diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 0b8b9b8c8..b2053c831 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -2210,6 +2210,11 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
                 XMEMCPY(aes->asyncIv, iv, AES_BLOCK_SIZE);
         }
     #endif /* WOLFSSL_ASYNC_CRYPT */
+    #ifdef WOLF_CRYPTO_DEV
+        if (aes->devId != INVALID_DEVID) {
+            XMEMCPY(aes->devKey, userKey, keylen);
+        }
+    #endif
 
     #ifdef WOLFSSL_AESNI
         if (checkAESNI == 0) {
@@ -2904,6 +2909,13 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
             return BAD_FUNC_ARG;
         }
 
+    #ifdef WOLF_CRYPTO_DEV
+        if (aes->devId != INVALID_DEVID) {
+            int ret = wc_CryptoDev_AesCbcEncrypt(aes, out, in, sz);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+        }
+    #endif
     #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
         /* if async and byte count above threshold */
         if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
@@ -2995,6 +3007,13 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
             return BAD_FUNC_ARG;
         }
 
+    #ifdef WOLF_CRYPTO_DEV
+        if (aes->devId != INVALID_DEVID) {
+            int ret = wc_CryptoDev_AesCbcDecrypt(aes, out, in, sz);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+        }
+    #endif
     #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_AES)
         /* if async and byte count above threshold */
         if (aes->asyncDev.marker == WOLFSSL_ASYNC_MARKER_AES &&
@@ -8495,7 +8514,6 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
             authTag, authTagSz, authIn, authInSz);
         if (ret != NOT_COMPILED_IN)
             return ret;
-        ret = 0; /* reset error code and try using software */
     }
 #endif
 
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index f768d81c8..06b8aaf3d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9155,7 +9155,7 @@ int wc_KeyPemToDer(const unsigned char* pem, int pemSz,
     XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO);
 #endif
 
-    if (ret < 0) {
+    if (ret < 0 || der == NULL) {
         WOLFSSL_MSG("Bad Pem To Der");
     }
     else {
@@ -9196,7 +9196,7 @@ int wc_CertPemToDer(const unsigned char* pem, int pemSz,
 
 
     ret = PemToDer(pem, pemSz, type, &der, NULL, NULL, &eccKey);
-    if (ret < 0) {
+    if (ret < 0 || der == NULL) {
         WOLFSSL_MSG("Bad Pem To Der");
     }
     else {
@@ -9235,7 +9235,7 @@ int wc_PubKeyPemToDer(const unsigned char* pem, int pemSz,
     }
 
     ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL);
-    if (ret < 0) {
+    if (ret < 0 || der == NULL) {
         WOLFSSL_MSG("Bad Pem To Der");
     }
     else {
diff --git a/wolfcrypt/src/cryptodev.c b/wolfcrypt/src/cryptodev.c
index 55b7f00fa..2edaf74da 100644
--- a/wolfcrypt/src/cryptodev.c
+++ b/wolfcrypt/src/cryptodev.c
@@ -59,8 +59,9 @@ static CryptoDev* wc_CryptoDev_FindDevice(int devId)
 void wc_CryptoDev_Init(void)
 {
     int i;
-    for (i=0; i<MAX_CRYPTO_DEVICES; i++)
+    for (i=0; i<MAX_CRYPTO_DEVICES; i++) {
         gCryptoDev[i].devId = INVALID_DEVID;
+    }
 }
 
 int wc_CryptoDev_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx)
@@ -256,7 +257,8 @@ int wc_CryptoDev_EccVerify(const byte* sig, word32 siglen,
 }
 #endif /* HAVE_ECC */
 
