrypt(buf, buf2,
+-                        (size_t)lengths[testnum], &aes_ks2, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks2, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -888,7 +894,8 @@ static int AES_ige_256_encrypt_loop(void *args)
+     int count;
+     for (count = 0; COND(c[D_IGE_256_AES][testnum]); count++)
+         AES_ige_encrypt(buf, buf2,
+-                        (size_t)lengths[testnum], &aes_ks3, iv, AES_ENCRYPT);
+                        (size_t)lengths[testnum], &aes_ks3, iv,
+                        decrypt ? AES_DECRYPT : AES_ENCRYPT);
+     return count;
+ }
+ 
+@@ -915,7 +922,6 @@ static int RAND_bytes_loop(void *args)
+ }
+ 
+ static long save_count = 0;
+-static int decrypt = 0;
+ static int EVP_Update_loop(void *args)
+ {
+     loopargs_t *tempargs = *(loopargs_t **) args;
--- a/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
+++ b/package/libs/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch
@ -21,7 +21,7 @@ diff --git a/crypto/engine/build.info b/crypto/engine/build.info
 diff --git a/crypto/init.c b/crypto/init.c
 --- a/crypto/init.c
 +++ b/crypto/init.c
-@@ -329,18 +329,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
+@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_openssl)
     engine_load_openssl_int();
     return 1;
 }
@ -40,7 +40,7 @@ diff --git a/crypto/init.c b/crypto/init.c
 
 # ifndef OPENSSL_NO_RDRAND
 static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT;
-@@ -365,6 +353,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
+@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_dynamic)
     return 1;
 }
 # ifndef OPENSSL_NO_STATIC_ENGINE
@ -59,7 +59,7 @@ diff --git a/crypto/init.c b/crypto/init.c
 #  if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK)
 static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT;
 DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock)
-@@ -713,11 +713,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
     if ((opts & OPENSSL_INIT_ENGINE_OPENSSL)
             && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl))
         return 0;
@ -71,7 +71,7 @@ diff --git a/crypto/init.c b/crypto/init.c
 # ifndef OPENSSL_NO_RDRAND
     if ((opts & OPENSSL_INIT_ENGINE_RDRAND)
             && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand))
-@@ -727,6 +722,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
+@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
             && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic))
         return 0;
 # ifndef OPENSSL_NO_STATIC_ENGINE
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@ -1,4 +1,4 @@
-if PACKAGE_libwolfssl
+menu "wolfSSL Library Configuration"

 config WOLFSSL_HAS_AES_CCM
 	bool "Include AES-CCM support"
@ -52,6 +52,9 @@ config WOLFSSL_HAS_ECC25519
 	bool "Include ECC Curve 25519 support"
 	default y

+config WOLFSSL_HAS_ECC448
+	bool "Include ECC Curve 448 support"
+
 config WOLFSSL_HAS_OPENVPN
 	bool "Include OpenVPN support"
 	default y
@ -63,39 +66,31 @@ config WOLFSSL_ALT_NAMES
 config WOLFSSL_HAS_DEVCRYPTO
 	bool

-config WOLFSSL_ASM_CAPABLE
-	bool
-	default x86_64 || (aarch64 && !TARGET_bcm27xx)
+if PACKAGE_libwolfssl
+	if PACKAGE_libwolfsslcpu-crypto
+		comment "Hardware Acceleration does not apply to libwolfsslcpu-crypto"
+	endif
+	choice
+		prompt "Hardware Acceleration"
+		default WOLFSSL_HAS_NO_HW

-choice
-	prompt "Hardware Acceleration"
-	default WOLFSSL_HAS_CPU_CRYPTO if WOLFSSL_ASM_CAPABLE
-	default WOLFSSL_HAS_NO_HW
+		config WOLFSSL_HAS_NO_HW
+			bool "None"

-	config WOLFSSL_HAS_NO_HW
-		bool "None"
+		config WOLFSSL_HAS_AFALG
+			bool "AF_ALG"

-	config WOLFSSL_HAS_CPU_CRYPTO
-		bool "Use CPU crypto instructions"
-		depends on WOLFSSL_ASM_CAPABLE
-		help
-		This will use Intel AESNI insturctions or armv8 Crypto Extensions.
-		Either of them should easily outperform hardware crypto in WolfSSL.
+		config WOLFSSL_HAS_DEVCRYPTO_CBC
+			bool "/dev/crytpo - AES-CBC-only"
+			select WOLFSSL_HAS_DEVCRYPTO

