4 files changed, 170 insertions, 100 deletions

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 81496c15d69..7c154ccb315 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -1,4 +1,4 @@
-if PACKAGE_libwolfssl
+menu "wolfSSL Library Configuration"
 
 config WOLFSSL_HAS_AES_CCM
 	bool "Include AES-CCM support"
@@ -43,42 +43,54 @@ config WOLFSSL_HAS_OCSP
 config WOLFSSL_HAS_WPAS
 	bool "Include wpa_supplicant support"
 	select WOLFSSL_HAS_ARC4
+	select WOLFSSL_HAS_DH
 	select WOLFSSL_HAS_OCSP
 	select WOLFSSL_HAS_SESSION_TICKET
 	default y
 
 config WOLFSSL_HAS_ECC25519
 	bool "Include ECC Curve 25519 support"
-	default n
+	default y
+
+config WOLFSSL_HAS_ECC448
+	bool "Include ECC Curve 448 support"
 
 config WOLFSSL_HAS_OPENVPN
 	bool "Include OpenVPN support"
-	default n
+	default y
+
+config WOLFSSL_ALT_NAMES
+	bool "Include SAN (Subject Alternative Name) support"
+	default y
 
 config WOLFSSL_HAS_DEVCRYPTO
 	bool
 
-choice
-	prompt "Hardware Acceleration"
-	default WOLFSSL_HAS_NO_HW
-
-	config WOLFSSL_HAS_NO_HW
-		bool "None"
-
-	config WOLFSSL_HAS_AFALG
-		bool "AF_ALG"
-
-	config WOLFSSL_HAS_DEVCRYPTO_CBC
-		bool "/dev/crytpo - AES-CBC-only"
-		select WOLFSSL_HAS_DEVCRYPTO
-
-	config WOLFSSL_HAS_DEVCRYPTO_AES
-		bool "/dev/crypto - AES-only (all supported modes)"
-		select WOLFSSL_HAS_DEVCRYPTO
-
-	config WOLFSSL_HAS_DEVCRYPTO_FULL
-		bool "/dev/crypto - full"
-		select WOLFSSL_HAS_DEVCRYPTO
-endchoice
-
+if PACKAGE_libwolfssl
+	if PACKAGE_libwolfsslcpu-crypto
+		comment "Hardware Acceleration does not apply to libwolfsslcpu-crypto"
+	endif
+	choice
+		prompt "Hardware Acceleration"
+		default WOLFSSL_HAS_NO_HW
+
+		config WOLFSSL_HAS_NO_HW
+			bool "None"
+
+		config WOLFSSL_HAS_AFALG
+			bool "AF_ALG"
+
+		config WOLFSSL_HAS_DEVCRYPTO_CBC
+			bool "/dev/crypto - AES-CBC-only"
+			select WOLFSSL_HAS_DEVCRYPTO
+
+		config WOLFSSL_HAS_DEVCRYPTO_AES
+			bool "/dev/crypto - AES-only (all supported modes)"
+			select WOLFSSL_HAS_DEVCRYPTO
+
+		config WOLFSSL_HAS_DEVCRYPTO_FULL
+			bool "/dev/crypto - full"
+			select WOLFSSL_HAS_DEVCRYPTO
+	endchoice
 endif
+endmenu
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2ac..8477fb85c51 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,16 +8,16 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=5.6.6-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=3d2ca672d41c2c2fa667885a80d6fa03c3e91f0f4f72f87aef2bc947e8c87237
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
-PKG_USE_MIPS16:=0
+PKG_BUILD_FLAGS:=no-mips16 lto
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=LICENSING COPYING
@@ -25,29 +25,49 @@ PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 
 PKG_CONFIG_DEPENDS:=\
-	CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \
-	CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA_POLY \
-	CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL \
-	CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
-	CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
-	CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
-	CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_HAS_CERTGEN \
-	CONFIG_WOLFSSL_HAS_OPENVPN
-
-PKG_ABI_VERSION=$(patsubst %-stable,%,$(PKG_VERSION)).$(call version_abbrev,$(call confvar,$(PKG_CONFIG_DEPENDS)))
+	CONFIG_WOLFSSL_HAS_AES_CCM \
+	CONFIG_WOLFSSL_HAS_ARC4 \
+	CONFIG_WOLFSSL_HAS_CERTGEN \
+	CONFIG_WOLFSSL_HAS_CHACHA_POLY \
+	CONFIG_WOLFSSL_HAS_DH \
+	CONFIG_WOLFSSL_HAS_DTLS \
+	CONFIG_WOLFSSL_HAS_ECC25519 \
+	CONFIG_WOLFSSL_HAS_ECC448 \
+	CONFIG_WOLFSSL_HAS_OCSP \
+	CONFIG_WOLFSSL_HAS_OPENVPN CONFIG_WOLFSSL_ALT_NAMES \
+	CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+	CONFIG_WOLFSSL_HAS_TLSV10 \
+	CONFIG_WOLFSSL_HAS_TLSV13 \
+	CONFIG_WOLFSSL_HAS_WPAS
+
+PKG_ABI_VERSION:=$(patsubst %-stable,%,$(PKG_VERSION)).$(call version_abbrev,$(call confvar,$(PKG_CONFIG_DEPENDS)))
+
+PKG_CONFIG_DEPENDS+=\
+	CONFIG_PACKAGE_libwolfssl-benchmark \
+	CONFIG_WOLFSSL_HAS_AFALG \
+	CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
+	CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC \
+	CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/libwolfssl
+define Package/libwolfssl/Default
   SECTION:=libs
   SUBMENU:=SSL
   CATEGORY:=Libraries
-  TITLE:=wolfSSL library
   URL:=http://www.wolfssl.com/
+endef
+
+define Package/libwolfssl
+$(call Package/libwolfssl/Default)
+  TITLE:=wolfSSL library
   MENU:=1
   PROVIDES:=libcyassl
   DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
   ABI_VERSION:=$(PKG_ABI_VERSION)
+  VARIANT:=regular
+  DEFAULT_VARIANT:=1
+  CONFLICTS:=libwolfsslcpu-crypto
 endef
 