-#if !defined(NO_AES) && defined(HAVE_AESGCM)
+#ifndef NO_AES
+#ifdef HAVE_AESGCM
 int wc_CryptoDev_AesGcmEncrypt(Aes* aes, byte* out,
                                const byte* in, word32 sz,
                                const byte* iv, word32 ivSz,
@@ -328,15 +330,144 @@ int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out,
 
     return ret;
 }
-#endif /* !NO_AES && HAVE_AESGCM */
+#endif /* HAVE_AESGCM */
 
-/* call to support callback for entire buffer hash */
-int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash)
+#ifdef HAVE_AES_CBC
+int wc_CryptoDev_AesCbcEncrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz)
 {
-    (void)data;
-    (void)len;
-    (void)hash;
-    return NOT_COMPILED_IN;
+    int ret = NOT_COMPILED_IN;
+    CryptoDev* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoDev_FindDevice(aes->devId);
+    if (dev) {
+        if (dev->cb) {
+            wc_CryptoInfo cryptoInfo;
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+            cryptoInfo.cipher.type = WC_CIPHER_AES_CBC;
+            cryptoInfo.cipher.enc = 1;
+            cryptoInfo.cipher.aescbc.aes       = aes;
+            cryptoInfo.cipher.aescbc.out       = out;
+            cryptoInfo.cipher.aescbc.in        = in;
+            cryptoInfo.cipher.aescbc.sz        = sz;
+
+            ret = dev->cb(aes->devId, &cryptoInfo, dev->ctx);
+        }
+    }
+
+    return ret;
 }
 
+int wc_CryptoDev_AesCbcDecrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz)
+{
+    int ret = NOT_COMPILED_IN;
+    CryptoDev* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoDev_FindDevice(aes->devId);
+    if (dev) {
+        if (dev->cb) {
+            wc_CryptoInfo cryptoInfo;
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_CIPHER;
+            cryptoInfo.cipher.type = WC_CIPHER_AES_CBC;
+            cryptoInfo.cipher.enc = 0;
+            cryptoInfo.cipher.aescbc.aes       = aes;
+            cryptoInfo.cipher.aescbc.out       = out;
+            cryptoInfo.cipher.aescbc.in        = in;
+            cryptoInfo.cipher.aescbc.sz        = sz;
+
+            ret = dev->cb(aes->devId, &cryptoInfo, dev->ctx);
+        }
+    }
+
+    return ret;
+}
+#endif /* HAVE_AES_CBC */
+#endif /* !NO_AES */
+
+#ifndef NO_SHA
+int wc_CryptoDev_ShaHash(wc_Sha* sha, const byte* in,
+    word32 inSz, byte* digest)
+{
+    int ret = NOT_COMPILED_IN;
+    CryptoDev* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoDev_FindDevice(sha->devId);
+    if (dev) {
+        if (dev->cb) {
+            wc_CryptoInfo cryptoInfo;
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_HASH;
+            cryptoInfo.hash.type = WC_HASH_TYPE_SHA;
+            cryptoInfo.hash.sha1 = sha;
+            cryptoInfo.hash.in = in;
+            cryptoInfo.hash.inSz = inSz;
+            cryptoInfo.hash.digest = digest;
+
+            ret = dev->cb(sha->devId, &cryptoInfo, dev->ctx);
+        }
+    }
+
+    return ret;
+}
+#endif /* !NO_SHA */
+
+#ifndef NO_SHA256
+int wc_CryptoDev_Sha256Hash(wc_Sha256* sha256, const byte* in,
+    word32 inSz, byte* digest)
+{
+    int ret = NOT_COMPILED_IN;
+    CryptoDev* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoDev_FindDevice(sha256->devId);
+    if (dev) {
+        if (dev->cb) {
+            wc_CryptoInfo cryptoInfo;
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_HASH;
+            cryptoInfo.hash.type = WC_HASH_TYPE_SHA256;
+            cryptoInfo.hash.sha256 = sha256;
+            cryptoInfo.hash.in = in;
+            cryptoInfo.hash.inSz = inSz;
+            cryptoInfo.hash.digest = digest;
+
+            ret = dev->cb(sha256->devId, &cryptoInfo, dev->ctx);
+        }
+    }
+
+    return ret;
+}
+#endif /* !NO_SHA256 */
+
+#ifndef WC_NO_RNG
+int wc_CryptoDev_RandomBlock(WC_RNG* rng, byte* out, word32 sz)
+{
+    int ret = NOT_COMPILED_IN;
+    CryptoDev* dev;
+
+    /* locate registered callback */
+    dev = wc_CryptoDev_FindDevice(rng->devId);
+    if (dev) {
+        if (dev->cb) {
+            wc_CryptoInfo cryptoInfo;
+            XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo));
+            cryptoInfo.algo_type = WC_ALGO_TYPE_RNG;
+            cryptoInfo.rng.rng = rng;
+            cryptoInfo.rng.out = out;
+            cryptoInfo.rng.sz = sz;
+
+            ret = dev->cb(rng->devId, &cryptoInfo, dev->ctx);
+        }
+    }
+
+    return ret;
+}
+#endif /* !WC_NO_RNG */
+
 #endif /* WOLF_CRYPTO_DEV */
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 55fea97d1..a7b872a82 100755
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -104,6 +104,10 @@ int wc_RNG_GenerateByte(WC_RNG* rng, byte* b)
 