-	config WOLFSSL_HAS_AFALG
-		bool "AF_ALG"
-
-	config WOLFSSL_HAS_DEVCRYPTO_CBC
-		bool "/dev/crytpo - AES-CBC-only"
-		select WOLFSSL_HAS_DEVCRYPTO
-
-	config WOLFSSL_HAS_DEVCRYPTO_AES
-		bool "/dev/crypto - AES-only (all supported modes)"
-		select WOLFSSL_HAS_DEVCRYPTO
-
-	config WOLFSSL_HAS_DEVCRYPTO_FULL
-		bool "/dev/crypto - full"
-		select WOLFSSL_HAS_DEVCRYPTO
-endchoice
+		config WOLFSSL_HAS_DEVCRYPTO_AES
+			bool "/dev/crypto - AES-only (all supported modes)"
+			select WOLFSSL_HAS_DEVCRYPTO

+		config WOLFSSL_HAS_DEVCRYPTO_FULL
+			bool "/dev/crypto - full"
+			select WOLFSSL_HAS_DEVCRYPTO
+	endchoice
 endif
+endmenu
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@ -8,14 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=wolfssl
-PKG_VERSION:=5.3.0-stable
+PKG_VERSION:=5.5.1-stable
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=1a3bb310dc01d3e73d9ad91b6ea8249d081016f8eef4ae8f21d3421f91ef1de9
+PKG_HASH:=97339e6956c90e7c881ba5c748dd04f7c30e5dbe0c06da765418c51375a6dee3

-PKG_FLAGS:=nonshared
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
 PKG_USE_MIPS16:=0
@ -33,6 +32,7 @@ PKG_CONFIG_DEPENDS:=\
 	CONFIG_WOLFSSL_HAS_DH \
 	CONFIG_WOLFSSL_HAS_DTLS \
 	CONFIG_WOLFSSL_HAS_ECC25519 \
+	CONFIG_WOLFSSL_HAS_ECC448 \
 	CONFIG_WOLFSSL_HAS_OCSP \
 	CONFIG_WOLFSSL_HAS_OPENVPN CONFIG_WOLFSSL_ALT_NAMES \
 	CONFIG_WOLFSSL_HAS_SESSION_TICKET \
@ -43,8 +43,8 @@ PKG_CONFIG_DEPENDS:=\
 PKG_ABI_VERSION:=$(patsubst %-stable,%,$(PKG_VERSION)).$(call version_abbrev,$(call confvar,$(PKG_CONFIG_DEPENDS)))

 PKG_CONFIG_DEPENDS+=\
+	CONFIG_PACKAGE_libwolfssl-benchmark \
 	CONFIG_WOLFSSL_HAS_AFALG \
-	CONFIG_WOLFSSL_HAS_CPU_CRYPTO \
 	CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
 	CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC \
 	CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL
@ -61,11 +61,13 @@ endef
 define Package/libwolfssl
 $(call Package/libwolfssl/Default)
  TITLE:=wolfSSL library
-  PKGFLAGS:=nonshared
  MENU:=1
  PROVIDES:=libcyassl
  DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
  ABI_VERSION:=$(PKG_ABI_VERSION)
+  VARIANT:=regular
+  DEFAULT_VARIANT:=1
+  CONFLICTS:=libwolfsslcpu-crypto
 endef

 define Package/libwolfssl/description
@ -77,12 +79,38 @@ define Package/libwolfssl/config
 	source "$(SOURCE)/Config.in"
 endef

+define Package/libwolfsslcpu-crypto
+$(call Package/libwolfssl/Default)
+  TITLE:=wolfSSL library with AES CPU instructions
+  PROVIDES:=libwolfssl libcyassl
+  DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx))
+  ABI_VERSION:=$(PKG_ABI_VERSION)
+  VARIANT:=cpu-crypto
+endef
+
 define Package/libwolfssl-benchmark
 $(call Package/libwolfssl/Default)
  TITLE:=wolfSSL Benchmark Utility
  DEPENDS:=libwolfssl
 endef