 define Package/libwolfssl/description
@@ -59,17 +79,58 @@ define Package/libwolfssl/config
 	source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto
-TARGET_LDFLAGS += -flto
+define Package/libwolfsslcpu-crypto
+$(call Package/libwolfssl/Default)
+  TITLE:=wolfSSL library with AES CPU instructions
+  PROVIDES:=libwolfssl libcyassl
+  DEPENDS:=@((aarch64||x86_64)&&(m||!TARGET_bcm27xx))
+  ABI_VERSION:=$(PKG_ABI_VERSION)
+  VARIANT:=cpu-crypto
+endef
+
+define Package/libwolfssl-benchmark
+$(call Package/libwolfssl/Default)
+  TITLE:=wolfSSL Benchmark Utility
+  DEPENDS:=libwolfssl
+endef
+
+define Package/libwolfsslcpu-crypto/description
+$(call Package/libwolfssl/description)
+This variant uses AES CPU instructions (Intel AESNI or ARMv8 Crypto Extension)
+endef
+
+define Package/libwolfsslcpu-crypto/config
+    if TARGET_armsr && PACKAGE_libwolfsslcpu-crypto = y
+	comment "You are about to build libwolfsslcpu-crypto into an armsr_64 image."
+	comment "Ensure all of your installation targets support the Crypto Extension. "
+	comment "Look for the 'aes' feature in /proc/cpuinfo. This library does not do "
+	comment "run-time detection and will crash if the CPU does not support it.     "
+    endif
+    if TARGET_bcm27xx && PACKAGE_libwolfsslcpu-crypto
+	comment "Beware that libwolfsslcpu-crypto will not run in a bcm27xx target.   "
+    endif
+endef
+
+define Package/libwolfssl-benchmark/description
+This is the wolfssl benchmark utility.
+endef
+
+TARGET_CFLAGS += \
+	$(FPIC) \
+	-fomit-frame-pointer \
+	-DFP_MAX_BITS=8192 \
+	$(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
+	--enable-reproducible-build \
 	--enable-lighty \
 	--enable-opensslall \
 	--enable-opensslextra \
 	--enable-sni \
 	--enable-stunnel \
-	--disable-crypttests \
+	--enable-altcertchains \
+	--$(if $(CONFIG_PACKAGE_libwolfssl-benchmark),enable,disable)-crypttests \
 	--disable-examples \
 	--disable-jobserver \
 	--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
@@ -84,11 +145,49 @@ CONFIGURE_ARGS += \
 	--$(if $(CONFIG_WOLFSSL_HAS_SESSION_TICKET),enable,disable)-session-ticket \
 	--$(if $(CONFIG_WOLFSSL_HAS_DTLS),enable,disable)-dtls \
 	--$(if $(CONFIG_WOLFSSL_HAS_ECC25519),enable,disable)-curve25519 \
+	--$(if $(CONFIG_WOLFSSL_HAS_ECC448),enable,disable)-curve448 \
+	--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn
+
+define Package/libwolfsslcpu-crypto/preinst-aarch64
+#!/bin/sh
+exec >&2
+printf "[libwolfsslcpu-crypto] Checking for Arm v8-A Cryptographic Extension support: "
+if [ -n "$${IPKG_INSTROOT}" ]; then
+    printf "...[offline]... "
+    eval "$$(grep '^DISTRIB_TARGET=' "$${IPKG_INSTROOT}/etc/openwrt_release")"
+    echo "$${DISTRIB_TARGET}" | grep '^bcm27xx/.*' > /dev/null && {
+	echo "not supported"
+	echo "Error: Target $${DISTRIB_TARGET} does not support Arm Cryptographic Extension."
+	echo "Install the regular libwolfssl package instead of libwolfsslcpu-crypto."
+	exit 1
+    }
+else
+    grep -q '^Features.*\baes\b' /proc/cpuinfo || {
+	echo "not supported"
+	echo "Error: Arm v8-A Cryptographic Extension not supported."
+	echo "Install the regular libwolfssl package instead of libwolfsslcpu-crypto."
+	echo "Contents of /proc/cpuinfo:"
+	cat /proc/cpuinfo
+	exit 1
+    }
+fi
+echo OK
+exit 0
+endef
+
+ifeq ($(BUILD_VARIANT),regular)
+CONFIGURE_ARGS += \
 	--$(if $(CONFIG_WOLFSSL_HAS_AFALG),enable,disable)-afalg \
-	--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn \
 	--enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC),cbc\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no)))
+else ifdef CONFIG_aarch64
+    CONFIGURE_ARGS += --enable-armasm
+    TARGET_CFLAGS:=$(TARGET_CFLAGS:-mcpu%=-mcpu%+crypto)
+    Package/libwolfsslcpu-crypto/preinst=$(Package/libwolfsslcpu-crypto/preinst-aarch64)
+else ifdef CONFIG_TARGET_x86_64
+	CONFIGURE_ARGS += --enable-intelasm
+endif
 