 #include <wolfssl/wolfcrypt/sha256.h>
 
+#ifdef WOLF_CRYPTO_DEV
+    #include <wolfssl/wolfcrypt/cryptodev.h>
+#endif
+
 #ifdef NO_INLINE
     #include <wolfssl/wolfcrypt/misc.h>
 #else
@@ -272,7 +276,7 @@ typedef struct DRBG {
     word32 lastBlock;
     byte V[DRBG_SEED_LEN];
     byte C[DRBG_SEED_LEN];
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
     void* heap;
     int devId;
 #endif
@@ -321,7 +325,7 @@ static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type,
 
     for (i = 0, ctr = 1; i < len; i++, ctr++) {
 #ifndef WOLFSSL_SMALL_STACK_CACHE
-    #ifdef WOLFSSL_ASYNC_CRYPT
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
         ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
     #else
         ret = wc_InitSha256(sha);
@@ -449,7 +453,7 @@ static int Hash_gen(DRBG* drbg, byte* out, word32 outSz, const byte* V)
     XMEMCPY(data, V, sizeof(data));
     for (i = 0; i < len; i++) {
 #ifndef WOLFSSL_SMALL_STACK_CACHE
-    #ifdef WOLFSSL_ASYNC_CRYPT
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
         ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
     #else
         ret = wc_InitSha256(sha);
@@ -552,7 +556,7 @@ static int Hash_DRBG_Generate(DRBG* drbg, byte* out, word32 outSz)
         ret = Hash_gen(drbg, out, outSz, drbg->V);
         if (ret == DRBG_SUCCESS) {
 #ifndef WOLFSSL_SMALL_STACK_CACHE
-        #ifdef WOLFSSL_ASYNC_CRYPT
+        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
             ret = wc_InitSha256_ex(sha, drbg->heap, drbg->devId);
         #else
             ret = wc_InitSha256(sha);
@@ -598,7 +602,7 @@ static int Hash_DRBG_Instantiate(DRBG* drbg, const byte* seed, word32 seedSz,
     int ret = DRBG_FAILURE;
 
     XMEMSET(drbg, 0, sizeof(DRBG));
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
     drbg->heap = heap;
     drbg->devId = devId;
 #else
@@ -607,7 +611,7 @@ static int Hash_DRBG_Instantiate(DRBG* drbg, const byte* seed, word32 seedSz,
 #endif
 
 #ifdef WOLFSSL_SMALL_STACK_CACHE
-    #ifdef WOLFSSL_ASYNC_CRYPT
+    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
         ret = wc_InitSha256_ex(&drbg->sha256, drbg->heap, drbg->devId);
     #else
         ret = wc_InitSha256(&drbg->sha256);
@@ -697,7 +701,7 @@ static int _InitRng(WC_RNG* rng, byte* nonce, word32 nonceSz,
 #else
     rng->heap = heap;
 #endif
-#ifdef WOLFSSL_ASYNC_CRYPT
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
     rng->devId = devId;
 #else
     (void)devId;
@@ -827,6 +831,14 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
     if (rng == NULL || output == NULL)
         return BAD_FUNC_ARG;
 