+define Package/libwolfsslcpu-crypto/description
+$(call Package/libwolfssl/description)
+This variant uses AES CPU instructions (Intel AESNI or ARMv8 Crypto Extension)
+endef
+
+define Package/libwolfsslcpu-crypto/config
+    if TARGET_armvirt && PACKAGE_libwolfsslcpu-crypto = y
+	comment "You are about to build libwolfsslcpu-crypto into an armvirt_64 image."
+	comment "Ensure all of your installation targets support the Crypto Extension. "
+	comment "Look for the 'aes' feature in /proc/cpuinfo. This library does not do "
+	comment "run-time detection and will crash if the CPU does not support it.     "
+    endif
+    if TARGET_bcm27xx && PACKAGE_libwolfsslcpu-crypto
+	comment "Beware that libwolfsslcpu-crypto will not run in a bcm27xx target.   "
+    endif
+endef
+
 define Package/libwolfssl-benchmark/description
 This is the wolfssl benchmark utility.
 endef
@ -120,11 +148,24 @@ CONFIGURE_ARGS += \
 	--$(if $(CONFIG_WOLFSSL_HAS_SESSION_TICKET),enable,disable)-session-ticket \
 	--$(if $(CONFIG_WOLFSSL_HAS_DTLS),enable,disable)-dtls \
 	--$(if $(CONFIG_WOLFSSL_HAS_ECC25519),enable,disable)-curve25519 \
+	--$(if $(CONFIG_WOLFSSL_HAS_ECC448),enable,disable)-curve448 \
+	--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn
+
+ifeq ($(BUILD_VARIANT),regular)
+CONFIGURE_ARGS += \
 	--$(if $(CONFIG_WOLFSSL_HAS_AFALG),enable,disable)-afalg \
-	--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn \
 	--enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC),cbc\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no)))
+else ifdef CONFIG_aarch64
+    CONFIGURE_ARGS += --enable-armasm
+    TARGET_CFLAGS:=$(TARGET_CFLAGS:-mcpu%=-mcpu%+crypto)
+    WOLFSSL_NOASM_REGEX:=^bcm27xx/.*
+    Package/libwolfsslcpu-crypto/preinst=\
+	$(subst @@WOLFSSL_NOASM_REGEX@@,$(WOLFSSL_NOASM_REGEX),$(file <preinst.arm-ce))
+else ifdef CONFIG_TARGET_x86_64
+	CONFIGURE_ARGS += --enable-intelasm
+endif

 ifeq ($(CONFIG_WOLFSSL_HAS_OCSP),y)
 CONFIGURE_ARGS += \
@ -136,15 +177,6 @@ CONFIGURE_ARGS += \
 	--enable-wpas --enable-fortress --enable-fastmath
 endif

-ifdef CONFIG_WOLFSSL_HAS_CPU_CRYPTO
-    ifdef CONFIG_aarch64
-	CONFIGURE_ARGS += --enable-armasm
-	TARGET_CFLAGS:=$(TARGET_CFLAGS:-mcpu%=-mcpu%+crypto)
-    else ifdef CONFIG_TARGET_x86_64
-	CONFIGURE_ARGS += --enable-intelasm
-    endif
-endif
-
 define Build/InstallDev
 	$(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
@ -162,10 +194,13 @@ define Package/libwolfssl/install
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so.* $(1)/usr/lib/
 endef

+Package/libwolfsslcpu-crypto/install=$(Package/libwolfssl/install)
+
 define Package/libwolfssl-benchmark/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(CP) $(PKG_BUILD_DIR)/wolfcrypt/benchmark/.libs/benchmark $(1)/usr/bin/wolfssl-benchmark
 endef

 $(eval $(call BuildPackage,libwolfssl))
+$(eval $(call BuildPackage,libwolfsslcpu-crypto))
 $(eval $(call BuildPackage,libwolfssl-benchmark))
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2359,7 +2359,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2454,7 +2454,7 @@ extern void uITRON4_free(void *p) ;
 #endif
 
 /* warning for not using harden build options (default with ./configure) */
--- a/package/libs/wolfssl/patches/200-ecc-rng.patch
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl.

 --- a/wolfcrypt/src/ecc.c
 +++ b/wolfcrypt/src/ecc.c
-@@ -12132,21 +12132,21 @@ void wc_ecc_fp_free(void)
+@@ -12505,21 +12505,21 @@ void wc_ecc_fp_free(void)
 
 #endif /* FP_ECC */
 
@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl.
 