 ifeq ($(CONFIG_WOLFSSL_HAS_OCSP),y)
 CONFIGURE_ARGS += \
@@ -97,7 +196,7 @@ endif
 
 ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
 CONFIGURE_ARGS += \
-	--enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+	--enable-wpas --enable-fortress --enable-fastmath
 endif
 
 define Build/InstallDev
@@ -117,4 +216,13 @@ define Package/libwolfssl/install
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so.* $(1)/usr/lib/
 endef
 
+Package/libwolfsslcpu-crypto/install=$(Package/libwolfssl/install)
+
+define Package/libwolfssl-benchmark/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(CP) $(PKG_BUILD_DIR)/wolfcrypt/benchmark/.libs/benchmark $(1)/usr/bin/wolfssl-benchmark
+endef
+
 $(eval $(call BuildPackage,libwolfssl))
+$(eval $(call BuildPackage,libwolfsslcpu-crypto))
+$(eval $(call BuildPackage,libwolfssl-benchmark))
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9df..019645d7967 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,10 +1,10 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
- #endif
+@@ -2774,7 +2774,7 @@ extern void uITRON4_free(void *p) ;
  
  /* warning for not using harden build options (default with ./configure) */
--#ifndef WC_NO_HARDEN
+ /* do not warn if big integer support is disabled */
+-#if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
 +#if 0
      #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
          (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
deleted file mode 100644
index 2d33c062092..00000000000
--- a/package/libs/wolfssl/patches/200-ecc-rng.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Since commit 6467de5a8840 ("Randomize z ordinates in scalar
-mult when timing resistant") wolfssl requires a RNG for an EC
-key when the hardened built option is selected.
-
-wc_ecc_set_rng is only available when built hardened, so there
-is no safe way to install the RNG to the key regardless whether
-or not wolfssl is compiled hardened.
-
-Always export wc_ecc_set_rng so tools such as hostapd can install
-RNG regardless of the built settings for wolfssl.
-
---- a/wolfcrypt/src/ecc.c
-+++ b/wolfcrypt/src/ecc.c
-@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
- 
- #endif /* FP_ECC */
- 
--#ifdef ECC_TIMING_RESISTANT
- int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
- {
-     int err = 0;
- 
-+#ifdef ECC_TIMING_RESISTANT
-     if (key == NULL) {
-         err = BAD_FUNC_ARG;
-     }
-     else {
-         key->rng = rng;
-     }
-+#endif
- 
-     return err;
- }
--#endif
- 
- #ifdef HAVE_ECC_ENCRYPT
- 
---- a/wolfssl/wolfcrypt/ecc.h
-+++ b/wolfssl/wolfcrypt/ecc.h
-@@ -584,10 +584,8 @@ WOLFSSL_API
- void wc_ecc_fp_free(void);
- WOLFSSL_LOCAL
- void wc_ecc_fp_init(void);
--#ifdef ECC_TIMING_RESISTANT
- WOLFSSL_API
- int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
--#endif
- 
- WOLFSSL_API
- int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);