+#ifdef WOLF_CRYPTO_DEV
+    if (rng->devId != INVALID_DEVID) {
+        ret = wc_CryptoDev_RandomBlock(rng, output, sz);
+        if (ret != NOT_COMPILED_IN)
+            return ret;
+    }
+#endif
+
 #ifdef HAVE_INTEL_RDRAND
     if (IS_INTEL_RDRAND(intel_flags))
         return wc_GenerateRand_IntelRD(NULL, output, sz);
@@ -2063,19 +2075,19 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
 #elif defined(WOLFSSL_ESPIDF)
     #if defined(WOLFSSL_ESPWROOM32)
         #include <esp_system.h>
-        
+
         int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
         {
             int i;
-            
+
             for (i = 0; i< sz; i++) {
                output[i] =  esp_random( );
             }
-        
+
             return 0;
         }
     #endif /* end WOLFSSL_ESPWROOM32 */
- 
+
 #elif defined(CUSTOM_RAND_GENERATE_BLOCK)
     /* #define CUSTOM_RAND_GENERATE_BLOCK myRngFunc
      * extern int myRngFunc(byte* output, word32 sz);
diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c
index 49a3737f1..e84435371 100644
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@@ -43,6 +43,10 @@
 #include <wolfssl/wolfcrypt/sha.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 
+#ifdef WOLF_CRYPTO_DEV
+    #include <wolfssl/wolfcrypt/cryptodev.h>
+#endif
+
 /* fips wrapper calls, user can call direct */
 #if defined(HAVE_FIPS) && \
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
@@ -430,6 +434,10 @@ int wc_InitSha_ex(wc_Sha* sha, void* heap, int devId)
         return BAD_FUNC_ARG;
 
     sha->heap = heap;
+#ifdef WOLF_CRYPTO_DEV
+    sha->devId = devId;
+#endif
+
 #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
     !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
     sha->ctx.mode = ESP32_SHA_INIT;
@@ -460,6 +468,13 @@ int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)
     /* do block size increments */
     local = (byte*)sha->buffer;
 
+#ifdef WOLF_CRYPTO_DEV
+    if (sha->devId != INVALID_DEVID) {
+        int ret = wc_CryptoDev_ShaHash(sha, data, len, NULL);
+        if (ret != NOT_COMPILED_IN)
+            return ret;
+    }
+#endif
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
     if (sha->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA) {
     #if defined(HAVE_INTEL_QA)
@@ -535,6 +550,13 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash)
 
     local = (byte*)sha->buffer;
 
+#ifdef WOLF_CRYPTO_DEV
+    if (sha->devId != INVALID_DEVID) {
+        int ret = wc_CryptoDev_ShaHash(sha, NULL, 0, hash);
+        if (ret != NOT_COMPILED_IN)
+            return ret;
+    }
+#endif
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA)
     if (sha->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA) {
     #if defined(HAVE_INTEL_QA)
diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c
index 70922f90d..548b2f0b7 100644
--- a/wolfcrypt/src/sha256.c
+++ b/wolfcrypt/src/sha256.c
@@ -46,6 +46,10 @@
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/wolfcrypt/cpuid.h>
 
+#ifdef WOLF_CRYPTO_DEV
+    #include <wolfssl/wolfcrypt/cryptodev.h>
+#endif
+
 /* fips wrapper calls, user can call direct */
 #if defined(HAVE_FIPS) && \
     (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))
@@ -308,6 +312,9 @@ static int InitSha256(wc_Sha256* sha256)
             return BAD_FUNC_ARG;
 
         sha256->heap = heap;
+    #ifdef WOLF_CRYPTO_DEV
+        sha256->devId = devId;
+    #endif
 
         ret = InitSha256(sha256);
         if (ret != 0)
@@ -520,6 +527,9 @@ static int InitSha256(wc_Sha256* sha256)
             return BAD_FUNC_ARG;
 
         sha256->heap = heap;
+    #ifdef WOLF_CRYPTO_DEV
+        sha256->devId = devId;
+    #endif
 
         ret = InitSha256(sha256);
         if (ret != 0)
@@ -675,14 +685,6 @@ static int InitSha256(wc_Sha256* sha256)
             return 0;
         }
 