 --- a/wolfssl/wolfcrypt/ecc.h
 +++ b/wolfssl/wolfcrypt/ecc.h
-@@ -650,10 +650,8 @@ WOLFSSL_API
+@@ -656,10 +656,8 @@ WOLFSSL_ABI WOLFSSL_API
 void wc_ecc_fp_free(void);
 WOLFSSL_LOCAL
 void wc_ecc_fp_init(void);
--- a/package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch
+++ b/package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch
@ -1,44 +0,0 @@
-From 9ba77300f9f5dea9f53aed00bf6c33d10b7b2fce Mon Sep 17 00:00:00 2001
-From: Sean Parkinson <sean@wolfssl.com>
-Date: Thu, 7 Jul 2022 09:30:48 +1000
-Subject: [PATCH] AESNI: fix configure to use minimal compiler flags
-
-
-diff --git a/configure.ac b/configure.ac
-index df97ac75c..6abb0c744 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -2142,21 +2142,19 @@ then
-     if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes"
-     then
-         AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI"
-        if test "$GCC" = "yes"
-+        if test "$CC" != "icc"
-         then
-            # clang needs these flags
-            if test "$CC" = "clang"
-            then
-                AM_CFLAGS="$AM_CFLAGS -maes -mpclmul"
-            else
-                # GCC needs these flags, icc doesn't
-                # opt levels greater than 2 may cause problems on systems w/o
-                # aesni
-                if test "$CC" != "icc"
-                then
-                    AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul"
-                fi
-            fi
-+            case $host_os in
-+            mingw*)
-+                # Windows uses intrinsics for GCM which uses SSE4 instructions.
-+                # MSVC has own build files.
-+                AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul"
-+                ;;
-+            *)
-+                # Intrinsics used in AES_set_decrypt_key (TODO: rework)
-+                AM_CFLAGS="$AM_CFLAGS -maes"
-+                ;;
-+            esac
-         fi
-         AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
-     fi
--- a/package/libs/wolfssl/preinst.arm-ce
+++ b/package/libs/wolfssl/preinst.arm-ce
@ -0,0 +1,25 @@
+#!/bin/sh
+exec >&2
+printf "[libwolfsslcpu-crypto] Checking for Arm v8-A Cryptographic Extension support: "
+if [ -n "${IPKG_INSTROOT}" ]; then
+    printf "...[offline]... "
+    eval "$(grep '^DISTRIB_TARGET=' "${IPKG_INSTROOT}/etc/openwrt_release")"
+    ### @@WOLFSSL_NOASM_REGEX@@ is expanded from WOLFSSL_NOASM_REGEX in the Makefile
+    echo "${DISTRIB_TARGET}" | grep '@@WOLFSSL_NOASM_REGEX@@' > /dev/null && {
+	echo "not supported"
+	echo "Error: Target ${DISTRIB_TARGET} does not support Arm Cryptographic Extension."
+	echo "Install the regular libwolfssl package instead of libwolfsslcpu-crypto."
+	exit 1
+    }
+else
+    grep -q '^Features.*\baes\b' /proc/cpuinfo || {
+	echo "not supported"
+	echo "Error: Arm v8-A Cryptographic Extension not supported."
+	echo "Install the regular libwolfssl package instead of libwolfsslcpu-crypto."
+	echo "Contents of /proc/cpuinfo:"
+	cat /proc/cpuinfo
+	exit 1
+    }
+fi
+echo OK
+exit 0
--- a/package/network/services/ipset-dns/Makefile
+++ b/package/network/services/ipset-dns/Makefile
@ -11,7 +11,7 @@ PKG_NAME:=ipset-dns
 PKG_RELEASE:=1

 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=http://git.zx2c4.com/ipset-dns
+PKG_SOURCE_URL:=https://git.zx2c4.com/ipset-dns
 PKG_SOURCE_DATE:=2017-10-08
 PKG_SOURCE_VERSION:=ade2cf88e933f4f90451e0a6171f0aa4a523f989
 PKG_MIRROR_HASH:=34ad1f5c7d2eab90b795f2a512102891428216e3d439d918a8992846550e9697
--- a/package/network/utils/ipset/Makefile
+++ b/package/network/utils/ipset/Makefile
@ -13,7 +13,7 @@ PKG_VERSION:=7.15
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://ipset.netfilter.org
+PKG_SOURCE_URL:=https://ipset.netfilter.org
 PKG_HASH:=0a5545aaadb640142c1f888d366a78ddf8724799967fa20686a70053bd621751

 PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
--- a/package/network/utils/tcpdump/Makefile
+++ b/package/network/utils/tcpdump/Makefile
@ -12,7 +12,7 @@ PKG_VERSION:=4.9.3
 PKG_RELEASE:=4