-    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
-        if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
-        #if defined(HAVE_INTEL_QA)
-            return IntelQaSymSha256(&sha256->asyncDev, NULL, data, len);
-        #endif
-        }
-    #endif /* WOLFSSL_ASYNC_CRYPT */
-
         /* do block size increments */
         local = (byte*)sha256->buffer;
 
@@ -807,6 +809,30 @@ static int InitSha256(wc_Sha256* sha256)
 
     int wc_Sha256Update(wc_Sha256* sha256, const byte* data, word32 len)
     {
+        if (sha256 == NULL || (data == NULL && len > 0)) {
+            return BAD_FUNC_ARG;
+        }
+
+        if (data == NULL && len == 0) {
+            /* valid, but do nothing */
+            return 0;
+        }
+
+    #ifdef WOLF_CRYPTO_DEV
+        if (sha256->devId != INVALID_DEVID) {
+            int ret = wc_CryptoDev_Sha256Hash(sha256, data, len, NULL);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+        }
+    #endif
+    #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
+        if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
+        #if defined(HAVE_INTEL_QA)
+            return IntelQaSymSha256(&sha256->asyncDev, NULL, data, len);
+        #endif
+        }
+    #endif /* WOLFSSL_ASYNC_CRYPT */
+
         return Sha256Update(sha256, data, len);
     }
 
@@ -939,6 +965,14 @@ static int InitSha256(wc_Sha256* sha256)
             return BAD_FUNC_ARG;
         }
 
+    #ifdef WOLF_CRYPTO_DEV
+        if (sha256->devId != INVALID_DEVID) {
+            ret = wc_CryptoDev_Sha256Hash(sha256, NULL, 0, hash);
+            if (ret != NOT_COMPILED_IN)
+                return ret;
+        }
+    #endif
+
     #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_SHA256)
         if (sha256->asyncDev.marker == WOLFSSL_ASYNC_MARKER_SHA256) {
         #if defined(HAVE_INTEL_QA)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index cffd0edd9..df5b4b42f 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -22825,7 +22825,19 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
     if (info == NULL)
         return BAD_FUNC_ARG;
 