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.tcpdump.org/release/
+PKG_SOURCE_URL:=https://www.tcpdump.org/release/
 PKG_HASH:=2cd47cb3d460b6ff75f4a9940f594317ad456cfbf2bd2c8e5151e16559db6410

 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
--- a/package/utils/bsdiff/Makefile
+++ b/package/utils/bsdiff/Makefile
@ -12,7 +12,7 @@ PKG_VERSION:=4.3
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.daemonology.net/bsdiff/
+PKG_SOURCE_URL:=https://www.daemonology.net/bsdiff/
 PKG_HASH:=18821588b2dc5bf159aa37d3bcb7b885d85ffd1e19f23a0c57a58723fea85f48
 PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de>
 HOST_BUILD_DEPENDS:=bzip2/host
@ -27,7 +27,7 @@ define Package/bsdiff
  CATEGORY:=Utilities
  DEPENDS:=+libbz2
  TITLE:=Binary diff tool
-  URL:=http://www.daemonology.net/bsdiff/
+  URL:=https://www.daemonology.net/bsdiff/
 endef

 define Package/bspatch
@ -35,7 +35,7 @@ define Package/bspatch
  CATEGORY:=Utilities
  DEPENDS:=+libbz2
  TITLE:=Binary patch tool
-  URL:=http://www.daemonology.net/bsdiff/
+  URL:=https://www.daemonology.net/bsdiff/
 endef


--- a/package/utils/lua/Makefile
+++ b/package/utils/lua/Makefile
@ -12,8 +12,8 @@ PKG_VERSION:=5.1.5
 PKG_RELEASE:=9

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.lua.org/ftp/ \
-	http://www.tecgraf.puc-rio.br/lua/ftp/
+PKG_SOURCE_URL:=https://www.lua.org/ftp/ \
+	https://www.tecgraf.puc-rio.br/lua/ftp/
 PKG_HASH:=2640fc56a795f29d28ef15e13c34a47e223960b0240e8cb0a82d9b0738695333
 PKG_BUILD_PARALLEL:=1
 PKG_FLAGS := nonshared
@ -31,7 +31,7 @@ define Package/lua/Default
  SECTION:=lang
  CATEGORY:=Languages
  TITLE:=Lua programming language
-  URL:=http://www.lua.org/
+  URL:=https://www.lua.org/
  MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 endef

--- a/package/utils/lua5.3/Makefile
+++ b/package/utils/lua5.3/Makefile
@ -12,8 +12,8 @@ PKG_VERSION:=5.3.5
 PKG_RELEASE:=4

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.lua.org/ftp/ \
-	http://www.tecgraf.puc-rio.br/lua/ftp/
+PKG_SOURCE_URL:=https://www.lua.org/ftp/ \
+	https://www.tecgraf.puc-rio.br/lua/ftp/
 PKG_HASH:=0c2eed3f960446e1a3e4b9a1ca2f3ff893b6ce41942cf54d5dd59ab4b3b058ac
 PKG_BUILD_PARALLEL:=1

@ -30,7 +30,7 @@ define Package/lua5.3/Default
  SECTION:=lang
  CATEGORY:=Languages
  TITLE:=Lua programming language
-  URL:=http://www.lua.org/
+  URL:=https://www.lua.org/
  MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
 endef

--- a/toolchain/fortify-headers/Makefile
+++ b/toolchain/fortify-headers/Makefile
@ -11,7 +11,7 @@ PKG_NAME:=fortify-headers
 PKG_VERSION:=1.1
 PKG_RELEASE=1

-PKG_SOURCE_URL:=http://dl.2f30.org/releases
+PKG_SOURCE_URL:=https://dl.2f30.org/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_HASH:=6ba5d860a2d2ba4c3346924b93930c34856eafe148bdbdf271ecab8065201fb6

--- a/tools/libressl/Makefile
+++ b/tools/libressl/Makefile
@ -15,7 +15,7 @@ PKG_RELEASE:=1
 PKG_CPE_ID:=cpe:/a:openbsd:libressl

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://mirror.ox.ac.uk/pub/OpenBSD/LibreSSL \
+PKG_SOURCE_URL:=https://mirror.ox.ac.uk/pub/OpenBSD/LibreSSL \
 	http://ftp.jaist.ac.jp/pub/OpenBSD/LibreSSL \
 	https://ftp.openbsd.org/pub/OpenBSD/LibreSSL