-    if (info->algo_type == WC_ALGO_TYPE_PK) {
+    if (info->algo_type == WC_ALGO_TYPE_RNG) {
+    #ifndef WC_NO_RNG
+        /* set devId to invalid, so software is used */
+        info->rng.rng->devId = INVALID_DEVID;
+
+        ret = wc_RNG_GenerateBlock(info->rng.rng,
+            info->rng.out, info->rng.sz);
+
+        /* reset devId */
+        info->rng.rng->devId = devIdArg;
+    #endif
+    }
+    else if (info->algo_type == WC_ALGO_TYPE_PK) {
     #ifdef DEBUG_WOLFSSL
         printf("CryptoDevCb: Pk Type %d\n", info->pk.type);
     #endif
@@ -22918,9 +22930,9 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
     #endif /* HAVE_ECC */
     }
     else if (info->algo_type == WC_ALGO_TYPE_CIPHER) {
-    #if !defined(NO_AES) && defined(HAVE_AESGCM)
+#ifndef NO_AES
+    #ifdef HAVE_AESGCM
         if (info->cipher.type == WC_CIPHER_AES_GCM) {
-
             if (info->cipher.enc) {
                 /* set devId to invalid, so software is used */
                 info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID;
@@ -22960,8 +22972,86 @@ static int myCryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx)
                 info->cipher.aesgcm_dec.aes->devId = devIdArg;
             }
         }
-    #endif /* !NO_AES && HAVE_AESGCM */
+    #endif /* HAVE_AESGCM */
+    #ifdef HAVE_AES_CBC
+        if (info->cipher.type == WC_CIPHER_AES_CBC) {
+            if (info->cipher.enc) {
+                /* set devId to invalid, so software is used */
+                info->cipher.aescbc.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesCbcEncrypt(
+                    info->cipher.aescbc.aes,
+                    info->cipher.aescbc.out,
+                    info->cipher.aescbc.in,
+                    info->cipher.aescbc.sz);
+
+                /* reset devId */
+                info->cipher.aescbc.aes->devId = devIdArg;
+            }
+            else {
+                /* set devId to invalid, so software is used */
+                info->cipher.aescbc.aes->devId = INVALID_DEVID;
+
+                ret = wc_AesCbcDecrypt(
+                    info->cipher.aescbc.aes,
+                    info->cipher.aescbc.out,
+                    info->cipher.aescbc.in,
+                    info->cipher.aescbc.sz);
+
+                /* reset devId */
+                info->cipher.aescbc.aes->devId = devIdArg;
+            }
+        }
+    #endif /* HAVE_AES_CBC */
+#endif /* !NO_AES */
     }
+#if !defined(NO_SHA) || !defined(NO_SHA256)
+    else if (info->algo_type == WC_ALGO_TYPE_HASH) {
+    #if !defined(NO_SHA)
+        if (info->hash.type == WC_HASH_TYPE_SHA) {
+            /* set devId to invalid, so software is used */
+            info->hash.sha1->devId = INVALID_DEVID;
+
+            if (info->hash.in != NULL) {
+                ret = wc_ShaUpdate(
+                    info->hash.sha1,
+                    info->hash.in,
+                    info->hash.inSz);
+            }
+            else if (info->hash.digest != NULL) {
+                ret = wc_ShaFinal(
+                    info->hash.sha1,
+                    info->hash.digest);
+            }
+
+            /* reset devId */
+            info->hash.sha1->devId = devIdArg;
+        }
+        else
+    #endif
+    #if !defined(NO_SHA256)
+        if (info->hash.type == WC_HASH_TYPE_SHA256) {
+            /* set devId to invalid, so software is used */
+            info->hash.sha256->devId = INVALID_DEVID;
+
+            if (info->hash.in != NULL) {
+                ret = wc_Sha256Update(
+                    info->hash.sha256,
+                    info->hash.in,
+                    info->hash.inSz);
+            }
+            else if (info->hash.digest != NULL) {
+                ret = wc_Sha256Final(
+                    info->hash.sha256,
+                    info->hash.digest);
+            }
+
+            /* reset devId */
+            info->hash.sha256->devId = devIdArg;
+        }
+    #endif
+    }
+#endif /* !NO_SHA || !NO_SHA256 */
 
     (void)devIdArg;
     (void)myCtx;
@@ -22981,6 +23071,10 @@ int cryptodev_test(void)
     devId = 1;
     ret = wc_CryptoDev_RegisterDevice(devId, myCryptoDevCb, &myCtx);
 
+#ifndef WC_NO_RNG
+    if (ret == 0)
+        ret = random_test();
+#endif /* WC_NO_RNG */
 #ifndef NO_RSA
     if (ret == 0)
         ret = rsa_test();
@@ -22989,9 +23083,25 @@ int cryptodev_test(void)
     if (ret == 0)
         ret = ecc_test();
 #endif
-#if !defined(NO_AES) && defined(HAVE_AESGCM)
+#ifndef NO_AES
+    #ifdef HAVE_AESGCM
     if (ret == 0)
         ret = aesgcm_test();
+    #endif
+    #ifdef HAVE_AES_CBC
+    if (ret == 0)
+        ret = aes_cbc_test();
+    #endif
+#endif /* !NO_AES */
+#if !defined(NO_SHA) || !defined(NO_SHA256)
+    #ifndef NO_SHA
+    if (ret == 0)
+        ret = sha_test();
+    #endif
+    #ifndef NO_SHA256
+    if (ret == 0)
+        ret = sha256_test();
+    #endif
 #endif
 
     /* reset devId */
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index 2c42c493c..b2119feb6 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -151,7 +151,8 @@ typedef struct Aes {
     byte use_aesni;
 #endif /* WOLFSSL_AESNI */
 #ifdef WOLF_CRYPTO_DEV
-    int   devId;
+    int    devId;
+    word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
 #endif
 #ifdef HAVE_PKCS11
     byte id[AES_MAX_ID_LEN];
diff --git a/wolfssl/wolfcrypt/cryptodev.h b/wolfssl/wolfcrypt/cryptodev.h
index 7f3035fe2..d27161d61 100644
--- a/wolfssl/wolfcrypt/cryptodev.h
+++ b/wolfssl/wolfcrypt/cryptodev.h
@@ -38,6 +38,15 @@
 #ifndef NO_AES
     #include <wolfssl/wolfcrypt/aes.h>
 #endif
+#ifndef NO_SHA
+    #include <wolfssl/wolfcrypt/sha.h>
+#endif
+#ifndef NO_SHA256
+    #include <wolfssl/wolfcrypt/sha256.h>
+#endif
+#ifndef WC_NO_RNG
+    #include <wolfssl/wolfcrypt/random.h>
+#endif
 
 /* Crypto Information Structure for callbacks */
 typedef struct wc_CryptoInfo {
@@ -96,11 +105,12 @@ typedef struct wc_CryptoInfo {
         #endif
         };
     } pk;
+#ifndef NO_AES
     struct {
         int type; /* enum wc_CipherType */
         int enc;
         union {
-        #if !defined(NO_AES) && defined(HAVE_AESGCM)
+        #ifdef HAVE_AESGCM
             struct {
                 Aes*        aes;
                 byte*       out;
@@ -125,19 +135,52 @@ typedef struct wc_CryptoInfo {
                 const byte* authIn;
                 word32      authInSz;
             } aesgcm_dec;
-        #endif
+        #endif /* HAVE_AESGCM */
+        #ifdef HAVE_AES_CBC
+            struct {
+                Aes*        aes;
+                byte*       out;
+                const byte* in;
+                word32      sz;
+            } aescbc;
+        #endif /* HAVE_AES_CBC */
         };
     } cipher;
+#endif
+#if !defined(NO_SHA) || !defined(NO_SHA256)
+    struct {
+        int type; /* enum wc_HashType */
+        const byte* in;
+        word32 inSz;
+        byte* digest;
+        union {
+        #ifndef NO_SHA
+            wc_Sha* sha1;
+        #endif
+        #ifndef NO_SHA256
+            wc_Sha256* sha256;
+        #endif
+        };
+    } hash;
+#endif /* !NO_SHA || !NO_SHA256 */
+#ifndef WC_NO_RNG
+    struct {
+        WC_RNG* rng;
+        byte* out;
+        word32 sz;
+    } rng;
+#endif
 } wc_CryptoInfo;
 
 typedef int (*CryptoDevCallbackFunc)(int devId, wc_CryptoInfo* info, void* ctx);
 
+
+
 WOLFSSL_LOCAL void wc_CryptoDev_Init(void);
 
 WOLFSSL_API int  wc_CryptoDev_RegisterDevice(int devId, CryptoDevCallbackFunc cb, void* ctx);
 WOLFSSL_API void wc_CryptoDev_UnRegisterDevice(int devId);
 
-
 #ifndef NO_RSA
 WOLFSSL_LOCAL int wc_CryptoDev_Rsa(const byte* in, word32 inLen, byte* out,
     word32* outLen, int type, RsaKey* key, WC_RNG* rng);
@@ -162,8 +205,8 @@ WOLFSSL_LOCAL int wc_CryptoDev_EccVerify(const byte* sig, word32 siglen,
     const byte* hash, word32 hashlen, int* res, ecc_key* key);
 #endif /* HAVE_ECC */
 
-#if !defined(NO_AES) && defined(HAVE_AESGCM)
-
+#ifndef NO_AES
+#ifdef HAVE_AESGCM
 WOLFSSL_LOCAL int wc_CryptoDev_AesGcmEncrypt(Aes* aes, byte* out,
      const byte* in, word32 sz, const byte* iv, word32 ivSz,
      byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz);
@@ -172,10 +215,28 @@ WOLFSSL_LOCAL int wc_CryptoDev_AesGcmDecrypt(Aes* aes, byte* out,
      const byte* in, word32 sz, const byte* iv, word32 ivSz,
      const byte* authTag, word32 authTagSz,
      const byte* authIn, word32 authInSz);
+#endif /* HAVE_AESGCM */
+#ifdef HAVE_AES_CBC
+WOLFSSL_LOCAL int wc_CryptoDev_AesCbcEncrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz);
+WOLFSSL_LOCAL int wc_CryptoDev_AesCbcDecrypt(Aes* aes, byte* out,
+                               const byte* in, word32 sz);
+#endif /* HAVE_AES_CBC */
+#endif /* !NO_AES */
 
-#endif /* !NO_AES && HAVE_AESGCM */
+#ifndef NO_SHA
+WOLFSSL_LOCAL int wc_CryptoDev_ShaHash(wc_Sha* sha, const byte* in,
+    word32 inSz, byte* digest);
+#endif /* !NO_SHA */
 
-WOLFSSL_LOCAL int wc_CryptoDev_Sha256Hash(const byte* data, word32 len, byte* hash);
+#ifndef NO_SHA256
+WOLFSSL_LOCAL int wc_CryptoDev_Sha256Hash(wc_Sha256* sha256, const byte* in,
+    word32 inSz, byte* digest);
+#endif /* !NO_SHA256 */
+
+#ifndef WC_NO_RNG
+WOLFSSL_LOCAL int wc_CryptoDev_RandomBlock(WC_RNG* rng, byte* out, word32 sz);
+#endif
 
 #endif /* WOLF_CRYPTO_DEV */
 
diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h
index 03c638e4c..f661dffa2 100644
--- a/wolfssl/wolfcrypt/random.h
+++ b/wolfssl/wolfcrypt/random.h
@@ -157,6 +157,8 @@ struct WC_RNG {
 #endif
 #ifdef WOLFSSL_ASYNC_CRYPT
     WC_ASYNC_DEV asyncDev;
+#endif
+#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLF_CRYPTO_DEV)
     int devId;
 #endif
 };
diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h
index 1985ecbbb..63ecff29c 100644
--- a/wolfssl/wolfcrypt/sha.h
+++ b/wolfssl/wolfcrypt/sha.h
@@ -123,6 +123,10 @@ typedef struct wc_Sha {
     #ifdef WOLFSSL_ASYNC_CRYPT
         WC_ASYNC_DEV asyncDev;
     #endif /* WOLFSSL_ASYNC_CRYPT */
+    #ifdef WOLF_CRYPTO_DEV
+        int    devId;
+        void*  devCtx; /* generic crypto callback context */
+    #endif
 #endif
 #if defined(WOLFSSL_ESP32WROOM32_CRYPT) && \
    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h
index 5d9f8ed8c..1d91d4ae3 100644
--- a/wolfssl/wolfcrypt/sha256.h
+++ b/wolfssl/wolfcrypt/sha256.h
@@ -158,6 +158,10 @@ typedef struct wc_Sha256 {
    !defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)
     WC_ESP32SHA ctx;
 #endif
+#ifdef WOLF_CRYPTO_DEV
+    int    devId;
+    void*  devCtx; /* generic crypto callback context */
+#endif
 #endif
 } wc_Sha256;
 
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 0d8a6a628..1d1ad9596 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -522,8 +522,9 @@
         WC_ALGO_TYPE_HASH = 1,
         WC_ALGO_TYPE_CIPHER = 2,
         WC_ALGO_TYPE_PK = 3,
+        WC_ALGO_TYPE_RNG = 4,
 
-        WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_PK
+        WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_RNG
     };
 
     /* hash types */