
mbedTLS: Update to mbedTLS 3.6.4

mbedTLS 2.28 is now EOL, and will no longer receive security updates.

This commit backports from Godot 4 the changes needed to update to
mbedTLS 3.6 (new LTS), including TLSv1.3 support.

(cherry picked from commit 0770c9a4a3c2b60c79820df0af89a83f06a231aa)
Fabio Alessandrelli 3 kuukautta sitten
vanhempi
commit
ec635fdfd7
100 muutettua tiedostoa jossa 9118 lisäystä ja 9908 poistoa
  1. 15 5
      core/crypto/SCsub
  2. 3 0
      core/crypto/crypto_core.cpp
  3. 4 0
      doc/classes/EditorSettings.xml
  4. 4 0
      doc/classes/ProjectSettings.xml
  5. 1 0
      editor/editor_settings.cpp
  6. 37 14
      modules/mbedtls/SCsub
  7. 42 10
      modules/mbedtls/crypto_mbedtls.cpp
  8. 2 0
      modules/mbedtls/crypto_mbedtls.h
  9. 74 4
      modules/mbedtls/register_types.cpp
  10. 38 0
      modules/mbedtls/ssl_context_mbedtls.cpp
  11. 0 1
      modules/mbedtls/ssl_context_mbedtls.h
  12. 13 7
      thirdparty/README.md
  13. 47 0
      thirdparty/mbedtls/include/godot_core_mbedtls_config.h
  14. 79 0
      thirdparty/mbedtls/include/godot_module_mbedtls_config.h
  15. 26 70
      thirdparty/mbedtls/include/mbedtls/aes.h
  16. 0 132
      thirdparty/mbedtls/include/mbedtls/arc4.h
  17. 6 19
      thirdparty/mbedtls/include/mbedtls/aria.h
  18. 61 19
      thirdparty/mbedtls/include/mbedtls/asn1.h
  19. 35 24
      thirdparty/mbedtls/include/mbedtls/asn1write.h
  20. 1 5
      thirdparty/mbedtls/include/mbedtls/base64.h
  21. 44 52
      thirdparty/mbedtls/include/mbedtls/bignum.h
  22. 76 0
      thirdparty/mbedtls/include/mbedtls/block_cipher.h
  23. 0 275
      thirdparty/mbedtls/include/mbedtls/blowfish.h
  24. 194 0
      thirdparty/mbedtls/include/mbedtls/build_info.h
  25. 6 15
      thirdparty/mbedtls/include/mbedtls/camellia.h
  26. 255 27
      thirdparty/mbedtls/include/mbedtls/ccm.h
  27. 0 238
      thirdparty/mbedtls/include/mbedtls/certs.h
  28. 5 18
      thirdparty/mbedtls/include/mbedtls/chacha20.h
  29. 8 11
      thirdparty/mbedtls/include/mbedtls/chachapoly.h
  30. 431 231
      thirdparty/mbedtls/include/mbedtls/check_config.h
  31. 274 236
      thirdparty/mbedtls/include/mbedtls/cipher.h
  32. 27 19
      thirdparty/mbedtls/include/mbedtls/cmac.h
  33. 0 2533
      thirdparty/mbedtls/include/mbedtls/compat-1.3.h
  34. 46 0
      thirdparty/mbedtls/include/mbedtls/compat-2.x.h
  35. 535 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h
  36. 873 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h
  37. 359 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h
  38. 145 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h
  39. 91 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_ssl.h
  40. 35 0
      thirdparty/mbedtls/include/mbedtls/config_adjust_x509.h
  41. 61 0
      thirdparty/mbedtls/include/mbedtls/config_psa.h
  42. 10 7
      thirdparty/mbedtls/include/mbedtls/constant_time.h
  43. 70 71
      thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
  44. 16 160
      thirdparty/mbedtls/include/mbedtls/debug.h
  45. 4 11
      thirdparty/mbedtls/include/mbedtls/des.h
  46. 65 183
      thirdparty/mbedtls/include/mbedtls/dhm.h
  47. 72 47
      thirdparty/mbedtls/include/mbedtls/ecdh.h
  48. 209 147
      thirdparty/mbedtls/include/mbedtls/ecdsa.h
  49. 57 21
      thirdparty/mbedtls/include/mbedtls/ecjpake.h
  50. 296 137
      thirdparty/mbedtls/include/mbedtls/ecp.h
  51. 33 39
      thirdparty/mbedtls/include/mbedtls/entropy.h
  52. 13 18
      thirdparty/mbedtls/include/mbedtls/error.h
  53. 116 46
      thirdparty/mbedtls/include/mbedtls/gcm.h
  54. 0 67
      thirdparty/mbedtls/include/mbedtls/havege.h
  55. 1 5
      thirdparty/mbedtls/include/mbedtls/hkdf.h
  56. 15 42
      thirdparty/mbedtls/include/mbedtls/hmac_drbg.h
  57. 440 0
      thirdparty/mbedtls/include/mbedtls/lms.h
  58. 233 355
      thirdparty/mbedtls/include/mbedtls/mbedtls_config.h
  59. 138 93
      thirdparty/mbedtls/include/mbedtls/md.h
  60. 0 292
      thirdparty/mbedtls/include/mbedtls/md2.h
  61. 0 297
      thirdparty/mbedtls/include/mbedtls/md4.h
  62. 14 121
      thirdparty/mbedtls/include/mbedtls/md5.h
  63. 0 77
      thirdparty/mbedtls/include/mbedtls/md_internal.h
  64. 10 6
      thirdparty/mbedtls/include/mbedtls/memory_buffer_alloc.h
  65. 0 23
      thirdparty/mbedtls/include/mbedtls/net.h
  66. 9 6
      thirdparty/mbedtls/include/mbedtls/net_sockets.h
  67. 3 6
      thirdparty/mbedtls/include/mbedtls/nist_kw.h
  68. 116 31
      thirdparty/mbedtls/include/mbedtls/oid.h
  69. 31 11
      thirdparty/mbedtls/include/mbedtls/pem.h
  70. 525 135
      thirdparty/mbedtls/include/mbedtls/pk.h
  71. 0 241
      thirdparty/mbedtls/include/mbedtls/pkcs11.h
  72. 18 34
      thirdparty/mbedtls/include/mbedtls/pkcs12.h
  73. 51 18
      thirdparty/mbedtls/include/mbedtls/pkcs5.h
  74. 240 0
      thirdparty/mbedtls/include/mbedtls/pkcs7.h
  75. 60 12
      thirdparty/mbedtls/include/mbedtls/platform.h
  76. 24 5
      thirdparty/mbedtls/include/mbedtls/platform_time.h
  77. 53 83
      thirdparty/mbedtls/include/mbedtls/platform_util.h
  78. 7 20
      thirdparty/mbedtls/include/mbedtls/poly1305.h
  79. 20 0
      thirdparty/mbedtls/include/mbedtls/private_access.h
  80. 207 0
      thirdparty/mbedtls/include/mbedtls/psa_util.h
  81. 14 101
      thirdparty/mbedtls/include/mbedtls/ripemd160.h
  82. 183 366
      thirdparty/mbedtls/include/mbedtls/rsa.h
  83. 14 134
      thirdparty/mbedtls/include/mbedtls/sha1.h
  84. 39 126
      thirdparty/mbedtls/include/mbedtls/sha256.h
  85. 172 0
      thirdparty/mbedtls/include/mbedtls/sha3.h
  86. 42 137
      thirdparty/mbedtls/include/mbedtls/sha512.h
  87. 573 165
      thirdparty/mbedtls/include/mbedtls/ssl.h
  88. 67 23
      thirdparty/mbedtls/include/mbedtls/ssl_cache.h
  89. 143 197
      thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h
  90. 18 12
      thirdparty/mbedtls/include/mbedtls/ssl_cookie.h
  91. 0 1339
      thirdparty/mbedtls/include/mbedtls/ssl_internal.h
  92. 92 19
      thirdparty/mbedtls/include/mbedtls/ssl_ticket.h
  93. 39 15
      thirdparty/mbedtls/include/mbedtls/threading.h
  94. 14 57
      thirdparty/mbedtls/include/mbedtls/timing.h
  95. 5 25
      thirdparty/mbedtls/include/mbedtls/version.h
  96. 188 56
      thirdparty/mbedtls/include/mbedtls/x509.h
  97. 27 13
      thirdparty/mbedtls/include/mbedtls/x509_crl.h
  98. 251 139
      thirdparty/mbedtls/include/mbedtls/x509_crt.h
  99. 108 26
      thirdparty/mbedtls/include/mbedtls/x509_csr.h
  100. 0 126
      thirdparty/mbedtls/include/mbedtls/xtea.h

+ 15 - 5
core/crypto/SCsub

@@ -20,17 +20,20 @@ if is_builtin or not has_module:
 # Only if the module is not enabled, we must compile here the required sources
 # to make a "light" build with only the necessary mbedtls files.
 if not has_module:
+    # Minimal mbedTLS config file
+    config_path = '\\"thirdparty/mbedtls/include/godot_core_mbedtls_config.h\\"'
+    env_crypto.Append(CPPDEFINES=[("MBEDTLS_CONFIG_FILE", config_path)])
+    # Build minimal mbedTLS library (MD5/SHA/Base64/AES).
     env_thirdparty = env_crypto.Clone()
     env_thirdparty.disable_warnings()
-    # Custom config file
-    env_thirdparty.Append(
-        CPPDEFINES=[("MBEDTLS_CONFIG_FILE", '\\"thirdparty/mbedtls/include/godot_core_mbedtls_config.h\\"')]
-    )
     thirdparty_mbedtls_dir = "#thirdparty/mbedtls/library/"
     thirdparty_mbedtls_sources = [
         "aes.c",
         "base64.c",
         "constant_time.c",
+        "ctr_drbg.c",
+        "entropy.c",
+        "md.c",
         "md5.c",
         "sha1.c",
         "sha256.c",
@@ -38,8 +41,15 @@ if not has_module:
     ]
     thirdparty_mbedtls_sources = [thirdparty_mbedtls_dir + file for file in thirdparty_mbedtls_sources]
     env_thirdparty.add_source_files(thirdparty_obj, thirdparty_mbedtls_sources)
+    # Needed to force rebuilding the library when the configuration file is updated.
+    env_thirdparty.Depends(thirdparty_obj, "#thirdparty/mbedtls/include/godot_core_mbedtls_config.h")
     env.core_sources += thirdparty_obj
-
+elif is_builtin:
+    # Module mbedTLS config file
+    config_path = '\\"thirdparty/mbedtls/include/godot_module_mbedtls_config.h\\"'
+    env_crypto.Append(CPPDEFINES=[("MBEDTLS_CONFIG_FILE", config_path)])
+    # Needed to force rebuilding the core files when the configuration file is updated.
+    thirdparty_obj = ["#thirdparty/mbedtls/include/godot_module_mbedtls_config.h"]
 
 # Godot source files
 

+ 3 - 0
core/crypto/crypto_core.cpp

@@ -35,6 +35,9 @@
 #include <mbedtls/md5.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/sha256.h>
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <mbedtls/compat-2.x.h>
+#endif
 
 // MD5
 CryptoCore::MD5Context::MD5Context() {
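Review bot: The added `#if MBEDTLS_VERSION_MAJOR >= 3` is evaluated before anything here guarantees that macro is defined: in 3.x every header pulls in `build_info.h`, but in 2.x the macro lives in `mbedtls/version.h`, which `md5.h`/`sha1.h`/`sha256.h` do not include, so the test silently becomes `0 >= 3` and only reaches the intended 2.x branch by accident (and trips `-Wundef`). Add `#include <mbedtls/version.h>` ahead of the check, or write `#if defined(MBEDTLS_VERSION_MAJOR) && MBEDTLS_VERSION_MAJOR >= 3`; `version.h` exists in both series per the diffstat. The same pattern is used in `modules/mbedtls/crypto_mbedtls.cpp`, `register_types.cpp` and `ssl_context_mbedtls.cpp`, and `ssl_context_mbedtls.h` drops its `<mbedtls/config.h>` include without adding a replacement that defines the macro, so those builds depend on the same accidental fallback when linked against a system 2.x package.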

+ 4 - 0
doc/classes/EditorSettings.xml

@@ -561,6 +561,10 @@
 		<member name="network/ssl/editor_ssl_certificates" type="String" setter="" getter="">
 			The SSL certificate bundle to use for HTTP requests made within the editor (e.g. from the AssetLib tab). If left empty, the [url=https://github.com/godotengine/godot/blob/master/thirdparty/certs/ca-certificates.crt]included Mozilla certificate bundle[/url] will be used.
 		</member>
+		<member name="network/ssl/enable_tls_v1.3" type="bool" setter="" getter="">
+			If [code]true[/code], enable TLSv1.3 negotiation.
+			[b]Note:[/b] Only supported when using Mbed TLS 3.0 or later (Linux distribution packages may be compiled against older system Mbed TLS packages), otherwise the maximum supported TLS version is always TLSv1.2.
+		</member>
 		<member name="project_manager/sorting_order" type="int" setter="" getter="">
 			The sorting order to use in the project manager. When changing the sorting order in the project manager, this setting is set permanently in the editor settings.
 		</member>

+ 4 - 0
doc/classes/ProjectSettings.xml

@@ -1312,6 +1312,10 @@
 			The CA certificates bundle to use for SSL connections. If this is set to a non-empty value, this will [i]override[/i] Godot's default [url=https://github.com/godotengine/godot/blob/master/thirdparty/certs/ca-certificates.crt]Mozilla certificate bundle[/url]. If left empty, the default certificate bundle will be used.
 			If in doubt, leave this setting empty.
 		</member>
+		<member name="network/ssl/enable_tls_v1.3" type="bool" setter="" getter="" default="true">
+			If [code]true[/code], enable TLSv1.3 negotiation.
+			[b]Note:[/b] Only supported when using Mbed TLS 3.0 or later (Linux distribution packages may be compiled against older system Mbed TLS packages), otherwise the maximum supported TLS version is always TLSv1.2.
+		</member>
 		<member name="node/name_casing" type="int" setter="" getter="" default="0">
 			When creating node names automatically, set the type of casing in this project. This is mostly an editor setting.
 		</member>

+ 1 - 0
editor/editor_settings.cpp

@@ -677,6 +677,7 @@ void EditorSettings::_load_defaults(Ref<ConfigFile> p_extra_config) {
 	// SSL
 	_initial_set("network/ssl/editor_ssl_certificates", _SYSTEM_CERTS_PATH);
 	hints["network/ssl/editor_ssl_certificates"] = PropertyInfo(Variant::STRING, "network/ssl/editor_ssl_certificates", PROPERTY_HINT_GLOBAL_FILE, "*.crt,*.pem", PROPERTY_USAGE_DEFAULT | PROPERTY_USAGE_RESTART_IF_CHANGED);
+	_initial_set("network/ssl/enable_tls_v1.3", true);
 
 	// HTTP Proxy
 	_initial_set("network/http_proxy/host", "");

+ 37 - 14
modules/mbedtls/SCsub

@@ -12,24 +12,24 @@ thirdparty_obj = []
 if env["builtin_mbedtls"]:
     thirdparty_sources = [
         "aes.c",
+        "aesce.c",
         "aesni.c",
-        "arc4.c",
         "aria.c",
         "asn1parse.c",
         "asn1write.c",
         "base64.c",
         "bignum.c",
-        "blowfish.c",
+        "bignum_core.c",
+        "bignum_mod_raw.c",
         "camellia.c",
         "ccm.c",
-        "certs.c",
         "chacha20.c",
         "chachapoly.c",
         "cipher.c",
         "cipher_wrap.c",
         "cmac.c",
-        "ctr_drbg.c",
         "constant_time.c",
+        "ctr_drbg.c",
         "debug.c",
         "des.c",
         "dhm.c",
@@ -42,13 +42,10 @@ if env["builtin_mbedtls"]:
         "entropy_poll.c",
         "error.c",
         "gcm.c",
-        "havege.c",
         "hkdf.c",
         "hmac_drbg.c",
-        "md2.c",
-        "md4.c",
-        "md5.c",
         "md.c",
+        "md5.c",
         "memory_buffer_alloc.c",
         "mps_reader.c",
         "mps_trace.c",
@@ -58,30 +55,53 @@ if env["builtin_mbedtls"]:
         "padlock.c",
         "pem.c",
         "pk.c",
-        "pkcs11.c",
+        "pk_ecc.c",
+        "pk_wrap.c",
         "pkcs12.c",
         "pkcs5.c",
+        "pkcs7.c",
         "pkparse.c",
-        "pk_wrap.c",
         "pkwrite.c",
         "platform.c",
         "platform_util.c",
         "poly1305.c",
+        "psa_crypto.c",
+        "psa_crypto_aead.c",
+        "psa_crypto_cipher.c",
+        "psa_crypto_client.c",
+        "psa_crypto_driver_wrappers_no_static.c",
+        "psa_crypto_ecp.c",
+        "psa_crypto_ffdh.c",
+        "psa_crypto_hash.c",
+        "psa_crypto_mac.c",
+        "psa_crypto_pake.c",
+        "psa_crypto_rsa.c",
+        "psa_crypto_se.c",
+        "psa_crypto_slot_management.c",
+        "psa_crypto_storage.c",
+        "psa_its_file.c",
+        "psa_util.c",
         "ripemd160.c",
         "rsa.c",
-        "rsa_internal.c",
+        "rsa_alt_helpers.c",
         "sha1.c",
+        "sha3.c",
         "sha256.c",
         "sha512.c",
         "ssl_cache.c",
         "ssl_ciphersuites.c",
-        "ssl_cli.c",
+        "ssl_client.c",
         "ssl_cookie.c",
+        "ssl_debug_helpers_generated.c",
         "ssl_msg.c",
-        "ssl_srv.c",
         "ssl_ticket.c",
         "ssl_tls.c",
+        "ssl_tls12_client.c",
+        "ssl_tls12_server.c",
+        "ssl_tls13_client.c",
+        "ssl_tls13_generic.c",
         "ssl_tls13_keys.c",
+        "ssl_tls13_server.c",
         "threading.c",
         "timing.c",
         "version.c",
@@ -91,19 +111,22 @@ if env["builtin_mbedtls"]:
         "x509_crl.c",
         "x509_crt.c",
         "x509_csr.c",
+        "x509write.c",
         "x509write_crt.c",
         "x509write_csr.c",
-        "xtea.c",
     ]
 
     thirdparty_dir = "#thirdparty/mbedtls/library/"
     thirdparty_sources = [thirdparty_dir + file for file in thirdparty_sources]
 
     env_mbed_tls.Prepend(CPPPATH=["#thirdparty/mbedtls/include/"])
+    config_path = '\\"thirdparty/mbedtls/include/godot_module_mbedtls_config.h\\"'
+    env_mbed_tls.Append(CPPDEFINES=[("MBEDTLS_CONFIG_FILE", config_path)])
 
     env_thirdparty = env_mbed_tls.Clone()
     env_thirdparty.disable_warnings()
     env_thirdparty.add_source_files(thirdparty_obj, thirdparty_sources)
+    env_thirdparty.Depends(thirdparty_obj, "#thirdparty/mbedtls/include/godot_module_mbedtls_config.h")
     env.modules_sources += thirdparty_obj
 
 

+ 42 - 10
modules/mbedtls/crypto_mbedtls.cpp

@@ -71,7 +71,7 @@ Error CryptoKeyMbedTLS::load(String p_path, bool p_public_only) {
 	if (p_public_only) {
 		ret = mbedtls_pk_parse_public_key(&pkey, out.read().ptr(), out.size());
 	} else {
-		ret = mbedtls_pk_parse_key(&pkey, out.read().ptr(), out.size(), nullptr, 0);
+		ret = _parse_key(out.read().ptr(), out.size());
 	}
 	// We MUST zeroize the memory for safety!
 	mbedtls_platform_zeroize(out.write().ptr(), out.size());
@@ -112,7 +112,7 @@ Error CryptoKeyMbedTLS::load_from_string(String p_string_key, bool p_public_only
 	if (p_public_only) {
 		ret = mbedtls_pk_parse_public_key(&pkey, (unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size());
 	} else {
-		ret = mbedtls_pk_parse_key(&pkey, (unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size(), nullptr, 0);
+		ret = _parse_key((unsigned char *)p_string_key.utf8().get_data(), p_string_key.utf8().size());
 	}
 	ERR_FAIL_COND_V_MSG(ret, FAILED, "Error parsing key '" + itos(ret) + "'.");
 
@@ -138,6 +138,25 @@ String CryptoKeyMbedTLS::save_to_string(bool p_public_only) {
 	return s;
 }
 
+int CryptoKeyMbedTLS::_parse_key(const uint8_t *p_buf, int p_size) {
+#if MBEDTLS_VERSION_MAJOR >= 3
+	mbedtls_entropy_context rng_entropy;
+	mbedtls_ctr_drbg_context rng_drbg;
+
+	mbedtls_ctr_drbg_init(&rng_drbg);
+	mbedtls_entropy_init(&rng_entropy);
+	int ret = mbedtls_ctr_drbg_seed(&rng_drbg, mbedtls_entropy_func, &rng_entropy, nullptr, 0);
+	ERR_FAIL_COND_V_MSG(ret != 0, ret, vformat("mbedtls_ctr_drbg_seed returned -0x%x\n", (unsigned int)-ret));
+
+	ret = mbedtls_pk_parse_key(&pkey, p_buf, p_size, nullptr, 0, mbedtls_ctr_drbg_random, &rng_drbg);
+	mbedtls_ctr_drbg_free(&rng_drbg);
+	mbedtls_entropy_free(&rng_entropy);
+	return ret;
+#else
+	return mbedtls_pk_parse_key(&pkey, p_buf, p_size, nullptr, 0);
+#endif
+}
+
 X509Certificate *X509CertificateMbedTLS::create() {
 	return memnew(X509CertificateMbedTLS);
 }
@@ -267,10 +286,6 @@ Crypto *CryptoMbedTLS::create() {
 }
 
 void CryptoMbedTLS::initialize_crypto() {
-#ifdef DEBUG_ENABLED
-	mbedtls_debug_set_threshold(1);
-#endif
-
 	Crypto::_create = create;
 	Crypto::_load_default_certificates = load_default_certificates;
 	X509CertificateMbedTLS::make_default();
@@ -360,12 +375,18 @@ Ref<X509Certificate> CryptoMbedTLS::generate_self_signed_certificate(Ref<CryptoK
 	mbedtls_x509write_crt_set_version(&crt, MBEDTLS_X509_CRT_VERSION_3);
 	mbedtls_x509write_crt_set_md_alg(&crt, MBEDTLS_MD_SHA256);
 
+	uint8_t rand_serial[20];
+	mbedtls_ctr_drbg_random(&ctr_drbg, rand_serial, sizeof(rand_serial));
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+	mbedtls_x509write_crt_set_serial_raw(&crt, rand_serial, sizeof(rand_serial));
+#else
+
 	mbedtls_mpi serial;
 	mbedtls_mpi_init(&serial);
-	uint8_t rand_serial[20];
-	mbedtls_ctr_drbg_random(&ctr_drbg, rand_serial, 20);
-	ERR_FAIL_COND_V(mbedtls_mpi_read_binary(&serial, rand_serial, 20), nullptr);
+	ERR_FAIL_COND_V(mbedtls_mpi_read_binary(&serial, rand_serial, sizeof(rand_serial)), nullptr);
 	mbedtls_x509write_crt_set_serial(&crt, &serial);
+#endif
 
 	mbedtls_x509write_crt_set_validity(&crt, p_not_before.utf8().get_data(), p_not_after.utf8().get_data());
 	mbedtls_x509write_crt_set_basic_constraints(&crt, 1, -1);
@@ -374,7 +395,9 @@ Ref<X509Certificate> CryptoMbedTLS::generate_self_signed_certificate(Ref<CryptoK
 	unsigned char buf[4096];
 	memset(buf, 0, 4096);
 	int ret = mbedtls_x509write_crt_pem(&crt, buf, 4096, mbedtls_ctr_drbg_random, &ctr_drbg);
+#if MBEDTLS_VERSION_MAJOR < 3
 	mbedtls_mpi_free(&serial);
+#endif
 	mbedtls_x509write_crt_free(&crt);
 	ERR_FAIL_COND_V_MSG(ret != 0, nullptr, "Failed to generate certificate: " + itos(ret));
 	buf[4095] = '\0'; // Make sure strlen can't fail.
@@ -418,9 +441,18 @@ Vector<uint8_t> CryptoMbedTLS::sign(HashingContext::HashType p_hash_type, Vector
 	ERR_FAIL_COND_V_MSG(!key.is_valid(), Vector<uint8_t>(), "Invalid key provided.");
 	ERR_FAIL_COND_V_MSG(key->is_public_only(), Vector<uint8_t>(), "Invalid key provided. Cannot sign with public_only keys.");
 	size_t sig_size = 0;
+#if MBEDTLS_VERSION_MAJOR >= 3
+	unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+#else
 	unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+#endif
 	Vector<uint8_t> out;
-	int ret = mbedtls_pk_sign(&(key->pkey), type, p_hash.ptr(), size, buf, &sig_size, mbedtls_ctr_drbg_random, &ctr_drbg);
+	int ret = mbedtls_pk_sign(&(key->pkey), type, p_hash.ptr(), size, buf,
+#if MBEDTLS_VERSION_MAJOR >= 3
+			sizeof(buf),
+#endif
+			&sig_size, mbedtls_ctr_drbg_random, &ctr_drbg);
+
 	ERR_FAIL_COND_V_MSG(ret, out, "Error while signing: " + itos(ret));
 	out.resize(sig_size);
 	memcpy(out.ptrw(), buf, sig_size);
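Review bot: In `_parse_key` (third hunk), the `ERR_FAIL_COND_V_MSG` after `mbedtls_ctr_drbg_seed` returns before `mbedtls_ctr_drbg_free`/`mbedtls_entropy_free` run, so a seed failure leaks both contexts, including the mutex the entropy context allocates when MBEDTLS_THREADING_C is on; release them on every path as below. In `generate_self_signed_certificate` the new 3.x path ignores the return values of `mbedtls_ctr_drbg_random` and `mbedtls_x509write_crt_set_serial_raw`, while the 2.x path still checks `mbedtls_mpi_read_binary`; wrap both in `ERR_FAIL_COND_V(... != 0, nullptr)` so a failed serial is not silently written. If the DER writer prepends 0x00 when the top bit of the first byte is set, 20 random bytes can yield a 21-octet serial, so masking with `rand_serial[0] &= 0x7F;` keeps it within the RFC 5280 limit — worth confirming against the x509write implementation.
```cpp
int CryptoKeyMbedTLS::_parse_key(const uint8_t *p_buf, int p_size) {
#if MBEDTLS_VERSION_MAJOR >= 3
	mbedtls_entropy_context rng_entropy;
	mbedtls_ctr_drbg_context rng_drbg;

	mbedtls_ctr_drbg_init(&rng_drbg);
	mbedtls_entropy_init(&rng_entropy);
	int ret = mbedtls_ctr_drbg_seed(&rng_drbg, mbedtls_entropy_func, &rng_entropy, nullptr, 0);
	if (ret == 0) {
		ret = mbedtls_pk_parse_key(&pkey, p_buf, p_size, nullptr, 0, mbedtls_ctr_drbg_random, &rng_drbg);
	} else {
		ERR_PRINT(vformat("mbedtls_ctr_drbg_seed returned -0x%x", (unsigned int)-ret));
	}
	// Release both contexts on every path, including seed failure.
	mbedtls_ctr_drbg_free(&rng_drbg);
	mbedtls_entropy_free(&rng_entropy);
	return ret;
#else
	// … unchanged: 2.x mbedtls_pk_parse_key call …
#endif
}
```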

+ 2 - 0
modules/mbedtls/crypto_mbedtls.h

@@ -46,6 +46,8 @@ private:
 	int locks = 0;
 	bool public_only = true;
 
+	int _parse_key(const uint8_t *p_buf, int p_size);
+
 public:
 	static CryptoKey *create();
 	static void make_default() { CryptoKey::_create = create; }
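Review bot: The new private declaration `_parse_key` has no comment describing its contract, and the name does not say whether it handles public keys or what it returns. Suggest a line above it: `// Parses a private key (PEM/DER) into pkey; returns 0 on success or a negative mbedTLS error code.` — the "private key only" part follows from both call sites in crypto_mbedtls.cpp passing through the non-public branch.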

+ 74 - 4
modules/mbedtls/register_types.cpp

@@ -35,7 +35,67 @@
 #include "packet_peer_mbed_dtls.h"
 #include "stream_peer_mbedtls.h"
 
+#include "core/project_settings.h"
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <psa/crypto.h>
+#endif
+
+static bool godot_mbedtls_initialized = false;
+
+#ifdef GODOT_MBEDTLS_THREADING_ALT
+extern "C" {
+void godot_mbedtls_mutex_init(mbedtls_threading_mutex_t *p_mutex) {
+	ERR_FAIL_NULL(p_mutex);
+	p_mutex->mutex = memnew(Mutex);
+}
+
+void godot_mbedtls_mutex_free(mbedtls_threading_mutex_t *p_mutex) {
+	ERR_FAIL_NULL(p_mutex);
+	ERR_FAIL_NULL(p_mutex->mutex);
+	memdelete((Mutex *)p_mutex->mutex);
+}
+
+int godot_mbedtls_mutex_lock(mbedtls_threading_mutex_t *p_mutex) {
+	ERR_FAIL_NULL_V(p_mutex, MBEDTLS_ERR_THREADING_BAD_INPUT_DATA);
+	ERR_FAIL_NULL_V(p_mutex->mutex, MBEDTLS_ERR_THREADING_BAD_INPUT_DATA);
+	((Mutex *)p_mutex->mutex)->lock();
+	return 0;
+}
+
+int godot_mbedtls_mutex_unlock(mbedtls_threading_mutex_t *p_mutex) {
+	ERR_FAIL_NULL_V(p_mutex, MBEDTLS_ERR_THREADING_BAD_INPUT_DATA);
+	ERR_FAIL_NULL_V(p_mutex->mutex, MBEDTLS_ERR_THREADING_BAD_INPUT_DATA);
+	((Mutex *)p_mutex->mutex)->unlock();
+	return 0;
+}
+};
+#endif
+
 void register_mbedtls_types() {
+	GLOBAL_DEF("network/ssl/enable_tls_v1.3", true);
+
+#ifdef GODOT_MBEDTLS_THREADING_ALT
+	mbedtls_threading_set_alt(
+			godot_mbedtls_mutex_init,
+			godot_mbedtls_mutex_free,
+			godot_mbedtls_mutex_lock,
+			godot_mbedtls_mutex_unlock);
+#endif
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+	int status = psa_crypto_init();
+	ERR_FAIL_COND_MSG(status != PSA_SUCCESS, "Failed to initialize psa crypto. The mbedTLS modules will not work.");
+#endif
+
+#ifdef DEBUG_ENABLED
+	if (OS::get_singleton()->is_stdout_verbose()) {
+		mbedtls_debug_set_threshold(1);
+	}
+#endif
+
+	godot_mbedtls_initialized = true;
+
 	CryptoMbedTLS::initialize_crypto();
 	StreamPeerMbedTLS::initialize_ssl();
 	PacketPeerMbedDTLS::initialize_dtls();
@@ -43,8 +103,18 @@ void register_mbedtls_types() {
 }
 
 void unregister_mbedtls_types() {
-	DTLSServerMbedTLS::finalize();
-	PacketPeerMbedDTLS::finalize_dtls();
-	StreamPeerMbedTLS::finalize_ssl();
-	CryptoMbedTLS::finalize_crypto();
+	if (godot_mbedtls_initialized) {
+		DTLSServerMbedTLS::finalize();
+		PacketPeerMbedDTLS::finalize_dtls();
+		StreamPeerMbedTLS::finalize_ssl();
+		CryptoMbedTLS::finalize_crypto();
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+		mbedtls_psa_crypto_free();
+#endif
+	}
+
+#ifdef GODOT_MBEDTLS_THREADING_ALT
+	mbedtls_threading_free_alt();
+#endif
 }
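Review bot: `godot_mbedtls_mutex_free` deletes the wrapped Mutex but leaves `p_mutex->mutex` dangling, so the `ERR_FAIL_NULL` guards in lock/unlock, and a repeated free, would act on freed memory instead of failing cleanly; add `p_mutex->mutex = nullptr;` right after the `memdelete` call. The `};` that closes the `extern "C"` block carries a stray semicolon (an empty declaration) that some compilers flag under `-Wextra-semi`; drop it. `psa_crypto_init()` returns a `psa_status_t`, so declaring `status` with that type rather than `int` keeps the `PSA_SUCCESS` comparison type-exact.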

+ 38 - 0
modules/mbedtls/ssl_context_mbedtls.cpp

@@ -30,6 +30,12 @@
 
 #include "ssl_context_mbedtls.h"
 
+#include "core/project_settings.h"
+
+#ifdef TOOLS_ENABLED
+#include "editor/editor_settings.h"
+#endif
+
 static void my_debug(void *ctx, int level,
 		const char *file, int line,
 		const char *str) {
@@ -147,6 +153,22 @@ Error SSLContextMbedTLS::init_server(int p_transport, int p_authmode, Ref<Crypto
 		cookies = p_cookies;
 		mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &(cookies->cookie_ctx));
 	}
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+#ifdef TOOLS_ENABLED
+	if (EditorSettings::get_singleton()) {
+		if (!EditorSettings::get_singleton()->get_setting("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	} else
+#endif
+	{
+		if (!GLOBAL_GET("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	}
+#endif
+
 	mbedtls_ssl_setup(&ssl, &conf);
 	return OK;
 }
@@ -173,6 +195,22 @@ Error SSLContextMbedTLS::init_client(int p_transport, int p_authmode, Ref<X509Ce
 
 	// Set valid CAs
 	mbedtls_ssl_conf_ca_chain(&conf, &(cas->cert), nullptr);
+
+#if MBEDTLS_VERSION_MAJOR >= 3
+#ifdef TOOLS_ENABLED
+	if (EditorSettings::get_singleton()) {
+		if (!EditorSettings::get_singleton()->get_setting("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	} else
+#endif
+	{
+		if (!GLOBAL_GET("network/ssl/enable_tls_v1.3").operator bool()) {
+			mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
+		}
+	}
+#endif
+
 	mbedtls_ssl_setup(&ssl, &conf);
 	return OK;
 }
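Review bot: The TLS 1.3 version-cap block is pasted verbatim into both `init_server` and `init_client`, including the awkward `} else` / `#endif` / `{` splice that makes the control flow hard to read; factoring it into one static helper keeps the editor-vs-project precedence in a single place and makes future policy changes (e.g. a minimum version) one edit instead of two. Both enclosing functions start outside their hunks. Proposed helper and call site below; the `else` branch after `#endif` keeps the original behaviour that the editor setting wins whenever the editor singleton exists.
```cpp
// Caps negotiation at TLSv1.2 when "network/ssl/enable_tls_v1.3" is off;
// the editor setting takes precedence over the project setting when the editor is running.
static void _apply_tls_max_version(mbedtls_ssl_config *p_conf) {
#if MBEDTLS_VERSION_MAJOR >= 3
	bool tls13_enabled = true;
#ifdef TOOLS_ENABLED
	if (EditorSettings::get_singleton()) {
		tls13_enabled = EditorSettings::get_singleton()->get_setting("network/ssl/enable_tls_v1.3").operator bool();
	} else
#endif
	{
		tls13_enabled = GLOBAL_GET("network/ssl/enable_tls_v1.3").operator bool();
	}
	if (!tls13_enabled) {
		mbedtls_ssl_conf_max_tls_version(p_conf, MBEDTLS_SSL_VERSION_TLS1_2);
	}
#else
	(void)p_conf;
#endif
}

// … unchanged: init_server body up to the cookie setup …
	_apply_tls_max_version(&conf);
	mbedtls_ssl_setup(&ssl, &conf);
// … unchanged: init_client body up to mbedtls_ssl_conf_ca_chain, then the same two lines …
```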

+ 0 - 1
modules/mbedtls/ssl_context_mbedtls.h

@@ -37,7 +37,6 @@
 #include "core/pool_vector.h"
 #include "core/reference.h"
 
-#include <mbedtls/config.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/debug.h>
 #include <mbedtls/entropy.h>

+ 13 - 7
thirdparty/README.md

@@ -284,20 +284,26 @@ Files extracted from upstream source:
 ## mbedtls
 
 - Upstream: https://github.com/Mbed-TLS/mbedtls
-- Version: 2.28.10 (2fc8413bfcb51354c8e679141b17b3f1a5942561, 2025)
+- Version: 3.6.4 (c765c831e5c2a0971410692f92f7a81d6ec65ec2, 2025)
 - License: Apache 2.0
 
 File extracted from upstream release tarball:
 
 - All `.h` from `include/mbedtls/` to `thirdparty/mbedtls/include/mbedtls/`
-  except `config_psa.h` and `psa_util.h`
-- All `.c` and `.h` from `library/` to `thirdparty/mbedtls/library/` except
-  those starting with `psa_*`
+  and all `.h` from `include/psa/` to `thirdparty/mbedtls/include/psa/`
+- From `library/` to `thirdparty/mbedtls/library/`:
+  - All `.c` and `.h` files
+  - Except `bignum_mod.c`, `block_cipher.c`, `ecp_curves_new.c`, `lmots.c`,
+  `lms.c`, `bignum_core_invasive.h`
 - The `LICENSE` file (edited to keep only the Apache 2.0 variant)
-- Applied the patch `windows-arm64-hardclock.diff` to fix Windows ARM64 build
-  Applied the patch `windows-entropy-bcrypt.diff` to fix Windows Store support
 - Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h`
-  providing configuration for light bundling with core.
+  providing configuration for light bundling with core
+- Added 2 files `godot_module_mbedtls_config.h` and `threading_alt.h`
+  to customize the build configuration when bundling the full library
+
+Patches:
+  
+- `0001-msvc-2019-psa-redeclaration.patch` (GH-90535)
 
 
 ## minimp3

+ 47 - 0
thirdparty/mbedtls/include/godot_core_mbedtls_config.h

@@ -1,3 +1,38 @@
+/**************************************************************************/
+/*  godot_core_mbedtls_config.h                                           */
+/**************************************************************************/
+/*                         This file is part of:                          */
+/*                             GODOT ENGINE                               */
+/*                        https://godotengine.org                         */
+/**************************************************************************/
+/* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
+/* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur.                  */
+/*                                                                        */
+/* Permission is hereby granted, free of charge, to any person obtaining  */
+/* a copy of this software and associated documentation files (the        */
+/* "Software"), to deal in the Software without restriction, including    */
+/* without limitation the rights to use, copy, modify, merge, publish,    */
+/* distribute, sublicense, and/or sell copies of the Software, and to     */
+/* permit persons to whom the Software is furnished to do so, subject to  */
+/* the following conditions:                                              */
+/*                                                                        */
+/* The above copyright notice and this permission notice shall be         */
+/* included in all copies or substantial portions of the Software.        */
+/*                                                                        */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,        */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF     */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY   */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,   */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE      */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                 */
+/**************************************************************************/
+
+#ifndef GODOT_CORE_MBEDTLS_CONFIG_H
+#define GODOT_CORE_MBEDTLS_CONFIG_H
+
+#include <limits.h>
+
 // For AES
 #define MBEDTLS_CIPHER_MODE_CBC
 #define MBEDTLS_CIPHER_MODE_CFB
@@ -7,7 +42,19 @@
 
 #define MBEDTLS_AES_C
 #define MBEDTLS_BASE64_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
 #define MBEDTLS_MD5_C
 #define MBEDTLS_SHA1_C
 #define MBEDTLS_SHA256_C
 #define MBEDTLS_PLATFORM_ZEROIZE_ALT
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+
+// This is only to pass a check in the mbedtls check_config.h header, none of
+// the files we include as part of the core build uses it anyway, we already
+// define MBEDTLS_PLATFORM_ZEROIZE_ALT which is the only relevant function.
+#if defined(__MINGW32__)
+#define MBEDTLS_PLATFORM_C
+#endif
+
+#endif // GODOT_CORE_MBEDTLS_CONFIG_H
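Review bot: The second hunk turns on `MBEDTLS_ENTROPY_C` and `MBEDTLS_CTR_DRBG_C` together with `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES`, and nothing in this file defines `MBEDTLS_ENTROPY_HARDWARE_ALT`, so an entropy context built under this config has no sources unless the caller registers one with `mbedtls_entropy_add_source()` (or `godot_core_mbedtls_platform.c` does so — cannot tell from here); otherwise `mbedtls_entropy_func` fails and any DRBG seeded from it fails too. That contract is not written down next to the define; suggest `// No platform entropy sources are compiled in: whoever seeds a DRBG under this config must register a source with mbedtls_entropy_add_source() first.` above `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES`.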

+ 79 - 0
thirdparty/mbedtls/include/godot_module_mbedtls_config.h

@@ -0,0 +1,79 @@
+/**************************************************************************/
+/*  godot_module_mbedtls_config.h                                         */
+/**************************************************************************/
+/*                         This file is part of:                          */
+/*                             GODOT ENGINE                               */
+/*                        https://godotengine.org                         */
+/**************************************************************************/
+/* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
+/* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur.                  */
+/*                                                                        */
+/* Permission is hereby granted, free of charge, to any person obtaining  */
+/* a copy of this software and associated documentation files (the        */
+/* "Software"), to deal in the Software without restriction, including    */
+/* without limitation the rights to use, copy, modify, merge, publish,    */
+/* distribute, sublicense, and/or sell copies of the Software, and to     */
+/* permit persons to whom the Software is furnished to do so, subject to  */
+/* the following conditions:                                              */
+/*                                                                        */
+/* The above copyright notice and this permission notice shall be         */
+/* included in all copies or substantial portions of the Software.        */
+/*                                                                        */
+/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,        */
+/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF     */
+/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
+/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY   */
+/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,   */
+/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE      */
+/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                 */
+/**************************************************************************/
+
+#ifndef GODOT_MODULE_MBEDTLS_CONFIG_H
+#define GODOT_MODULE_MBEDTLS_CONFIG_H
+
+#include "platform_config.h"
+
+#ifdef GODOT_MBEDTLS_INCLUDE_H
+
+// Allow platforms to customize the mbedTLS configuration.
+#include GODOT_MBEDTLS_INCLUDE_H
+
+#else
+
+// Include default mbedTLS config.
+#include <mbedtls/mbedtls_config.h>
+
+// Disable weak cryptography.
+#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#undef MBEDTLS_DES_C
+#undef MBEDTLS_DHM_C
+
+#ifdef THREADS_ENABLED
+// In mbedTLS 3, the PSA subsystem has an implicit shared context, MBEDTLS_THREADING_C is required to make it thread safe.
+#define MBEDTLS_THREADING_C
+#define MBEDTLS_THREADING_ALT
+#define GODOT_MBEDTLS_THREADING_ALT
+#endif
+
+#if !(defined(__linux__) && defined(__aarch64__))
+// ARMv8 hardware AES operations. Detection only possible on linux.
+// May technically be supported on some ARM32 arches but doesn't seem
+// to be in our current Linux SDK's neon-fp-armv8.
+#undef MBEDTLS_AESCE_C
+#endif
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+// MemorySanitizer is incompatible with ASM.
+#undef MBEDTLS_HAVE_ASM
+#undef MBEDTLS_AESNI_C
+#endif
+#endif
+
+// Disable deprecated
+#define MBEDTLS_DEPRECATED_REMOVED
+
+#endif // GODOT_MBEDTLS_INCLUDE_H
+
+#endif // GODOT_MODULE_MBEDTLS_CONFIG_H
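Review bot: When a platform supplies `GODOT_MBEDTLS_INCLUDE_H`, the `#ifdef` at the top includes that header and skips the entire `#else` branch, so the "Disable weak cryptography" undefs, the threading setup and `MBEDTLS_DEPRECATED_REMOVED` do not apply on such platforms; that consequence is worth stating at the include, e.g. `// NOTE: a platform header replaces this whole default config, including the hardening below, and must apply its own.` If the intent is only to let platforms tweak the defaults, placing the platform include after the hardening block (so it can selectively `#undef`/`#define`) would keep the weak-cipher removal uniform across targets.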

+ 26 - 70
thirdparty/mbedtls/include/mbedtls/aes.h

@@ -27,12 +27,9 @@
 
 #ifndef MBEDTLS_AES_H
 #define MBEDTLS_AES_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 #include "mbedtls/platform_util.h"
 
 #include <stddef.h>
@@ -52,19 +49,6 @@
 /** Invalid input data. */
 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021
 
-/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
-/** Feature not available. For example, an unsupported AES key size. */
-#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023
-
-/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** AES hardware accelerator failed. */
-#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025
-
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -77,16 +61,22 @@ extern "C" {
  * \brief The AES context-type definition.
  */
 typedef struct mbedtls_aes_context {
-    int nr;                     /*!< The number of rounds. */
-    uint32_t *rk;               /*!< AES round keys. */
-    uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
-                                     hold 32 extra Bytes, which can be used for
-                                     one of the following purposes:
-                                     <ul><li>Alignment if VIA padlock is
-                                             used.</li>
-                                     <li>Simplifying key expansion in the 256-bit
-                                         case by generating an extra round key.
-                                         </li></ul> */
+    int MBEDTLS_PRIVATE(nr);                     /*!< The number of rounds. */
+    size_t MBEDTLS_PRIVATE(rk_offset);           /*!< The offset in array elements to AES
+                                                    round keys in the buffer. */
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) && !defined(MBEDTLS_PADLOCK_C)
+    uint32_t MBEDTLS_PRIVATE(buf)[44];           /*!< Aligned data buffer to hold
+                                                    10 round keys for 128-bit case. */
+#else
+    uint32_t MBEDTLS_PRIVATE(buf)[68];           /*!< Unaligned data buffer. This buffer can
+                                                    hold 32 extra Bytes, which can be used for
+                                                    one of the following purposes:
+                                                    <ul><li>Alignment if VIA padlock is
+                                                    used.</li>
+                                                    <li>Simplifying key expansion in the 256-bit
+                                                    case by generating an extra round key.
+                                                    </li></ul> */
+#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH && !MBEDTLS_PADLOCK_C */
 }
 mbedtls_aes_context;
 
@@ -95,10 +85,10 @@ mbedtls_aes_context;
  * \brief The AES XTS context-type definition.
  */
 typedef struct mbedtls_aes_xts_context {
-    mbedtls_aes_context crypt; /*!< The AES context to use for AES block
-                                        encryption or decryption. */
-    mbedtls_aes_context tweak; /*!< The AES context used for tweak
-                                        computation. */
+    mbedtls_aes_context MBEDTLS_PRIVATE(crypt); /*!< The AES context to use for AES block
+                                                   encryption or decryption. */
+    mbedtls_aes_context MBEDTLS_PRIVATE(tweak); /*!< The AES context used for tweak
+                                                   computation. */
 } mbedtls_aes_xts_context;
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 
@@ -165,6 +155,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
                            unsigned int keybits);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief          This function sets the decryption key.
  *
@@ -183,6 +174,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
 MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
                            unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
@@ -602,6 +594,7 @@ int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief           Internal AES block decryption function. This is only
  *                  exposed to allow overriding it using see
@@ -617,44 +610,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           Deprecated internal AES block encryption function
- *                  without return value.
- *
- * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
- *
- * \param ctx       The AES context to use for encryption.
- * \param input     Plaintext block.
- * \param output    Output (ciphertext) block.
- */
-MBEDTLS_DEPRECATED void mbedtls_aes_encrypt(mbedtls_aes_context *ctx,
-                                            const unsigned char input[16],
-                                            unsigned char output[16]);
-
-/**
- * \brief           Deprecated internal AES block decryption function
- *                  without return value.
- *
- * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
- *
- * \param ctx       The AES context to use for decryption.
- * \param input     Ciphertext block.
- * \param output    Output (plaintext) block.
- */
-MBEDTLS_DEPRECATED void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
-                                            const unsigned char input[16],
-                                            unsigned char output[16]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 #if defined(MBEDTLS_SELF_TEST)
 /**

+ 0 - 132
thirdparty/mbedtls/include/mbedtls/arc4.h

@@ -1,132 +0,0 @@
-/**
- * \file arc4.h
- *
- * \brief The ARCFOUR stream cipher
- *
- * \warning   ARC4 is considered a weak cipher and its use constitutes a
- *            security risk. We recommend considering stronger ciphers instead.
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- */
-#ifndef MBEDTLS_ARC4_H
-#define MBEDTLS_ARC4_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-
-/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** ARC4 hardware accelerator failed. */
-#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_ARC4_ALT)
-// Regular implementation
-//
-
-/**
- * \brief     ARC4 context structure
- *
- * \warning   ARC4 is considered a weak cipher and its use constitutes a
- *            security risk. We recommend considering stronger ciphers instead.
- *
- */
-typedef struct mbedtls_arc4_context {
-    int x;                      /*!< permutation index */
-    int y;                      /*!< permutation index */
-    unsigned char m[256];       /*!< permutation table */
-}
-mbedtls_arc4_context;
-
-#else  /* MBEDTLS_ARC4_ALT */
-#include "arc4_alt.h"
-#endif /* MBEDTLS_ARC4_ALT */
-
-/**
- * \brief          Initialize ARC4 context
- *
- * \param ctx      ARC4 context to be initialized
- *
- * \warning        ARC4 is considered a weak cipher and its use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- *
- */
-void mbedtls_arc4_init(mbedtls_arc4_context *ctx);
-
-/**
- * \brief          Clear ARC4 context
- *
- * \param ctx      ARC4 context to be cleared
- *
- * \warning        ARC4 is considered a weak cipher and its use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- *
- */
-void mbedtls_arc4_free(mbedtls_arc4_context *ctx);
-
-/**
- * \brief          ARC4 key schedule
- *
- * \param ctx      ARC4 context to be setup
- * \param key      the secret key
- * \param keylen   length of the key, in bytes
- *
- * \warning        ARC4 is considered a weak cipher and its use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- *
- */
-void mbedtls_arc4_setup(mbedtls_arc4_context *ctx, const unsigned char *key,
-                        unsigned int keylen);
-
-/**
- * \brief          ARC4 cipher function
- *
- * \param ctx      ARC4 context
- * \param length   length of the input data
- * \param input    buffer holding the input data
- * \param output   buffer for the output data
- *
- * \return         0 if successful
- *
- * \warning        ARC4 is considered a weak cipher and its use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- *
- */
-int mbedtls_arc4_crypt(mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
-                       unsigned char *output);
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- *
- * \warning        ARC4 is considered a weak cipher and its use constitutes a
- *                 security risk. We recommend considering stronger ciphers
- *                 instead.
- *
- */
-int mbedtls_arc4_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* arc4.h */

+ 6 - 19
thirdparty/mbedtls/include/mbedtls/aria.h

@@ -16,12 +16,9 @@
 
 #ifndef MBEDTLS_ARIA_H
 #define MBEDTLS_ARIA_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -35,24 +32,12 @@
 #define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maximum number of rounds in ARIA. */
 #define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(-0x005C)
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /** Bad input data. */
 #define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C
 
 /** Invalid data input length. */
 #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E
 
-/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
- */
-/** Feature not available. For example, an unsupported ARIA key size. */
-#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A
-
-/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** ARIA hardware accelerator failed. */
-#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -65,9 +50,9 @@ extern "C" {
  * \brief The ARIA context-type definition.
  */
 typedef struct mbedtls_aria_context {
-    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
+    unsigned char MBEDTLS_PRIVATE(nr);           /*!< The number of rounds (12, 14 or 16) */
     /*! The ARIA round keys. */
-    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+    uint32_t MBEDTLS_PRIVATE(rk)[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
 }
 mbedtls_aria_context;
 
@@ -113,6 +98,7 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
                             const unsigned char *key,
                             unsigned int keybits);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief          This function sets the decryption key.
  *
@@ -131,6 +117,7 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
 int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
                             const unsigned char *key,
                             unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 /**
  * \brief          This function performs an ARIA single-block encryption or

+ 61 - 19
thirdparty/mbedtls/include/mbedtls/asn1.h

@@ -9,12 +9,10 @@
  */
 #ifndef MBEDTLS_ASN1_H
 #define MBEDTLS_ASN1_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include <stddef.h>
 
@@ -29,8 +27,9 @@
 
 /**
  * \name ASN1 Error codes
- * These error codes are OR'ed to X509 error codes for
+ * These error codes are combined with other error codes for
  * higher error granularity.
+ * e.g. X.509 and PKCS #7 error codes
  * ASN1 is a standard to specify data structures.
  * \{
  */
@@ -85,15 +84,14 @@
 
 /* Slightly smaller way to check if tag is a string tag
  * compared to canonical implementation. */
-#define MBEDTLS_ASN1_IS_STRING_TAG(tag)                                     \
-    ((tag) < 32u && (                                                      \
+#define MBEDTLS_ASN1_IS_STRING_TAG(tag)                                \
+    ((unsigned int) (tag) < 32u && (                                   \
          ((1u << (tag)) & ((1u << MBEDTLS_ASN1_BMP_STRING)       |     \
                            (1u << MBEDTLS_ASN1_UTF8_STRING)      |     \
                            (1u << MBEDTLS_ASN1_T61_STRING)       |     \
                            (1u << MBEDTLS_ASN1_IA5_STRING)       |     \
                            (1u << MBEDTLS_ASN1_UNIVERSAL_STRING) |     \
-                           (1u << MBEDTLS_ASN1_PRINTABLE_STRING) |     \
-                           (1u << MBEDTLS_ASN1_BIT_STRING))) != 0))
+                           (1u << MBEDTLS_ASN1_PRINTABLE_STRING))) != 0))
 
 /*
  * Bit masks for each of the components of an ASN.1 tag as specified in
@@ -162,7 +160,15 @@ mbedtls_asn1_bitstring;
  */
 typedef struct mbedtls_asn1_sequence {
     mbedtls_asn1_buf buf;                   /**< Buffer containing the given ASN.1 item. */
-    struct mbedtls_asn1_sequence *next;    /**< The next entry in the sequence. */
+
+    /** The next entry in the sequence.
+     *
+     * The details of memory management for sequences are not documented and
+     * may change in future versions. Set this field to \p NULL when
+     * initializing a structure, and do not modify it except via Mbed TLS
+     * library functions.
+     */
+    struct mbedtls_asn1_sequence *next;
 }
 mbedtls_asn1_sequence;
 
@@ -172,11 +178,27 @@ mbedtls_asn1_sequence;
 typedef struct mbedtls_asn1_named_data {
     mbedtls_asn1_buf oid;                   /**< The object identifier. */
     mbedtls_asn1_buf val;                   /**< The named value. */
-    struct mbedtls_asn1_named_data *next;  /**< The next entry in the sequence. */
-    unsigned char next_merged;      /**< Merge next item into the current one? */
+
+    /** The next entry in the sequence.
+     *
+     * The details of memory management for named data sequences are not
+     * documented and may change in future versions. Set this field to \p NULL
+     * when initializing a structure, and do not modify it except via Mbed TLS
+     * library functions.
+     */
+    struct mbedtls_asn1_named_data *next;
+
+    /** Merge next item into the current one?
+     *
+     * This field exists for the sake of Mbed TLS's X.509 certificate parsing
+     * code and may change in future versions of the library.
+     */
+    unsigned char MBEDTLS_PRIVATE(next_merged);
 }
 mbedtls_asn1_named_data;
 
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
+    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
 /**
  * \brief       Get the length of an ASN.1 element.
  *              Updates the pointer to immediately behind the length.
@@ -223,7 +245,9 @@ int mbedtls_asn1_get_len(unsigned char **p,
 int mbedtls_asn1_get_tag(unsigned char **p,
                          const unsigned char *end,
                          size_t *len, int tag);
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
 
+#if defined(MBEDTLS_ASN1_PARSE_C)
 /**
  * \brief       Retrieve a boolean ASN.1 tag and its value.
  *              Updates the pointer to immediately behind the full tag.
@@ -568,31 +592,49 @@ int mbedtls_asn1_get_alg_null(unsigned char **p,
  *
  * \return      NULL if not found, or a pointer to the existing entry.
  */
-mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(mbedtls_asn1_named_data *list,
-                                                      const char *oid, size_t len);
+const mbedtls_asn1_named_data *mbedtls_asn1_find_named_data(const mbedtls_asn1_named_data *list,
+                                                            const char *oid, size_t len);
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief       Free a mbedtls_asn1_named_data entry
  *
+ * \deprecated  This function is deprecated and will be removed in a
+ *              future version of the library.
+ *              Please use mbedtls_asn1_free_named_data_list()
+ *              or mbedtls_asn1_free_named_data_list_shallow().
+ *
  * \param entry The named data entry to free.
  *              This function calls mbedtls_free() on
  *              `entry->oid.p` and `entry->val.p`.
  */
-void mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *entry);
+void MBEDTLS_DEPRECATED mbedtls_asn1_free_named_data(mbedtls_asn1_named_data *entry);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 /**
  * \brief       Free all entries in a mbedtls_asn1_named_data list.
  *
  * \param head  Pointer to the head of the list of named data entries to free.
- *              This function calls mbedtls_asn1_free_named_data() and
- *              mbedtls_free() on each list element and
- *              sets \c *head to \c NULL.
+ *              This function calls mbedtls_free() on
+ *              `entry->oid.p` and `entry->val.p` and then on `entry`
+ *              for each list entry, and sets \c *head to \c NULL.
  */
 void mbedtls_asn1_free_named_data_list(mbedtls_asn1_named_data **head);
 
+/**
+ * \brief       Free all shallow entries in a mbedtls_asn1_named_data list,
+ *              but do not free internal pointer targets.
+ *
+ * \param name  Head of the list of named data entries to free.
+ *              This function calls mbedtls_free() on each list element.
+ */
+void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name);
+
 /** \} name Functions to parse ASN.1 data structures */
 /** \} addtogroup asn1_module */
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 #ifdef __cplusplus
 }
 #endif

+ 35 - 24
thirdparty/mbedtls/include/mbedtls/asn1write.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/asn1.h"
 
@@ -27,10 +23,21 @@
         (g) += ret;                                 \
     } while (0)
 
+#define MBEDTLS_ASN1_CHK_CLEANUP_ADD(g, f)                      \
+    do                                                  \
+    {                                                   \
+        if ((ret = (f)) < 0)                         \
+        goto cleanup;                              \
+        else                                            \
+        (g) += ret;                                 \
+    } while (0)
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
+    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
 /**
  * \brief           Write a length field in ASN.1 format.
  *
@@ -43,7 +50,7 @@ extern "C" {
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_len(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start,
                            size_t len);
 /**
  * \brief           Write an ASN.1 tag in ASN.1 format.
@@ -57,9 +64,11 @@ int mbedtls_asn1_write_len(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_tag(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
                            unsigned char tag);
+#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/
 
+#if defined(MBEDTLS_ASN1_WRITE_C)
 /**
  * \brief           Write raw buffer data.
  *
@@ -73,7 +82,7 @@ int mbedtls_asn1_write_tag(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_raw_buffer(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_raw_buffer(unsigned char **p, const unsigned char *start,
                                   const unsigned char *buf, size_t size);
 
 #if defined(MBEDTLS_BIGNUM_C)
@@ -91,7 +100,7 @@ int mbedtls_asn1_write_raw_buffer(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_mpi(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_mpi(unsigned char **p, const unsigned char *start,
                            const mbedtls_mpi *X);
 #endif /* MBEDTLS_BIGNUM_C */
 
@@ -107,7 +116,7 @@ int mbedtls_asn1_write_mpi(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_null(unsigned char **p, unsigned char *start);
+int mbedtls_asn1_write_null(unsigned char **p, const unsigned char *start);
 
 /**
  * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
@@ -123,7 +132,7 @@ int mbedtls_asn1_write_null(unsigned char **p, unsigned char *start);
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_oid(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_oid(unsigned char **p, const unsigned char *start,
                            const char *oid, size_t oid_len);
 
 /**
@@ -142,7 +151,7 @@ int mbedtls_asn1_write_oid(unsigned char **p, unsigned char *start,
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
-                                            unsigned char *start,
+                                            const unsigned char *start,
                                             const char *oid, size_t oid_len,
                                             size_t par_len);
 
@@ -163,7 +172,7 @@ int mbedtls_asn1_write_algorithm_identifier(unsigned char **p,
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
 int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p,
-                                                unsigned char *start,
+                                                const unsigned char *start,
                                                 const char *oid, size_t oid_len,
                                                 size_t par_len, int has_par);
 
@@ -180,7 +189,7 @@ int mbedtls_asn1_write_algorithm_identifier_ext(unsigned char **p,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_bool(unsigned char **p, const unsigned char *start,
                             int boolean);
 
 /**
@@ -197,7 +206,7 @@ int mbedtls_asn1_write_bool(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_int(unsigned char **p, unsigned char *start, int val);
+int mbedtls_asn1_write_int(unsigned char **p, const unsigned char *start, int val);
 
 /**
  * \brief           Write an enum tag (#MBEDTLS_ASN1_ENUMERATED) and value
@@ -212,7 +221,7 @@ int mbedtls_asn1_write_int(unsigned char **p, unsigned char *start, int val);
  * \return          The number of bytes written to \p p on success.
  * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
  */
-int mbedtls_asn1_write_enum(unsigned char **p, unsigned char *start, int val);
+int mbedtls_asn1_write_enum(unsigned char **p, const unsigned char *start, int val);
 
 /**
  * \brief           Write a string in ASN.1 format using a specific
@@ -231,7 +240,7 @@ int mbedtls_asn1_write_enum(unsigned char **p, unsigned char *start, int val);
  * \return          The number of bytes written to \p p on success.
  * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_tagged_string(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_tagged_string(unsigned char **p, const unsigned char *start,
                                      int tag, const char *text,
                                      size_t text_len);
 
@@ -251,7 +260,7 @@ int mbedtls_asn1_write_tagged_string(unsigned char **p, unsigned char *start,
  * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_printable_string(unsigned char **p,
-                                        unsigned char *start,
+                                        const unsigned char *start,
                                         const char *text, size_t text_len);
 
 /**
@@ -269,7 +278,7 @@ int mbedtls_asn1_write_printable_string(unsigned char **p,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_utf8_string(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_utf8_string(unsigned char **p, const unsigned char *start,
                                    const char *text, size_t text_len);
 
 /**
@@ -287,7 +296,7 @@ int mbedtls_asn1_write_utf8_string(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_ia5_string(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_ia5_string(unsigned char **p, const unsigned char *start,
                                   const char *text, size_t text_len);
 
 /**
@@ -304,7 +313,7 @@ int mbedtls_asn1_write_ia5_string(unsigned char **p, unsigned char *start,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_bitstring(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_bitstring(unsigned char **p, const unsigned char *start,
                                  const unsigned char *buf, size_t bits);
 
 /**
@@ -325,7 +334,7 @@ int mbedtls_asn1_write_bitstring(unsigned char **p, unsigned char *start,
  * \return          A negative error code on failure.
  */
 int mbedtls_asn1_write_named_bitstring(unsigned char **p,
-                                       unsigned char *start,
+                                       const unsigned char *start,
                                        const unsigned char *buf,
                                        size_t bits);
 
@@ -343,7 +352,7 @@ int mbedtls_asn1_write_named_bitstring(unsigned char **p,
  * \return          The number of bytes written to \p p on success.
  * \return          A negative error code on failure.
  */
-int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
+int mbedtls_asn1_write_octet_string(unsigned char **p, const unsigned char *start,
                                     const unsigned char *buf, size_t size);
 
 /**
@@ -365,7 +374,7 @@ int mbedtls_asn1_write_octet_string(unsigned char **p, unsigned char *start,
  *                  the existing buffer to fit \p val_len.
  *
  * \return          A pointer to the new / existing entry on success.
- * \return          \c NULL if if there was a memory allocation error.
+ * \return          \c NULL if there was a memory allocation error.
  */
 mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data **list,
                                                        const char *oid, size_t oid_len,
@@ -376,4 +385,6 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(mbedtls_asn1_named_data *
 }
 #endif
 
+#endif /* MBEDTLS_ASN1_WRITE_C */
+
 #endif /* MBEDTLS_ASN1_WRITE_H */

+ 1 - 5
thirdparty/mbedtls/include/mbedtls/base64.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_BASE64_H
 #define MBEDTLS_BASE64_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 

+ 44 - 52
thirdparty/mbedtls/include/mbedtls/bignum.h

@@ -9,12 +9,10 @@
  */
 #ifndef MBEDTLS_BIGNUM_H
 #define MBEDTLS_BIGNUM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -54,15 +52,15 @@
 
 #if !defined(MBEDTLS_MPI_WINDOW_SIZE)
 /*
- * Maximum window size used for modular exponentiation. Default: 2
+ * Maximum window size used for modular exponentiation. Default: 3
  * Minimum value: 1. Maximum value: 6.
  *
  * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
- * for the sliding window calculation. (So 64 by default)
+ * for the sliding window calculation. (So 8 by default)
  *
  * Reduction in size, reduces speed.
  */
-#define MBEDTLS_MPI_WINDOW_SIZE                           2        /**< Maximum window size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE                           3        /**< Maximum window size used. */
 #endif /* !MBEDTLS_MPI_WINDOW_SIZE */
 
 #if !defined(MBEDTLS_MPI_MAX_SIZE)
@@ -120,6 +118,7 @@
         #endif /* !MBEDTLS_HAVE_INT64 */
 typedef  int64_t mbedtls_mpi_sint;
 typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX                UINT64_MAX
     #elif defined(__GNUC__) && (                         \
     defined(__amd64__) || defined(__x86_64__)     || \
     defined(__ppc64__) || defined(__powerpc64__)  || \
@@ -132,6 +131,7 @@ typedef uint64_t mbedtls_mpi_uint;
         #endif /* MBEDTLS_HAVE_INT64 */
 typedef  int64_t mbedtls_mpi_sint;
 typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX                UINT64_MAX
         #if !defined(MBEDTLS_NO_UDBL_DIVISION)
 /* mbedtls_t_udbl defined as 128-bit unsigned int */
 typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
@@ -147,6 +147,7 @@ typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
         #endif /* !MBEDTLS_HAVE_INT64 */
 typedef  int64_t mbedtls_mpi_sint;
 typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX                UINT64_MAX
         #if !defined(MBEDTLS_NO_UDBL_DIVISION)
 /* mbedtls_t_udbl defined as 128-bit unsigned int */
 typedef __uint128_t mbedtls_t_udbl;
@@ -156,6 +157,7 @@ typedef __uint128_t mbedtls_t_udbl;
 /* Force 64-bit integers with unknown compiler */
 typedef  int64_t mbedtls_mpi_sint;
 typedef uint64_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX                UINT64_MAX
     #endif
 #endif /* !MBEDTLS_HAVE_INT32 */
 
@@ -166,12 +168,22 @@ typedef uint64_t mbedtls_mpi_uint;
     #endif /* !MBEDTLS_HAVE_INT32 */
 typedef  int32_t mbedtls_mpi_sint;
 typedef uint32_t mbedtls_mpi_uint;
+#define MBEDTLS_MPI_UINT_MAX                UINT32_MAX
     #if !defined(MBEDTLS_NO_UDBL_DIVISION)
 typedef uint64_t mbedtls_t_udbl;
         #define MBEDTLS_HAVE_UDBL
     #endif /* !MBEDTLS_NO_UDBL_DIVISION */
 #endif /* !MBEDTLS_HAVE_INT64 */
 
+/*
+ * Sanity check that exactly one of MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64 is defined,
+ * so that code elsewhere doesn't have to check.
+ */
+#if (!(defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64))) || \
+    (defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64))
+#error "Only 32-bit or 64-bit limbs are supported in bignum"
+#endif
+
 /** \typedef mbedtls_mpi_uint
  * \brief The type of machine digits in a bignum, called _limbs_.
  *
@@ -182,7 +194,7 @@ typedef uint64_t mbedtls_t_udbl;
 /** \typedef mbedtls_mpi_sint
  * \brief The signed type corresponding to #mbedtls_mpi_uint.
  *
- * This is always a signed integer type with no padding bits. The size
+ * This is always an signed integer type with no padding bits. The size
  * is platform-dependent.
  */
 
@@ -194,6 +206,12 @@ extern "C" {
  * \brief          MPI structure
  */
 typedef struct mbedtls_mpi {
+    /** Pointer to limbs.
+     *
+     * This may be \c NULL if \c n is 0.
+     */
+    mbedtls_mpi_uint *MBEDTLS_PRIVATE(p);
+
     /** Sign: -1 if the mpi is negative, 1 otherwise.
      *
      * The number 0 must be represented with `s = +1`. Although many library
@@ -205,16 +223,19 @@ typedef struct mbedtls_mpi {
      * Note that this implies that calloc() or `... = {0}` does not create
      * a valid MPI representation. You must call mbedtls_mpi_init().
      */
-    int s;
+    signed short MBEDTLS_PRIVATE(s);
 
     /** Total number of limbs in \c p.  */
-    size_t n;
-
-    /** Pointer to limbs.
-     *
-     * This may be \c NULL if \c n is 0.
+    unsigned short MBEDTLS_PRIVATE(n);
+    /* Make sure that MBEDTLS_MPI_MAX_LIMBS fits in n.
+     * Use the same limit value on all platforms so that we don't have to
+     * think about different behavior on the rare platforms where
+     * unsigned short can store values larger than the minimum required by
+     * the C language, which is 65535.
      */
-    mbedtls_mpi_uint *p;
+#if MBEDTLS_MPI_MAX_LIMBS > 65535
+#error "MBEDTLS_MPI_MAX_LIMBS > 65535 is not supported"
+#endif
 }
 mbedtls_mpi;
 
@@ -585,6 +606,8 @@ int mbedtls_mpi_write_binary_le(const mbedtls_mpi *X,
  * \brief          Perform a left-shift on an MPI: X <<= count
  *
  * \param X        The MPI to shift. This must point to an initialized MPI.
+ *                 The MPI pointed by \p X may be resized to fit
+ *                 the resulting number.
  * \param count    The number of bits to shift by.
  *
  * \return         \c 0 if successful.
@@ -858,7 +881,7 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
                         mbedtls_mpi_sint b);
 
 /**
- * \brief          Perform a sliding-window exponentiation: X = A^E mod N
+ * \brief          Perform a modular exponentiation: X = A^E mod N
  *
  * \param X        The destination MPI. This must point to an initialized MPI.
  *                 This must not alias E or N.
@@ -906,7 +929,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
  *                 be relevant in applications like deterministic ECDSA.
  */
 int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /** Generate a random number uniformly in a range.
@@ -944,7 +967,7 @@ int mbedtls_mpi_fill_random(mbedtls_mpi *X, size_t size,
 int mbedtls_mpi_random(mbedtls_mpi *X,
                        mbedtls_mpi_sint min,
                        const mbedtls_mpi *N,
-                       int (*f_rng)(void *, unsigned char *, size_t),
+                       mbedtls_f_rng_t *f_rng,
                        void *p_rng);
 
 /**
@@ -980,37 +1003,6 @@ int mbedtls_mpi_gcd(mbedtls_mpi *G, const mbedtls_mpi *A,
 int mbedtls_mpi_inv_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
                         const mbedtls_mpi *N);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Perform a Miller-Rabin primality test with error
- *                 probability of 2<sup>-80</sup>.
- *
- * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
- *                 specifying the number of Miller-Rabin rounds.
- *
- * \param X        The MPI to check for primality.
- *                 This must point to an initialized MPI.
- * \param f_rng    The RNG function to use. This must not be \c NULL.
- * \param p_rng    The RNG parameter to be passed to \p f_rng.
- *                 This may be \c NULL if \p f_rng doesn't use a
- *                 context parameter.
- *
- * \return         \c 0 if successful, i.e. \p X is probably prime.
- * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
- * \return         Another negative error code on other kinds of failure.
- */
-MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
-                                            int (*f_rng)(void *, unsigned char *, size_t),
-                                            void *p_rng);
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          Miller-Rabin primality test.
  *
@@ -1039,7 +1031,7 @@ MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
  * \return         Another negative error code on other kinds of failure.
  */
 int mbedtls_mpi_is_prime_ext(const mbedtls_mpi *X, int rounds,
-                             int (*f_rng)(void *, unsigned char *, size_t),
+                             mbedtls_f_rng_t *f_rng,
                              void *p_rng);
 /**
  * \brief Flags for mbedtls_mpi_gen_prime()
@@ -1072,7 +1064,7 @@ typedef enum {
  *                 \c 3 and #MBEDTLS_MPI_MAX_BITS.
  */
 int mbedtls_mpi_gen_prime(mbedtls_mpi *X, size_t nbits, int flags,
-                          int (*f_rng)(void *, unsigned char *, size_t),
+                          mbedtls_f_rng_t *f_rng,
                           void *p_rng);
 
 #if defined(MBEDTLS_SELF_TEST)

+ 76 - 0
thirdparty/mbedtls/include/mbedtls/block_cipher.h

@@ -0,0 +1,76 @@
+/**
+ * \file block_cipher.h
+ *
+ * \brief Internal abstraction layer.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_BLOCK_CIPHER_H
+#define MBEDTLS_BLOCK_CIPHER_H
+
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+#include "psa/crypto_types.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+    MBEDTLS_BLOCK_CIPHER_ID_NONE = 0,  /**< Unset. */
+    MBEDTLS_BLOCK_CIPHER_ID_AES,       /**< The AES cipher. */
+    MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
+    MBEDTLS_BLOCK_CIPHER_ID_ARIA,      /**< The Aria cipher. */
+} mbedtls_block_cipher_id_t;
+
+/**
+ * Used internally to indicate whether a context uses legacy or PSA.
+ *
+ * Internal use only.
+ */
+typedef enum {
+    MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY = 0,
+    MBEDTLS_BLOCK_CIPHER_ENGINE_PSA,
+} mbedtls_block_cipher_engine_t;
+
+typedef struct {
+    mbedtls_block_cipher_id_t MBEDTLS_PRIVATE(id);
+#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
+    mbedtls_block_cipher_engine_t MBEDTLS_PRIVATE(engine);
+    mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psa_key_id);
+#endif
+    union {
+        unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
+#if defined(MBEDTLS_AES_C)
+        mbedtls_aes_context MBEDTLS_PRIVATE(aes);
+#endif
+#if defined(MBEDTLS_ARIA_C)
+        mbedtls_aria_context MBEDTLS_PRIVATE(aria);
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+        mbedtls_camellia_context MBEDTLS_PRIVATE(camellia);
+#endif
+    } MBEDTLS_PRIVATE(ctx);
+} mbedtls_block_cipher_context_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_BLOCK_CIPHER_H */

+ 0 - 275
thirdparty/mbedtls/include/mbedtls/blowfish.h

@@ -1,275 +0,0 @@
-/**
- * \file blowfish.h
- *
- * \brief Blowfish block cipher
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_BLOWFISH_H
-#define MBEDTLS_BLOWFISH_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "mbedtls/platform_util.h"
-
-#define MBEDTLS_BLOWFISH_ENCRYPT     1
-#define MBEDTLS_BLOWFISH_DECRYPT     0
-#define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
-#define MBEDTLS_BLOWFISH_MIN_KEY_BITS     32
-#define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
-#define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(-0x0016)
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-/** Bad input data. */
-#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016
-
-/** Invalid data input length. */
-#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018
-
-/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
- */
-/** Blowfish hardware accelerator failed. */
-#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_BLOWFISH_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          Blowfish context structure
- */
-typedef struct mbedtls_blowfish_context {
-    uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
-    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
-}
-mbedtls_blowfish_context;
-
-#else  /* MBEDTLS_BLOWFISH_ALT */
-#include "blowfish_alt.h"
-#endif /* MBEDTLS_BLOWFISH_ALT */
-
-/**
- * \brief          Initialize a Blowfish context.
- *
- * \param ctx      The Blowfish context to be initialized.
- *                 This must not be \c NULL.
- */
-void mbedtls_blowfish_init(mbedtls_blowfish_context *ctx);
-
-/**
- * \brief          Clear a Blowfish context.
- *
- * \param ctx      The Blowfish context to be cleared.
- *                 This may be \c NULL, in which case this function
- *                 returns immediately. If it is not \c NULL, it must
- *                 point to an initialized Blowfish context.
- */
-void mbedtls_blowfish_free(mbedtls_blowfish_context *ctx);
-
-/**
- * \brief          Perform a Blowfish key schedule operation.
- *
- * \param ctx      The Blowfish context to perform the key schedule on.
- * \param key      The encryption key. This must be a readable buffer of
- *                 length \p keybits Bits.
- * \param keybits  The length of \p key in Bits. This must be between
- *                 \c 32 and \c 448 and a multiple of \c 8.
- *
- * \return         \c 0 if successful.
- * \return         A negative error code on failure.
- */
-int mbedtls_blowfish_setkey(mbedtls_blowfish_context *ctx, const unsigned char *key,
-                            unsigned int keybits);
-
-/**
- * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
- *
- * \param ctx      The Blowfish context to use. This must be initialized
- *                 and bound to a key.
- * \param mode     The mode of operation. Possible values are
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
- *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
- * \param input    The input block. This must be a readable buffer
- *                 of size \c 8 Bytes.
- * \param output   The output block. This must be a writable buffer
- *                 of size \c 8 Bytes.
- *
- * \return         \c 0 if successful.
- * \return         A negative error code on failure.
- */
-int mbedtls_blowfish_crypt_ecb(mbedtls_blowfish_context *ctx,
-                               int mode,
-                               const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
-                               unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
- *
- * \note           Upon exit, the content of the IV is updated so that you can
- *                 call the function same function again on the following
- *                 block(s) of data and get the same result as if it was
- *                 encrypted in one call. This allows a "streaming" usage.
- *                 If on the other hand you need to retain the contents of the
- *                 IV, you should either save it manually or use the cipher
- *                 module instead.
- *
- * \param ctx      The Blowfish context to use. This must be initialized
- *                 and bound to a key.
- * \param mode     The mode of operation. Possible values are
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
- *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
- * \param length   The length of the input data in Bytes. This must be
- *                 multiple of \c 8.
- * \param iv       The initialization vector. This must be a read/write buffer
- *                 of length \c 8 Bytes. It is updated by this function.
- * \param input    The input data. This must be a readable buffer of length
- *                 \p length Bytes.
- * \param output   The output data. This must be a writable buffer of length
- *                 \p length Bytes.
- *
- * \return         \c 0 if successful.
- * \return         A negative error code on failure.
- */
-int mbedtls_blowfish_crypt_cbc(mbedtls_blowfish_context *ctx,
-                               int mode,
-                               size_t length,
-                               unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
-                               const unsigned char *input,
-                               unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_CIPHER_MODE_CFB)
-/**
- * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
- *
- * \note           Upon exit, the content of the IV is updated so that you can
- *                 call the function same function again on the following
- *                 block(s) of data and get the same result as if it was
- *                 encrypted in one call. This allows a "streaming" usage.
- *                 If on the other hand you need to retain the contents of the
- *                 IV, you should either save it manually or use the cipher
- *                 module instead.
- *
- * \param ctx      The Blowfish context to use. This must be initialized
- *                 and bound to a key.
- * \param mode     The mode of operation. Possible values are
- *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
- *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
- * \param length   The length of the input data in Bytes.
- * \param iv_off   The offset in the initialization vector.
- *                 The value pointed to must be smaller than \c 8 Bytes.
- *                 It is updated by this function to support the aforementioned
- *                 streaming usage.
- * \param iv       The initialization vector. This must be a read/write buffer
- *                 of size \c 8 Bytes. It is updated after use.
- * \param input    The input data. This must be a readable buffer of length
- *                 \p length Bytes.
- * \param output   The output data. This must be a writable buffer of length
- *                 \p length Bytes.
- *
- * \return         \c 0 if successful.
- * \return         A negative error code on failure.
- */
-int mbedtls_blowfish_crypt_cfb64(mbedtls_blowfish_context *ctx,
-                                 int mode,
-                                 size_t length,
-                                 size_t *iv_off,
-                                 unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
-                                 const unsigned char *input,
-                                 unsigned char *output);
-#endif /*MBEDTLS_CIPHER_MODE_CFB */
-
-#if defined(MBEDTLS_CIPHER_MODE_CTR)
-/**
- * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
- *
- * \warning    You must never reuse a nonce value with the same key. Doing so
- *             would void the encryption for the two messages encrypted with
- *             the same nonce and key.
- *
- *             There are two common strategies for managing nonces with CTR:
- *
- *             1. You can handle everything as a single message processed over
- *             successive calls to this function. In that case, you want to
- *             set \p nonce_counter and \p nc_off to 0 for the first call, and
- *             then preserve the values of \p nonce_counter, \p nc_off and \p
- *             stream_block across calls to this function as they will be
- *             updated by this function.
- *
- *             With this strategy, you must not encrypt more than 2**64
- *             blocks of data with the same key.
- *
- *             2. You can encrypt separate messages by dividing the \p
- *             nonce_counter buffer in two areas: the first one used for a
- *             per-message nonce, handled by yourself, and the second one
- *             updated by this function internally.
- *
- *             For example, you might reserve the first 4 bytes for the
- *             per-message nonce, and the last 4 bytes for internal use. In that
- *             case, before calling this function on a new message you need to
- *             set the first 4 bytes of \p nonce_counter to your chosen nonce
- *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
- *             stream_block to be ignored). That way, you can encrypt at most
- *             2**32 messages of up to 2**32 blocks each with the same key.
- *
- *             The per-message nonce (or information sufficient to reconstruct
- *             it) needs to be communicated with the ciphertext and must be unique.
- *             The recommended way to ensure uniqueness is to use a message
- *             counter.
- *
- *             Note that for both strategies, sizes are measured in blocks and
- *             that a Blowfish block is 8 bytes.
- *
- * \warning    Upon return, \p stream_block contains sensitive data. Its
- *             content must not be written to insecure storage and should be
- *             securely discarded as soon as it's no longer needed.
- *
- * \param ctx           The Blowfish context to use. This must be initialized
- *                      and bound to a key.
- * \param length        The length of the input data in Bytes.
- * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer
- *                      should be \c 0 at the start of a stream and must be
- *                      smaller than \c 8. It is updated by this function.
- * \param nonce_counter The 64-bit nonce and counter. This must point to a
- *                      read/write buffer of length \c 8 Bytes.
- * \param stream_block  The saved stream-block for resuming. This must point to
- *                      a read/write buffer of length \c 8 Bytes.
- * \param input         The input data. This must be a readable buffer of
- *                      length \p length Bytes.
- * \param output        The output data. This must be a writable buffer of
- *                      length \p length Bytes.
- *
- * \return              \c 0 if successful.
- * \return              A negative error code on failure.
- */
-int mbedtls_blowfish_crypt_ctr(mbedtls_blowfish_context *ctx,
-                               size_t length,
-                               size_t *nc_off,
-                               unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
-                               unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
-                               const unsigned char *input,
-                               unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CTR */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* blowfish.h */

+ 194 - 0
thirdparty/mbedtls/include/mbedtls/build_info.h

@@ -0,0 +1,194 @@
+/**
+ * \file mbedtls/build_info.h
+ *
+ * \brief Build-time configuration info
+ *
+ *  Include this file if you need to depend on the
+ *  configuration options defined in mbedtls_config.h or MBEDTLS_CONFIG_FILE
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_BUILD_INFO_H
+#define MBEDTLS_BUILD_INFO_H
+
+/*
+ * This set of compile-time defines can be used to determine the version number
+ * of the Mbed TLS library used. Run-time variables for the same can be found in
+ * version.h
+ */
+
+/**
+ * The version number x.y.z is split into three parts.
+ * Major, Minor, Patchlevel
+ */
+#define MBEDTLS_VERSION_MAJOR  3
+#define MBEDTLS_VERSION_MINOR  6
+#define MBEDTLS_VERSION_PATCH  4
+
+/**
+ * The single version number has the following structure:
+ *    MMNNPP00
+ *    Major version | Minor version | Patch version
+ */
+#define MBEDTLS_VERSION_NUMBER         0x03060400
+#define MBEDTLS_VERSION_STRING         "3.6.4"
+#define MBEDTLS_VERSION_STRING_FULL    "Mbed TLS 3.6.4"
+
+/* Macros for build-time platform detection */
+
+#if !defined(MBEDTLS_ARCH_IS_ARM64) && \
+    (defined(__aarch64__) || defined(_M_ARM64) || defined(_M_ARM64EC))
+#define MBEDTLS_ARCH_IS_ARM64
+#endif
+
+#if !defined(MBEDTLS_ARCH_IS_ARM32) && \
+    (defined(__arm__) || defined(_M_ARM) || \
+    defined(_M_ARMT) || defined(__thumb__) || defined(__thumb2__))
+#define MBEDTLS_ARCH_IS_ARM32
+#endif
+
+#if !defined(MBEDTLS_ARCH_IS_X64) && \
+    (defined(__amd64__) || defined(__x86_64__) || \
+    ((defined(_M_X64) || defined(_M_AMD64)) && !defined(_M_ARM64EC)))
+#define MBEDTLS_ARCH_IS_X64
+#endif
+
+#if !defined(MBEDTLS_ARCH_IS_X86) && \
+    (defined(__i386__) || defined(_X86_) || \
+    (defined(_M_IX86) && !defined(_M_I86)))
+#define MBEDTLS_ARCH_IS_X86
+#endif
+
+#if !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
+    (defined(_M_ARM64) || defined(_M_ARM64EC))
+#define MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64
+#endif
+
+/* This is defined if the architecture is Armv8-A, or higher */
+#if !defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#if defined(__ARM_ARCH) && defined(__ARM_ARCH_PROFILE)
+#if (__ARM_ARCH >= 8) && (__ARM_ARCH_PROFILE == 'A')
+/* GCC, clang, armclang and IAR */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#endif
+#elif defined(__ARM_ARCH_8A)
+/* Alternative defined by clang */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#elif defined(_M_ARM64) || defined(_M_ARM64EC)
+/* MSVC ARM64 is at least Armv8.0-A */
+#define MBEDTLS_ARCH_IS_ARMV8_A
+#endif
+#endif
+
+#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
+    && !defined(__llvm__) && !defined(__INTEL_COMPILER)
+/* Defined if the compiler really is gcc and not clang, etc */
+#define MBEDTLS_COMPILER_IS_GCC
+#define MBEDTLS_GCC_VERSION \
+    (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+#endif
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/* Define `inline` on some non-C99-compliant compilers. */
+#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#if defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Something went wrong: MBEDTLS_CONFIG_FILES_READ defined before reading the config files!"
+#endif
+#if defined(MBEDTLS_CONFIG_IS_FINALIZED)
+#error "Something went wrong: MBEDTLS_CONFIG_IS_FINALIZED defined before reading the config files!"
+#endif
+
+/* X.509, TLS and non-PSA crypto configuration */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/mbedtls_config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CONFIG_VERSION) && ( \
+    MBEDTLS_CONFIG_VERSION < 0x03000000 || \
+                             MBEDTLS_CONFIG_VERSION > MBEDTLS_VERSION_NUMBER)
+#error "Invalid config version, defined value of MBEDTLS_CONFIG_VERSION is unsupported"
+#endif
+
+/* Target and application specific configurations
+ *
+ * Allow user to override any previous default.
+ *
+ */
+#if defined(MBEDTLS_USER_CONFIG_FILE)
+#include MBEDTLS_USER_CONFIG_FILE
+#endif
+
+/* PSA crypto configuration */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_CONFIG_FILE
+#else
+#include "psa/crypto_config.h"
+#endif
+#if defined(MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE)
+#include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
+#endif
+#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
+
+/* Indicate that all configuration files have been read.
+ * It is now time to adjust the configuration (follow through on dependencies,
+ * make PSA and legacy crypto consistent, etc.).
+ */
+#define MBEDTLS_CONFIG_FILES_READ
+
+/* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if
+ * MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined
+ * to ensure a 128-bit key size in CTR_DRBG.
+ */
+#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) && defined(MBEDTLS_CTR_DRBG_C)
+#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+#endif
+
+/* Auto-enable MBEDTLS_MD_C if needed by a module that didn't require it
+ * in a previous release, to ensure backwards compatibility.
+ */
+#if defined(MBEDTLS_PKCS5_C)
+#define MBEDTLS_MD_C
+#endif
+
+/* PSA crypto specific configuration options
+ * - If config_psa.h reads a configuration option in preprocessor directive,
+ *   this symbol should be set before its inclusion. (e.g. MBEDTLS_MD_C)
+ * - If config_psa.h writes a configuration option in conditional directive,
+ *   this symbol should be consulted after its inclusion.
+ *   (e.g. MBEDTLS_MD_LIGHT)
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
+    defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ || \
+    defined(MBEDTLS_PSA_CRYPTO_CLIENT) /* The same as the previous, but with separation only */
+#include "mbedtls/config_psa.h"
+#endif
+
+#include "mbedtls/config_adjust_legacy_crypto.h"
+
+#include "mbedtls/config_adjust_x509.h"
+
+#include "mbedtls/config_adjust_ssl.h"
+
+/* Indicate that all configuration symbols are set,
+ * even the ones that are calculated programmatically.
+ * It is now safe to query the configuration (to check it, to size buffers,
+ * etc.).
+ */
+#define MBEDTLS_CONFIG_IS_FINALIZED
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_BUILD_INFO_H */

+ 6 - 15
thirdparty/mbedtls/include/mbedtls/camellia.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_CAMELLIA_H
 #define MBEDTLS_CAMELLIA_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -24,20 +21,12 @@
 #define MBEDTLS_CAMELLIA_ENCRYPT     1
 #define MBEDTLS_CAMELLIA_DECRYPT     0
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(-0x0024)
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 /** Bad input data. */
 #define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024
 
 /** Invalid data input length. */
 #define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026
 
-/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
- */
-/** Camellia hardware accelerator failed. */
-#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -50,8 +39,8 @@ extern "C" {
  * \brief          CAMELLIA context structure
  */
 typedef struct mbedtls_camellia_context {
-    int nr;                     /*!<  number of rounds  */
-    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
+    int MBEDTLS_PRIVATE(nr);                     /*!<  number of rounds  */
+    uint32_t MBEDTLS_PRIVATE(rk)[68];            /*!<  CAMELLIA round keys    */
 }
 mbedtls_camellia_context;
 
@@ -92,6 +81,7 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
                                 const unsigned char *key,
                                 unsigned int keybits);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief          Perform a CAMELLIA key schedule operation for decryption.
  *
@@ -107,6 +97,7 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
 int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
                                 const unsigned char *key,
                                 unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 /**
  * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.

+ 255 - 27
thirdparty/mbedtls/include/mbedtls/ccm.h

@@ -34,24 +34,26 @@
 
 #ifndef MBEDTLS_CCM_H
 #define MBEDTLS_CCM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/cipher.h"
 
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "mbedtls/block_cipher.h"
+#endif
+
+#define MBEDTLS_CCM_DECRYPT       0
+#define MBEDTLS_CCM_ENCRYPT       1
+#define MBEDTLS_CCM_STAR_DECRYPT  2
+#define MBEDTLS_CCM_STAR_ENCRYPT  3
+
 /** Bad input parameters to the function. */
 #define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D
 /** Authenticated decryption failed. */
 #define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F
 
-/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** CCM hardware accelerator failed. */
-#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -65,7 +67,30 @@ extern "C" {
  *           to the APIs called.
  */
 typedef struct mbedtls_ccm_context {
-    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+    unsigned char MBEDTLS_PRIVATE(y)[16];    /*!< The Y working buffer */
+    unsigned char MBEDTLS_PRIVATE(ctr)[16];  /*!< The counter buffer */
+    size_t MBEDTLS_PRIVATE(plaintext_len);   /*!< Total plaintext length */
+    size_t MBEDTLS_PRIVATE(add_len);         /*!< Total authentication data length */
+    size_t MBEDTLS_PRIVATE(tag_len);         /*!< Total tag length */
+    size_t MBEDTLS_PRIVATE(processed);       /*!< Track how many bytes of input data
+                                                  were processed (chunked input).
+                                                  Used independently for both auth data
+                                                  and plaintext/ciphertext.
+                                                  This variable is set to zero after
+                                                  auth data input is finished. */
+    unsigned int MBEDTLS_PRIVATE(q);         /*!< The Q working value */
+    unsigned int MBEDTLS_PRIVATE(mode);      /*!< The operation to perform:
+                                              #MBEDTLS_CCM_ENCRYPT or
+                                              #MBEDTLS_CCM_DECRYPT or
+                                              #MBEDTLS_CCM_STAR_ENCRYPT or
+                                              #MBEDTLS_CCM_STAR_DECRYPT. */
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+    mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx);    /*!< The cipher context used. */
+#else
+    mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx);    /*!< The cipher context used. */
+#endif
+    int MBEDTLS_PRIVATE(state);              /*!< Working value holding context's
+                                                  state. Used for chunked data input */
 }
 mbedtls_ccm_context;
 
@@ -126,10 +151,10 @@ void mbedtls_ccm_free(mbedtls_ccm_context *ctx);
  * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
  *                  or 13. The length L of the message length field is
  *                  15 - \p iv_len.
- * \param add       The additional data field. If \p add_len is greater than
- *                  zero, \p add must be a readable buffer of at least that
+ * \param ad        The additional data field. If \p ad_len is greater than
+ *                  zero, \p ad must be a readable buffer of at least that
  *                  length.
- * \param add_len   The length of additional data in Bytes.
+ * \param ad_len    The length of additional data in Bytes.
  *                  This must be less than `2^16 - 2^8`.
  * \param input     The buffer holding the input data. If \p length is greater
  *                  than zero, \p input must be a readable buffer of at least
@@ -147,7 +172,7 @@ void mbedtls_ccm_free(mbedtls_ccm_context *ctx);
  */
 int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
                                 const unsigned char *iv, size_t iv_len,
-                                const unsigned char *add, size_t add_len,
+                                const unsigned char *ad, size_t ad_len,
                                 const unsigned char *input, unsigned char *output,
                                 unsigned char *tag, size_t tag_len);
 
@@ -167,14 +192,15 @@ int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
  * \param ctx       The CCM context to use for encryption. This must be
  *                  initialized and bound to a key.
  * \param length    The length of the input data in Bytes.
+ *                  For tag length = 0, input length is ignored.
  * \param iv        The initialization vector (nonce). This must be a readable
  *                  buffer of at least \p iv_len Bytes.
  * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
  *                  or 13. The length L of the message length field is
  *                  15 - \p iv_len.
- * \param add       The additional data field. This must be a readable buffer of
- *                  at least \p add_len Bytes.
- * \param add_len   The length of additional data in Bytes.
+ * \param ad        The additional data field. This must be a readable buffer of
+ *                  at least \p ad_len Bytes.
+ * \param ad_len    The length of additional data in Bytes.
  *                  This must be less than 2^16 - 2^8.
  * \param input     The buffer holding the input data. If \p length is greater
  *                  than zero, \p input must be a readable buffer of at least
@@ -195,7 +221,7 @@ int mbedtls_ccm_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
  */
 int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
                                      const unsigned char *iv, size_t iv_len,
-                                     const unsigned char *add, size_t add_len,
+                                     const unsigned char *ad, size_t ad_len,
                                      const unsigned char *input, unsigned char *output,
                                      unsigned char *tag, size_t tag_len);
 
@@ -211,9 +237,9 @@ int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
  * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
  *                  or 13. The length L of the message length field is
  *                  15 - \p iv_len.
- * \param add       The additional data field. This must be a readable buffer
- *                  of at least that \p add_len Bytes..
- * \param add_len   The length of additional data in Bytes.
+ * \param ad        The additional data field. This must be a readable buffer
+ *                  of at least that \p ad_len Bytes..
+ * \param ad_len    The length of additional data in Bytes.
  *                  This must be less than 2^16 - 2^8.
  * \param input     The buffer holding the input data. If \p length is greater
  *                  than zero, \p input must be a readable buffer of at least
@@ -232,7 +258,7 @@ int mbedtls_ccm_star_encrypt_and_tag(mbedtls_ccm_context *ctx, size_t length,
  */
 int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
                              const unsigned char *iv, size_t iv_len,
-                             const unsigned char *add, size_t add_len,
+                             const unsigned char *ad, size_t ad_len,
                              const unsigned char *input, unsigned char *output,
                              const unsigned char *tag, size_t tag_len);
 
@@ -248,14 +274,15 @@ int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
  * \param ctx       The CCM context to use for decryption. This must be
  *                  initialized and bound to a key.
  * \param length    The length of the input data in Bytes.
+ *                  For tag length = 0, input length is ignored.
  * \param iv        The initialization vector (nonce). This must be a readable
  *                  buffer of at least \p iv_len Bytes.
  * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
  *                  or 13. The length L of the message length field is
  *                  15 - \p iv_len.
- * \param add       The additional data field. This must be a readable buffer of
- *                  at least that \p add_len Bytes.
- * \param add_len   The length of additional data in Bytes.
+ * \param ad        The additional data field. This must be a readable buffer of
+ *                  at least that \p ad_len Bytes.
+ * \param ad_len    The length of additional data in Bytes.
  *                  This must be less than 2^16 - 2^8.
  * \param input     The buffer holding the input data. If \p length is greater
  *                  than zero, \p input must be a readable buffer of at least
@@ -277,11 +304,212 @@ int mbedtls_ccm_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
  */
 int mbedtls_ccm_star_auth_decrypt(mbedtls_ccm_context *ctx, size_t length,
                                   const unsigned char *iv, size_t iv_len,
-                                  const unsigned char *add, size_t add_len,
+                                  const unsigned char *ad, size_t ad_len,
                                   const unsigned char *input, unsigned char *output,
                                   const unsigned char *tag, size_t tag_len);
 
-#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief           This function starts a CCM encryption or decryption
+ *                  operation.
+ *
+ *                  This function and mbedtls_ccm_set_lengths() must be called
+ *                  before calling mbedtls_ccm_update_ad() or
+ *                  mbedtls_ccm_update(). This function can be called before
+ *                  or after mbedtls_ccm_set_lengths().
+ *
+ * \note            This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx       The CCM context. This must be initialized.
+ * \param mode      The operation to perform: #MBEDTLS_CCM_ENCRYPT or
+ *                  #MBEDTLS_CCM_DECRYPT or #MBEDTLS_CCM_STAR_ENCRYPT or
+ *                  #MBEDTLS_CCM_STAR_DECRYPT.
+ * \param iv        The initialization vector. This must be a readable buffer
+ *                  of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ *                  \p ctx is in an invalid state,
+ *                  \p mode is invalid,
+ *                  \p iv_len is invalid (lower than \c 7 or greater than
+ *                  \c 13).
+ */
+int mbedtls_ccm_starts(mbedtls_ccm_context *ctx,
+                       int mode,
+                       const unsigned char *iv,
+                       size_t iv_len);
+
+/**
+ * \brief           This function declares the lengths of the message
+ *                  and additional data for a CCM encryption or decryption
+ *                  operation.
+ *
+ *                  This function and mbedtls_ccm_starts() must be called
+ *                  before calling mbedtls_ccm_update_ad() or
+ *                  mbedtls_ccm_update(). This function can be called before
+ *                  or after mbedtls_ccm_starts().
+ *
+ * \note            This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx       The CCM context. This must be initialized.
+ * \param total_ad_len   The total length of additional data in bytes.
+ *                       This must be less than `2^16 - 2^8`.
+ * \param plaintext_len  The length in bytes of the plaintext to encrypt or
+ *                       result of the decryption (thus not encompassing the
+ *                       additional data that are not encrypted).
+ * \param tag_len   The length of the tag to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *                  For CCM*, zero is also valid.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ *                  \p ctx is in an invalid state,
+ *                  \p total_ad_len is greater than \c 0xFF00.
+ */
+int mbedtls_ccm_set_lengths(mbedtls_ccm_context *ctx,
+                            size_t total_ad_len,
+                            size_t plaintext_len,
+                            size_t tag_len);
+
+/**
+ * \brief           This function feeds an input buffer as associated data
+ *                  (authenticated but not encrypted data) in a CCM
+ *                  encryption or decryption operation.
+ *
+ *                  You may call this function zero, one or more times
+ *                  to pass successive parts of the additional data. The
+ *                  lengths \p ad_len of the data parts should eventually add
+ *                  up exactly to the total length of additional data
+ *                  \c total_ad_len passed to mbedtls_ccm_set_lengths(). You
+ *                  may not call this function after calling
+ *                  mbedtls_ccm_update().
+ *
+ * \note            This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx       The CCM context. This must have been started with
+ *                  mbedtls_ccm_starts(), the lengths of the message and
+ *                  additional data must have been declared with
+ *                  mbedtls_ccm_set_lengths() and this must not have yet
+ *                  received any input with mbedtls_ccm_update().
+ * \param ad        The buffer holding the additional data, or \c NULL
+ *                  if \p ad_len is \c 0.
+ * \param ad_len    The length of the additional data. If \c 0,
+ *                  \p ad may be \c NULL.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ *                  \p ctx is in an invalid state,
+ *                  total input length too long.
+ */
+int mbedtls_ccm_update_ad(mbedtls_ccm_context *ctx,
+                          const unsigned char *ad,
+                          size_t ad_len);
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing CCM
+ *                  encryption or decryption operation.
+ *
+ *                  You may call this function zero, one or more times
+ *                  to pass successive parts of the input: the plaintext to
+ *                  encrypt, or the ciphertext (not including the tag) to
+ *                  decrypt. After the last part of the input, call
+ *                  mbedtls_ccm_finish(). The lengths \p input_len of the
+ *                  data parts should eventually add up exactly to the
+ *                  plaintext length \c plaintext_len passed to
+ *                  mbedtls_ccm_set_lengths().
+ *
+ *                  This function may produce output in one of the following
+ *                  ways:
+ *                  - Immediate output: the output length is always equal
+ *                    to the input length.
+ *                  - Buffered output: except for the last part of input data,
+ *                    the output consists of a whole number of 16-byte blocks.
+ *                    If the total input length so far (not including
+ *                    associated data) is 16 \* *B* + *A* with *A* < 16 then
+ *                    the total output length is 16 \* *B*.
+ *                    For the last part of input data, the output length is
+ *                    equal to the input length plus the number of bytes (*A*)
+ *                    buffered in the previous call to the function (if any).
+ *                    The function uses the plaintext length
+ *                    \c plaintext_len passed to mbedtls_ccm_set_lengths()
+ *                    to detect the last part of input data.
+ *
+ *                  In particular:
+ *                  - It is always correct to call this function with
+ *                    \p output_size >= \p input_len + 15.
+ *                  - If \p input_len is a multiple of 16 for all the calls
+ *                    to this function during an operation (not necessary for
+ *                    the last one) then it is correct to use \p output_size
+ *                    =\p input_len.
+ *
+ * \note            This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx           The CCM context. This must have been started with
+ *                      mbedtls_ccm_starts() and the lengths of the message and
+ *                      additional data must have been declared with
+ *                      mbedtls_ccm_set_lengths().
+ * \param input         The buffer holding the input data. If \p input_len
+ *                      is greater than zero, this must be a readable buffer
+ *                      of at least \p input_len bytes.
+ * \param input_len     The length of the input data in bytes.
+ * \param output        The buffer for the output data. If \p output_size
+ *                      is greater than zero, this must be a writable buffer of
+ *                      at least \p output_size bytes.
+ * \param output_size   The size of the output buffer in bytes.
+ *                      See the function description regarding the output size.
+ * \param output_len    On success, \p *output_len contains the actual
+ *                      length of the output written in \p output.
+ *                      On failure, the content of \p *output_len is
+ *                      unspecified.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ *                 \p ctx is in an invalid state,
+ *                 total input length too long,
+ *                 or \p output_size too small.
+ */
+int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
+                       const unsigned char *input, size_t input_len,
+                       unsigned char *output, size_t output_size,
+                       size_t *output_len);
+
+/**
+ * \brief           This function finishes the CCM operation and generates
+ *                  the authentication tag.
+ *
+ *                  It wraps up the CCM stream, and generates the
+ *                  tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \note            This function is not implemented in Mbed TLS yet.
+ *
+ * \param ctx       The CCM context. This must have been started with
+ *                  mbedtls_ccm_starts() and the lengths of the message and
+ *                  additional data must have been declared with
+ *                  mbedtls_ccm_set_lengths().
+ * \param tag       The buffer for holding the tag. If \p tag_len is greater
+ *                  than zero, this must be a writable buffer of at least \p
+ *                  tag_len Bytes.
+ * \param tag_len   The length of the tag. Must match the tag length passed to
+ *                  mbedtls_ccm_set_lengths() function.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_BAD_INPUT on failure:
+ *                  \p ctx is in an invalid state,
+ *                  invalid value of \p tag_len,
+ *                  the total amount of additional data passed to
+ *                  mbedtls_ccm_update_ad() was lower than the total length of
+ *                  additional data \c total_ad_len passed to
+ *                  mbedtls_ccm_set_lengths(),
+ *                  the total amount of input data passed to
+ *                  mbedtls_ccm_update() was lower than the plaintext length
+ *                  \c plaintext_len passed to mbedtls_ccm_set_lengths().
+ */
+int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
+                       unsigned char *tag, size_t tag_len);
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
 /**
  * \brief          The CCM checkup routine.
  *

+ 0 - 238
thirdparty/mbedtls/include/mbedtls/certs.h

@@ -1,238 +0,0 @@
-/**
- * \file certs.h
- *
- * \brief Sample certificates and DHM parameters for testing
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_CERTS_H
-#define MBEDTLS_CERTS_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* List of all PEM-encoded CA certificates, terminated by NULL;
- * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
- * otherwise. */
-extern const char *mbedtls_test_cas[];
-extern const size_t mbedtls_test_cas_len[];
-
-/* List of all DER-encoded CA certificates, terminated by NULL */
-extern const unsigned char *mbedtls_test_cas_der[];
-extern const size_t mbedtls_test_cas_der_len[];
-
-#if defined(MBEDTLS_PEM_PARSE_C)
-/* Concatenation of all CA certificates in PEM format if available */
-extern const char   mbedtls_test_cas_pem[];
-extern const size_t mbedtls_test_cas_pem_len;
-#endif /* MBEDTLS_PEM_PARSE_C */
-
-/*
- * CA test certificates
- */
-
-extern const char mbedtls_test_ca_crt_ec_pem[];
-extern const char mbedtls_test_ca_key_ec_pem[];
-extern const char mbedtls_test_ca_pwd_ec_pem[];
-extern const char mbedtls_test_ca_key_rsa_pem[];
-extern const char mbedtls_test_ca_pwd_rsa_pem[];
-extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
-extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
-
-extern const unsigned char mbedtls_test_ca_crt_ec_der[];
-extern const unsigned char mbedtls_test_ca_key_ec_der[];
-extern const unsigned char mbedtls_test_ca_key_rsa_der[];
-extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
-extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
-
-extern const size_t mbedtls_test_ca_crt_ec_pem_len;
-extern const size_t mbedtls_test_ca_key_ec_pem_len;
-extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
-extern const size_t mbedtls_test_ca_key_rsa_pem_len;
-extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
-
-extern const size_t mbedtls_test_ca_crt_ec_der_len;
-extern const size_t mbedtls_test_ca_key_ec_der_len;
-extern const size_t mbedtls_test_ca_pwd_ec_der_len;
-extern const size_t mbedtls_test_ca_key_rsa_der_len;
-extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
-
-/* Config-dependent dispatch between PEM and DER encoding
- * (PEM if enabled, otherwise DER) */
-
-extern const char mbedtls_test_ca_crt_ec[];
-extern const char mbedtls_test_ca_key_ec[];
-extern const char mbedtls_test_ca_pwd_ec[];
-extern const char mbedtls_test_ca_key_rsa[];
-extern const char mbedtls_test_ca_pwd_rsa[];
-extern const char mbedtls_test_ca_crt_rsa_sha1[];
-extern const char mbedtls_test_ca_crt_rsa_sha256[];
-
-extern const size_t mbedtls_test_ca_crt_ec_len;
-extern const size_t mbedtls_test_ca_key_ec_len;
-extern const size_t mbedtls_test_ca_pwd_ec_len;
-extern const size_t mbedtls_test_ca_key_rsa_len;
-extern const size_t mbedtls_test_ca_pwd_rsa_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
-extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
-
-/* Config-dependent dispatch between SHA-1 and SHA-256
- * (SHA-256 if enabled, otherwise SHA-1) */
-
-extern const char mbedtls_test_ca_crt_rsa[];
-extern const size_t mbedtls_test_ca_crt_rsa_len;
-
-/* Config-dependent dispatch between EC and RSA
- * (RSA if enabled, otherwise EC) */
-
-extern const char *mbedtls_test_ca_crt;
-extern const char *mbedtls_test_ca_key;
-extern const char *mbedtls_test_ca_pwd;
-extern const size_t mbedtls_test_ca_crt_len;
-extern const size_t mbedtls_test_ca_key_len;
-extern const size_t mbedtls_test_ca_pwd_len;
-
-/*
- * Server test certificates
- */
-
-extern const char mbedtls_test_srv_crt_ec_pem[];
-extern const char mbedtls_test_srv_key_ec_pem[];
-extern const char mbedtls_test_srv_pwd_ec_pem[];
-extern const char mbedtls_test_srv_key_rsa_pem[];
-extern const char mbedtls_test_srv_pwd_rsa_pem[];
-extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
-extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
-
-extern const unsigned char mbedtls_test_srv_crt_ec_der[];
-extern const unsigned char mbedtls_test_srv_key_ec_der[];
-extern const unsigned char mbedtls_test_srv_key_rsa_der[];
-extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
-extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
-
-extern const size_t mbedtls_test_srv_crt_ec_pem_len;
-extern const size_t mbedtls_test_srv_key_ec_pem_len;
-extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
-extern const size_t mbedtls_test_srv_key_rsa_pem_len;
-extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
-
-extern const size_t mbedtls_test_srv_crt_ec_der_len;
-extern const size_t mbedtls_test_srv_key_ec_der_len;
-extern const size_t mbedtls_test_srv_pwd_ec_der_len;
-extern const size_t mbedtls_test_srv_key_rsa_der_len;
-extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
-
-/* Config-dependent dispatch between PEM and DER encoding
- * (PEM if enabled, otherwise DER) */
-
-extern const char mbedtls_test_srv_crt_ec[];
-extern const char mbedtls_test_srv_key_ec[];
-extern const char mbedtls_test_srv_pwd_ec[];
-extern const char mbedtls_test_srv_key_rsa[];
-extern const char mbedtls_test_srv_pwd_rsa[];
-extern const char mbedtls_test_srv_crt_rsa_sha1[];
-extern const char mbedtls_test_srv_crt_rsa_sha256[];
-
-extern const size_t mbedtls_test_srv_crt_ec_len;
-extern const size_t mbedtls_test_srv_key_ec_len;
-extern const size_t mbedtls_test_srv_pwd_ec_len;
-extern const size_t mbedtls_test_srv_key_rsa_len;
-extern const size_t mbedtls_test_srv_pwd_rsa_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
-extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
-
-/* Config-dependent dispatch between SHA-1 and SHA-256
- * (SHA-256 if enabled, otherwise SHA-1) */
-
-extern const char mbedtls_test_srv_crt_rsa[];
-extern const size_t mbedtls_test_srv_crt_rsa_len;
-
-/* Config-dependent dispatch between EC and RSA
- * (RSA if enabled, otherwise EC) */
-
-extern const char *mbedtls_test_srv_crt;
-extern const char *mbedtls_test_srv_key;
-extern const char *mbedtls_test_srv_pwd;
-extern const size_t mbedtls_test_srv_crt_len;
-extern const size_t mbedtls_test_srv_key_len;
-extern const size_t mbedtls_test_srv_pwd_len;
-
-/*
- * Client test certificates
- */
-
-extern const char mbedtls_test_cli_crt_ec_pem[];
-extern const char mbedtls_test_cli_key_ec_pem[];
-extern const char mbedtls_test_cli_pwd_ec_pem[];
-extern const char mbedtls_test_cli_key_rsa_pem[];
-extern const char mbedtls_test_cli_pwd_rsa_pem[];
-extern const char mbedtls_test_cli_crt_rsa_pem[];
-
-extern const unsigned char mbedtls_test_cli_crt_ec_der[];
-extern const unsigned char mbedtls_test_cli_key_ec_der[];
-extern const unsigned char mbedtls_test_cli_key_rsa_der[];
-extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
-
-extern const size_t mbedtls_test_cli_crt_ec_pem_len;
-extern const size_t mbedtls_test_cli_key_ec_pem_len;
-extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
-extern const size_t mbedtls_test_cli_key_rsa_pem_len;
-extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
-extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
-
-extern const size_t mbedtls_test_cli_crt_ec_der_len;
-extern const size_t mbedtls_test_cli_key_ec_der_len;
-extern const size_t mbedtls_test_cli_key_rsa_der_len;
-extern const size_t mbedtls_test_cli_crt_rsa_der_len;
-
-/* Config-dependent dispatch between PEM and DER encoding
- * (PEM if enabled, otherwise DER) */
-
-extern const char mbedtls_test_cli_crt_ec[];
-extern const char mbedtls_test_cli_key_ec[];
-extern const char mbedtls_test_cli_pwd_ec[];
-extern const char mbedtls_test_cli_key_rsa[];
-extern const char mbedtls_test_cli_pwd_rsa[];
-extern const char mbedtls_test_cli_crt_rsa[];
-
-extern const size_t mbedtls_test_cli_crt_ec_len;
-extern const size_t mbedtls_test_cli_key_ec_len;
-extern const size_t mbedtls_test_cli_pwd_ec_len;
-extern const size_t mbedtls_test_cli_key_rsa_len;
-extern const size_t mbedtls_test_cli_pwd_rsa_len;
-extern const size_t mbedtls_test_cli_crt_rsa_len;
-
-/* Config-dependent dispatch between EC and RSA
- * (RSA if enabled, otherwise EC) */
-
-extern const char *mbedtls_test_cli_crt;
-extern const char *mbedtls_test_cli_key;
-extern const char *mbedtls_test_cli_pwd;
-extern const size_t mbedtls_test_cli_crt_len;
-extern const size_t mbedtls_test_cli_key_len;
-extern const size_t mbedtls_test_cli_pwd_len;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* certs.h */

+ 5 - 18
thirdparty/mbedtls/include/mbedtls/chacha20.h

@@ -19,12 +19,9 @@
 
 #ifndef MBEDTLS_CHACHA20_H
 #define MBEDTLS_CHACHA20_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stdint.h>
 #include <stddef.h>
@@ -32,16 +29,6 @@
 /** Invalid input parameter(s). */
 #define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051
 
-/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
- * used. */
-/** Feature not available. For example, s part of the API is not implemented. */
-#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053
-
-/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
- */
-/** Chacha20 hardware accelerator failed. */
-#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -49,9 +36,9 @@ extern "C" {
 #if !defined(MBEDTLS_CHACHA20_ALT)
 
 typedef struct mbedtls_chacha20_context {
-    uint32_t state[16];          /*! The state (before round operations). */
-    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
-    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+    uint32_t MBEDTLS_PRIVATE(state)[16];          /*! The state (before round operations). */
+    uint8_t  MBEDTLS_PRIVATE(keystream8)[64];     /*! Leftover keystream bytes. */
+    size_t MBEDTLS_PRIVATE(keystream_bytes_used); /*! Number of keystream bytes already used. */
 }
 mbedtls_chacha20_context;
 

+ 8 - 11
thirdparty/mbedtls/include/mbedtls/chachapoly.h

@@ -19,12 +19,9 @@
 
 #ifndef MBEDTLS_CHACHAPOLY_H
 #define MBEDTLS_CHACHAPOLY_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 /* for shared error codes */
 #include "mbedtls/poly1305.h"
@@ -49,12 +46,12 @@ mbedtls_chachapoly_mode_t;
 #include "mbedtls/chacha20.h"
 
 typedef struct mbedtls_chachapoly_context {
-    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
-    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
-    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
-    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
-    int state;                              /**< The current state of the context. */
-    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
+    mbedtls_chacha20_context MBEDTLS_PRIVATE(chacha20_ctx);  /**< The ChaCha20 context. */
+    mbedtls_poly1305_context MBEDTLS_PRIVATE(poly1305_ctx);  /**< The Poly1305 context. */
+    uint64_t MBEDTLS_PRIVATE(aad_len);                       /**< The length (bytes) of the Additional Authenticated Data. */
+    uint64_t MBEDTLS_PRIVATE(ciphertext_len);                /**< The length (bytes) of the ciphertext. */
+    int MBEDTLS_PRIVATE(state);                              /**< The current state of the context. */
+    mbedtls_chachapoly_mode_t MBEDTLS_PRIVATE(mode);         /**< Cipher mode (encrypt or decrypt). */
 }
 mbedtls_chachapoly_context;
 

+ 431 - 231
thirdparty/mbedtls/include/mbedtls/check_config.h

@@ -2,21 +2,30 @@
  * \file check_config.h
  *
  * \brief Consistency checks for configuration options
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * This header is included automatically by all public Mbed TLS headers
+ * (via mbedtls/build_info.h). Do not include it directly in a configuration
+ * file such as mbedtls/mbedtls_config.h or #MBEDTLS_USER_CONFIG_FILE!
+ * It would run at the wrong time due to missing derived symbols.
  */
 /*
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
-/*
- * It is recommended to include this file from your config.h
- * in order to catch dependency issues early.
- */
-
 #ifndef MBEDTLS_CHECK_CONFIG_H
 #define MBEDTLS_CHECK_CONFIG_H
 
 /* *INDENT-OFF* */
+
+#if !defined(MBEDTLS_CONFIG_IS_FINALIZED)
+#warning "Do not include mbedtls/check_config.h manually! " \
+         "This may cause spurious errors. " \
+         "It is included automatically at the right point since Mbed TLS 3.0."
+#endif /* !MBEDTLS_CONFIG_IS_FINALIZED */
+
 /*
  * We assume CHAR_BIT is 8 in many places. In practice, this is true on our
  * target platforms, so not an issue, but let's just be extra sure.
@@ -26,23 +35,15 @@
 #error "Mbed TLS requires a platform with 8-bit chars"
 #endif
 
-#if defined(_WIN32)
+#include <stdint.h>
+
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
 #if !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_C is required on Windows"
 #endif
-
-/* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
- * it would confuse config.py. */
-#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
-    !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
-#define MBEDTLS_PLATFORM_SNPRINTF_ALT
-#endif
-
-#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
-    !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
-#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
-#endif
-#endif /* _WIN32 */
+/* See auto-enabling SNPRINTF_ALT and VSNPRINTF_ALT
+ * in * config_adjust_legacy_crypto.h */
+#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
 
 #if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C)
 #error "The NET module is not available for mbed OS - please use the network functions provided by Mbed OS"
@@ -57,7 +58,49 @@
 #error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
 #endif
 
-#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
+/* Limitations on ECC key types acceleration: if we have any of `PUBLIC_KEY`,
+ * `KEY_PAIR_BASIC`, `KEY_PAIR_IMPORT`, `KEY_PAIR_EXPORT` then we must have
+ * all 4 of them.
+ */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#error "Unsupported partial support for ECC key type acceleration, see docs/driver-only-builds.md"
+#endif /* not all of public, basic, import, export */
+#endif /* one of public, basic, import, export */
+
+/* Limitations on ECC curves acceleration: partial curve acceleration is only
+ * supported with crypto excluding PK, X.509 or TLS.
+ * Note: no need to check X.509 as it depends on PK. */
+#if defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
+    defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
+#if defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#if defined(MBEDTLS_PK_C) || \
+    defined(MBEDTLS_SSL_TLS_C)
+#error "Unsupported partial support for ECC curves acceleration, see docs/driver-only-builds.md"
+#endif /* modules beyond what's supported */
+#endif /* not all curves accelerated */
+#endif /* some curve accelerated */
+
+#if defined(MBEDTLS_CTR_DRBG_C) && !(defined(MBEDTLS_AES_C) || \
+    (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_KEY_TYPE_AES) && \
+    defined(PSA_WANT_ALG_ECB_NO_PADDING)))
 #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
 #endif
 
@@ -65,12 +108,8 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
-#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_CMAC_C) && \
-    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
+    ( !defined(MBEDTLS_CIPHER_C ) || ( !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) ) )
 #error "MBEDTLS_CMAC_C defined, but not all prerequisites"
 #endif
 
@@ -79,6 +118,36 @@
 #error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) && defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_NO_PADDING cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_ALG_CBC_PKCS7)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_PKCS7 cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_ECB_NO_PADDING cannot be defined simultaneously"
+#endif
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_KEY_TYPE_DES cannot be defined simultaneously"
+#endif
+#endif
+
+#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_CBC cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_XTS cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_DES_C)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_DES_C cannot be defined simultaneously"
+#endif
+#if defined(MBEDTLS_NIST_KW_C)
+#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_NIST_KW_C cannot be defined simultaneously"
+#endif
+#endif
+
 #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECDH_C defined, but not all prerequisites"
 #endif
@@ -101,31 +170,29 @@
 #error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_ECJPAKE_C) &&           \
-    ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) )
+#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_ASN1_WRITE_C)
+#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_WRITE_C for ECDSA signature"
+#endif
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_PARSE_C for ECDSA verification"
+#endif
+#endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_ECJPAKE_C) && \
+    !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)           && \
-    ( defined(MBEDTLS_USE_PSA_CRYPTO)          || \
-      defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
       defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
       defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
       defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
       defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
       defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
       defined(MBEDTLS_ECP_ALT) )
-#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative or PSA-based ECP implementation"
-#endif
-
-#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
-    ! defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-#error "MBEDTLS_ECP_RESTARTABLE defined, but not MBEDTLS_ECDH_LEGACY_CONTEXT"
-#endif
-
-#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)           && \
-    defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-#error "MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED defined, but MBEDTLS_ECDH_LEGACY_CONTEXT not disabled"
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
 #endif
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)           && \
@@ -137,7 +204,7 @@
 #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
+#if defined(MBEDTLS_ECP_LIGHT) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
     !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
@@ -151,78 +218,49 @@
     !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
     !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
     !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
-#error "MBEDTLS_ECP_C defined, but not all prerequisites"
+#error "MBEDTLS_ECP_C defined (or a subset enabled), but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_ECP_C) && !(            \
-    defined(MBEDTLS_ECP_ALT) ||             \
-    defined(MBEDTLS_CTR_DRBG_C) ||          \
-    defined(MBEDTLS_HMAC_DRBG_C) ||         \
-    defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
-#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
-#endif
-
-#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
-#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PKCS5_C) && !defined(MBEDTLS_MD_C)
-#error "MBEDTLS_PKCS5_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
-                                    !defined(MBEDTLS_SHA256_C))
+#if defined(MBEDTLS_ENTROPY_C) && \
+    !(defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA256))
 #error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
 #endif
-#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_SHA512_C) &&         \
+#if defined(MBEDTLS_ENTROPY_C) && \
     defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 64)
 #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
 #endif
 #if defined(MBEDTLS_ENTROPY_C) &&                                            \
-    ( !defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_ENTROPY_FORCE_SHA256) ) \
+    (defined(MBEDTLS_ENTROPY_FORCE_SHA256) || !defined(MBEDTLS_MD_CAN_SHA512)) \
     && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
 #error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
 #endif
 #if defined(MBEDTLS_ENTROPY_C) && \
-    defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_SHA256_C)
+    defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_MD_CAN_SHA256)
 #error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
 #endif
 
 #if defined(__has_feature)
 #if __has_feature(memory_sanitizer)
-#define MBEDTLS_HAS_MEMSAN
+#define MBEDTLS_HAS_MEMSAN // #undef at the end of this paragraph
 #endif
 #endif
 #if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) &&  !defined(MBEDTLS_HAS_MEMSAN)
 #error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
 #endif
-#undef MBEDTLS_HAS_MEMSAN
-
-#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
-    ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
-#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
-#endif
-#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
-     ( defined(MBEDTLS_ENTROPY_NV_SEED) || defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
-    defined(MBEDTLS_HAVEGE_C) )
-#error "MBEDTLS_TEST_NULL_ENTROPY defined, but entropy sources too"
+#if defined(MBEDTLS_HAS_MEMSAN) && defined(MBEDTLS_HAVE_ASM)
+#error "MemorySanitizer does not support assembly implementation"
 #endif
+#undef MBEDTLS_HAS_MEMSAN // temporary macro defined above
 
-#if defined(MBEDTLS_CCM_C) && (                                        \
-    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_CCM_C) && \
+    !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
+    defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
 #error "MBEDTLS_CCM_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_CCM_C) && !defined(MBEDTLS_CIPHER_C)
-#error "MBEDTLS_CCM_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_GCM_C) && (                                        \
-    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
-#error "MBEDTLS_GCM_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CIPHER_C)
+#if defined(MBEDTLS_GCM_C) && \
+    !(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
+    defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
 #error "MBEDTLS_GCM_C defined, but not all prerequisites"
 #endif
 
@@ -270,10 +308,6 @@
 #error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
 #endif
 
-#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
-#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
 #error "MBEDTLS_HKDF_C defined, but not all prerequisites"
 #endif
@@ -283,13 +317,14 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+    ( !defined(MBEDTLS_CAN_ECDH) ||                                       \
+      !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) ||                                \
       !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+    ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) ||          \
       !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
 #endif
@@ -299,7 +334,7 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) &&                     \
-    !defined(MBEDTLS_ECDH_C)
+    !defined(MBEDTLS_CAN_ECDH)
 #error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
 #endif
 
@@ -310,13 +345,14 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+    ( !defined(MBEDTLS_CAN_ECDH) || !defined(MBEDTLS_RSA_C) ||          \
       !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
-    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                \
+    ( !defined(MBEDTLS_CAN_ECDH) ||                                       \
+      !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) ||                                \
       !defined(MBEDTLS_X509_CRT_PARSE_C) )
 #error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
@@ -333,18 +369,58 @@
 #error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
-    ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) ||      \
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&    \
+    ( !defined(PSA_WANT_ALG_JPAKE) ||                   \
+      !defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+      !defined(PSA_WANT_ECC_SECP_R1_256) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&    \
+    ( !defined(MBEDTLS_ECJPAKE_C) ||                    \
       !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+/* Use of EC J-PAKE in TLS requires SHA-256. */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
+    !defined(MBEDTLS_MD_CAN_SHA256)
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) &&        \
-    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) &&              \
-    ( !defined(MBEDTLS_SHA256_C) &&                             \
-      !defined(MBEDTLS_SHA512_C) &&                             \
-      !defined(MBEDTLS_SHA1_C) )
-#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires MBEDTLS_SHA512_C, MBEDTLS_SHA256_C or MBEDTLS_SHA1_C"
+    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) &&            \
+    !defined(MBEDTLS_MD_CAN_SHA256) &&                        \
+    !defined(MBEDTLS_MD_CAN_SHA512) &&                        \
+    !defined(MBEDTLS_MD_CAN_SHA1)
+#error "!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE requires SHA-512, SHA-256 or SHA-1".
+#endif
+
+#if defined(MBEDTLS_MD_C) && \
+    !defined(MBEDTLS_MD_CAN_MD5) && \
+    !defined(MBEDTLS_MD_CAN_RIPEMD160) && \
+    !defined(MBEDTLS_MD_CAN_SHA1) && \
+    !defined(MBEDTLS_MD_CAN_SHA224) && \
+    !defined(MBEDTLS_MD_CAN_SHA256) && \
+    !defined(MBEDTLS_MD_CAN_SHA384) && \
+    !defined(MBEDTLS_MD_CAN_SHA512) && \
+    !defined(MBEDTLS_MD_CAN_SHA3_224) && \
+    !defined(MBEDTLS_MD_CAN_SHA3_256) && \
+    !defined(MBEDTLS_MD_CAN_SHA3_384) && \
+    !defined(MBEDTLS_MD_CAN_SHA3_512)
+#error "MBEDTLS_MD_C defined, but no hash algorithm"
+#endif
+
+#if defined(MBEDTLS_LMS_C) &&                                          \
+    ! ( defined(MBEDTLS_PSA_CRYPTO_CLIENT) && defined(PSA_WANT_ALG_SHA_256) )
+#error "MBEDTLS_LMS_C requires MBEDTLS_PSA_CRYPTO_C and PSA_WANT_ALG_SHA_256"
+#endif
+
+#if defined(MBEDTLS_LMS_PRIVATE) &&                                    \
+    ( !defined(MBEDTLS_LMS_C) )
+#error "MBEDTLS_LMS_PRIVATE requires MBEDTLS_LMS_C"
 #endif
 
 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
@@ -360,10 +436,6 @@
 #error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
-#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C)
 #error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites"
 #endif
@@ -373,30 +445,24 @@
 #endif
 
 #if defined(MBEDTLS_PK_C) && \
-    ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
+    !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_PK_HAVE_ECC_KEYS)
 #error "MBEDTLS_PK_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
+#if defined(MBEDTLS_PK_PARSE_C) && \
+    (!defined(MBEDTLS_ASN1_PARSE_C) || \
+     !defined(MBEDTLS_OID_C)        || \
+     !defined(MBEDTLS_PK_C))
 #error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
+#if defined(MBEDTLS_PK_WRITE_C) && \
+    (!defined(MBEDTLS_ASN1_WRITE_C) || \
+     !defined(MBEDTLS_OID_C)        || \
+     !defined(MBEDTLS_PK_C))
 #error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
-#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
-#endif
-
-#if defined(MBEDTLS_PKCS11_C)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_PKCS11_C is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_PKCS11_C */
-
 #if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
 #endif
@@ -411,6 +477,20 @@
 #error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SETBUF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SETBUF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_SETBUF) ||\
+        defined(MBEDTLS_PLATFORM_SETBUF_ALT) )
+#error "MBEDTLS_PLATFORM_SETBUF_MACRO and MBEDTLS_PLATFORM_STD_SETBUF/MBEDTLS_PLATFORM_SETBUF_ALT cannot be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
     ( !defined(MBEDTLS_PLATFORM_C) ||\
         !defined(MBEDTLS_HAVE_TIME) )
@@ -423,6 +503,16 @@
 #error "MBEDTLS_PLATFORM_TIME_MACRO defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_MS_TIME_ALT)   && \
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_MS_TIME_ALT defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
     ( !defined(MBEDTLS_PLATFORM_C) ||\
         !defined(MBEDTLS_HAVE_TIME) )
@@ -607,6 +697,11 @@
 #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
 #endif
 
+#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_HAVE_SOFT_BLOCK_MODE) && \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER) && !defined(MBEDTLS_CIPHER_C)
+#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C)
 #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
 #endif
@@ -617,6 +712,14 @@
 #error "MBEDTLS_PSA_CRYPTO_SE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_PSA_CRYPTO_SE_C is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_PSA_CRYPTO_SE_C is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
     ! defined(MBEDTLS_PSA_CRYPTO_C)
 #error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
@@ -638,27 +741,16 @@
 #error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG"
 #endif
 
+#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC) &&           \
+    defined(MBEDTLS_PSA_STATIC_KEY_SLOTS)
+#error "MBEDTLS_PSA_KEY_STORE_DYNAMIC and MBEDTLS_PSA_STATIC_KEY_SLOTS cannot be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_PSA_ITS_FILE_C) && \
     !defined(MBEDTLS_FS_IO)
 #error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \
-    defined(MBEDTLS_USE_PSA_CRYPTO)
-#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO."
-#endif
-
-#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO) && \
-    !defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_ECDSA_C)
-#error "MBEDTLS_PK_C in configuration with MBEDTLS_USE_PSA_CRYPTO and \
-        MBEDTLS_ECDSA_C requires MBEDTLS_PK_WRITE_C to be defined."
-#endif
-
-#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C) && \
-    !( defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) )
-#error "MBEDTLS_PSA_CRYPTO_C with MBEDTLS_RSA_C requires MBEDTLS_PK_PARSE_C and MBEDTLS_PK_WRITE_C"
-#endif
-
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
     !defined(MBEDTLS_OID_C) )
 #error "MBEDTLS_RSA_C defined, but not all prerequisites"
@@ -674,37 +766,82 @@
 #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SHA512_NO_SHA384) && !defined(MBEDTLS_SHA512_C)
-#error "MBEDTLS_SHA512_NO_SHA384 defined without MBEDTLS_SHA512_C"
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \
+    defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+#error "Must only define one of MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+#endif
+
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
+    defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
+#if !defined(MBEDTLS_SHA512_C)
+#error "MBEDTLS_SHA512_USE_A64_CRYPTO_* defined without MBEDTLS_SHA512_C"
 #endif
+#if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT)
+#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+#endif
+
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
 
-#if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
-    !defined(MBEDTLS_SHA1_C) )
-#error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
+#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(__aarch64__)
+#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) ||     \
-    !defined(MBEDTLS_SHA1_C) )
-#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites"
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \
+    defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) ||     \
-    !defined(MBEDTLS_SHA1_C) )
-#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
+    defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+#if !defined(MBEDTLS_SHA256_C)
+#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C"
+#endif
+#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT)
+#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) &&     \
-    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
-#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
-    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
-#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
+#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A)
+#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY defined on non-Armv8-A system"
+#endif
+
+/* TLS 1.3 requires separate HKDF parts from PSA,
+ * and at least one ciphersuite, so at least SHA-256 or SHA-384
+ * from PSA to use with HKDF.
+ *
+ * Note: for dependencies common with TLS 1.2 (running handshake hash),
+ * see MBEDTLS_SSL_TLS_C. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+    !(defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
+      defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
+      defined(PSA_WANT_ALG_HKDF_EXPAND) && \
+      (defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384)))
+#error "MBEDTLS_SSL_PROTO_TLS1_3 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#if !( (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
+       defined(MBEDTLS_X509_CRT_PARSE_C) && \
+       ( defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || defined(MBEDTLS_PKCS1_V21) ) )
+#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED defined, but not all prerequisites"
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+#if !( defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) )
+#error "MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED defined, but not all prerequisites"
+#endif
+#endif
+
+/*
+ * The current implementation of TLS 1.3 requires MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#error "MBEDTLS_SSL_PROTO_TLS1_3 defined without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
 #endif
 
-#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) ||  \
-     defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) &&                                    \
     !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                          \
       defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                      \
       defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                    \
@@ -720,8 +857,21 @@
         "but no key exchange methods defined with MBEDTLS_KEY_EXCHANGE_xxxx"
 #endif
 
+#if defined(MBEDTLS_SSL_EARLY_DATA) && \
+    ( !defined(MBEDTLS_SSL_SESSION_TICKETS) || \
+      ( !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) && \
+        !defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) ) )
+#error "MBEDTLS_SSL_EARLY_DATA  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_SRV_C) && \
+    defined(MBEDTLS_SSL_MAX_EARLY_DATA_SIZE) &&                      \
+        ((MBEDTLS_SSL_MAX_EARLY_DATA_SIZE < 0) ||                    \
+         (MBEDTLS_SSL_MAX_EARLY_DATA_SIZE > UINT32_MAX))
+#error "MBEDTLS_SSL_MAX_EARLY_DATA_SIZE must be in the range(0..UINT32_MAX)"
+#endif
+
 #if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
-    !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
     !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
 #endif
@@ -730,35 +880,36 @@
 #error "MBEDTLS_SSL_CLI_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) ||     \
-    !defined(MBEDTLS_MD_C) )
-#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_ASYNC_PRIVATE defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
-#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
+#if defined(MBEDTLS_SSL_TLS_C) && !(defined(MBEDTLS_CIPHER_C) || \
+    defined(MBEDTLS_USE_PSA_CRYPTO))
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
-    !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
-    !defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+/* TLS 1.2 and 1.3 require SHA-256 or SHA-384 (running handshake hash) */
+#if defined(MBEDTLS_SSL_TLS_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if !(defined(PSA_WANT_ALG_SHA_256) || defined(PSA_WANT_ALG_SHA_384))
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
 #endif
-
-#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
-    defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
-#error "Illegal protocol selection"
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if !defined(MBEDTLS_MD_C) || \
+    !(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA384))
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
 #endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#endif /* MBEDTLS_SSL_TLS_C */
 
-#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1))
-#error "Illegal protocol selection"
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2) && (!defined(MBEDTLS_SSL_PROTO_TLS1) || \
-    !defined(MBEDTLS_SSL_PROTO_TLS1_1)))
-#error "Illegal protocol selection"
+#if defined(MBEDTLS_SSL_TLS_C) && \
+    !( defined(MBEDTLS_SSL_PROTO_TLS1_2) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
 #endif
 
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -792,37 +943,48 @@
 #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
 #endif
 
-#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
-    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
-#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT)     &&                 \
+    !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */
+
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
-    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&      \
-    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&      \
     !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
-    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&          \
-    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&          \
     !defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_RENEGOTIATION defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C) && ( !defined(MBEDTLS_CIPHER_C) && \
+                                       !defined(MBEDTLS_USE_PSA_CRYPTO) )
 #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_SSL_TICKET_C) && \
-    !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
+    !( defined(MBEDTLS_SSL_HAVE_CCM) || defined(MBEDTLS_SSL_HAVE_GCM) || \
+    defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) )
 #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \
-    !defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1)
-#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
+#if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) && \
+    MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH >= 256
+#error "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH must be less than 256"
 #endif
 
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
@@ -834,22 +996,20 @@
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
 #endif
-#define MBEDTLS_THREADING_IMPL
+#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph
 #endif
-
 #if defined(MBEDTLS_THREADING_ALT)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
 #endif
-#define MBEDTLS_THREADING_IMPL
+#define MBEDTLS_THREADING_IMPL // undef at the end of this paragraph
 #endif
-
 #if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_C defined, single threading implementation required"
 #endif
-#undef MBEDTLS_THREADING_IMPL
+#undef MBEDTLS_THREADING_IMPL // temporary macro defined above
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #error "MBEDTLS_USE_PSA_CRYPTO defined, but not all prerequisites"
 #endif
 
@@ -857,22 +1017,20 @@
 #error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
-    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||      \
-    !defined(MBEDTLS_PK_PARSE_C) )
+#if defined(MBEDTLS_X509_USE_C) && \
+    (!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||   \
+    !defined(MBEDTLS_PK_PARSE_C) ||                                 \
+    ( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) )
 #error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
-    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||       \
-    !defined(MBEDTLS_PK_WRITE_C) )
+#if defined(MBEDTLS_X509_CREATE_C) && \
+    (!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||      \
+    !defined(MBEDTLS_PK_PARSE_C) ||                                    \
+    ( !defined(MBEDTLS_MD_C) && !defined(MBEDTLS_USE_PSA_CRYPTO) ) )
 #error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_CERTS_C) && !defined(MBEDTLS_X509_USE_C)
-#error "MBEDTLS_CERTS_C defined, but not all prerequisites"
-#endif
-
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
 #error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
 #endif
@@ -893,6 +1051,11 @@
 #error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) && \
+            ( !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
 #error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
 #endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
@@ -902,30 +1065,6 @@
 #error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
 #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
 
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_SSL_PROTO_SSL3 */
-
-#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS"
-#endif
-#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
-
-#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
-#elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
-
 #if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) )
 #error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites"
 #endif
@@ -934,10 +1073,71 @@
 #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
+#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && ( !defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+#error "MBEDTLS_SSL_RECORD_SIZE_LIMIT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && \
+    !( defined(MBEDTLS_SSL_HAVE_CCM) || defined(MBEDTLS_SSL_HAVE_GCM) || \
+    defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) )
 #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites"
 #endif
 
+/* Reject attempts to enable options that have been removed and that could
+ * cause a build to succeed but with features removed. */
+
+#if defined(MBEDTLS_HAVEGE_C) //no-check-names
+#error "MBEDTLS_HAVEGE_C was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/2599"
+#endif
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) //no-check-names
+#error "MBEDTLS_SSL_HW_RECORD_ACCEL was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4031"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) //no-check-names
+#error "MBEDTLS_SSL_PROTO_SSL3 (SSL v3.0 support) was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4031"
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) //no-check-names
+#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO (SSL v2 ClientHello support) was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4031"
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) //no-check-names
+#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT (compatibility with the buggy implementation of truncated HMAC in Mbed TLS up to 2.7) was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4031"
+#endif
+
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES) //no-check-names
+#error "MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES was removed in Mbed TLS 3.0. See the ChangeLog entry if you really need SHA-1-signed certificates."
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT) //no-check-names
+#error "MBEDTLS_ZLIB_SUPPORT was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4031"
+#endif
+
+#if defined(MBEDTLS_CHECK_PARAMS) //no-check-names
+#error "MBEDTLS_CHECK_PARAMS was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4313"
+#endif
+
+#if defined(MBEDTLS_SSL_CID_PADDING_GRANULARITY) //no-check-names
+#error "MBEDTLS_SSL_CID_PADDING_GRANULARITY was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4335"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY) //no-check-names
+#error "MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4335"
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) //no-check-names
+#error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/Mbed-TLS/mbedtls/issues/4341"
+#endif
+
+#if defined(MBEDTLS_PKCS7_C) && ( ( !defined(MBEDTLS_ASN1_PARSE_C) ) || \
+    ( !defined(MBEDTLS_OID_C) ) || ( !defined(MBEDTLS_PK_PARSE_C) ) || \
+    ( !defined(MBEDTLS_X509_CRT_PARSE_C) ) || \
+    ( !defined(MBEDTLS_X509_CRL_PARSE_C) ) || \
+    ( !defined(MBEDTLS_MD_C) ) )
+#error  "MBEDTLS_PKCS7_C is defined, but not all prerequisites"
+#endif
+
 /*
  * Avoid warning from -pedantic. This is a convenient place for this
  * workaround since this is included by every single file before the

+ 274 - 236
thirdparty/mbedtls/include/mbedtls/cipher.h

@@ -14,12 +14,9 @@
 
 #ifndef MBEDTLS_CIPHER_H
 #define MBEDTLS_CIPHER_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include "mbedtls/platform_util.h"
@@ -32,16 +29,11 @@
 #define MBEDTLS_CIPHER_MODE_WITH_PADDING
 #endif
 
-#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
     defined(MBEDTLS_CHACHA20_C)
 #define MBEDTLS_CIPHER_MODE_STREAM
 #endif
 
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /** The selected feature is not available. */
 #define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080
 /** Bad input parameters. */
@@ -57,10 +49,6 @@
 /** The context is invalid. For example, because it was freed. */
 #define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380
 
-/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** Cipher hardware accelerator failed. */
-#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400
-
 #define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
 #define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
 
@@ -71,7 +59,7 @@ extern "C" {
 /**
  * \brief     Supported cipher types.
  *
- * \warning   RC4 and DES/3DES are considered weak ciphers and their use
+ * \warning   DES/3DES are considered weak ciphers and their use
  *            constitutes a security risk. We recommend considering stronger
  *            ciphers instead.
  */
@@ -82,8 +70,6 @@ typedef enum {
     MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. \warning DES is considered weak. */
     MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. \warning 3DES is considered weak. */
     MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
-    MBEDTLS_CIPHER_ID_BLOWFISH,  /**< The Blowfish cipher. */
-    MBEDTLS_CIPHER_ID_ARC4,      /**< The RC4 cipher. */
     MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
     MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
 } mbedtls_cipher_id_t;
@@ -91,7 +77,7 @@ typedef enum {
 /**
  * \brief     Supported {cipher type, cipher mode} pairs.
  *
- * \warning   RC4 and DES/3DES are considered weak ciphers and their use
+ * \warning   DES/3DES are considered weak ciphers and their use
  *            constitutes a security risk. We recommend considering stronger
  *            ciphers instead.
  */
@@ -134,17 +120,18 @@ typedef enum {
     MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. \warning 3DES is considered weak. */
     MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. \warning 3DES is considered weak. */
     MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. \warning 3DES is considered weak. */
-    MBEDTLS_CIPHER_BLOWFISH_ECB,         /**< Blowfish cipher with ECB mode. */
-    MBEDTLS_CIPHER_BLOWFISH_CBC,         /**< Blowfish cipher with CBC mode. */
-    MBEDTLS_CIPHER_BLOWFISH_CFB64,       /**< Blowfish cipher with CFB64 mode. */
-    MBEDTLS_CIPHER_BLOWFISH_CTR,         /**< Blowfish cipher with CTR mode. */
-    MBEDTLS_CIPHER_ARC4_128,             /**< RC4 cipher with 128-bit mode. */
     MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
     MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
     MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
     MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
     MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
     MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
     MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
     MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
     MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
@@ -163,6 +150,9 @@ typedef enum {
     MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
     MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
     MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
+    MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
     MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
     MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
     MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
@@ -189,6 +179,7 @@ typedef enum {
     MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode.         */
     MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode.      */
     MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode.         */
+    MBEDTLS_MODE_CCM_STAR_NO_TAG,        /**< The CCM*-no-tag cipher mode. */
     MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode.         */
     MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
     MBEDTLS_MODE_KW,                     /**< The SP800-38F KW mode */
@@ -225,13 +216,13 @@ enum {
 /** Maximum length of any IV, in Bytes. */
 /* This should ideally be derived automatically from list of ciphers.
  * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
- * in ssl_internal.h. */
+ * in library/ssl_misc.h. */
 #define MBEDTLS_MAX_IV_LENGTH      16
 
 /** Maximum block size of any cipher, in Bytes. */
 /* This should ideally be derived automatically from list of ciphers.
  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in ssl_internal.h. */
+ * in library/ssl_misc.h. */
 #define MBEDTLS_MAX_BLOCK_LENGTH   16
 
 /** Maximum key length, in Bytes. */
@@ -239,7 +230,7 @@ enum {
  * For now, only check whether XTS is enabled which uses 64 Byte keys,
  * and use 32 Bytes as an upper bound for the maximum key length otherwise.
  * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
- * in ssl_internal.h, which however deliberately ignores the case of XTS
+ * in library/ssl_misc.h, which however deliberately ignores the case of XTS
  * since the latter isn't used in SSL/TLS. */
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 #define MBEDTLS_MAX_KEY_LENGTH     64
@@ -260,90 +251,110 @@ typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
 /**
  * Cipher information. Allows calling cipher functions
  * in a generic way.
+ *
+ * \note        The library does not support custom cipher info structures,
+ *              only built-in structures returned by the functions
+ *              mbedtls_cipher_info_from_string(),
+ *              mbedtls_cipher_info_from_type(),
+ *              mbedtls_cipher_info_from_values(),
+ *              mbedtls_cipher_info_from_psa().
+ *
+ * \note        Some fields store a value that has been right-shifted to save
+ *              code-size, so should not be used directly. The accessor
+ *              functions adjust for this and return the "natural" value.
  */
 typedef struct mbedtls_cipher_info_t {
-    /** Full cipher identifier. For example,
-     * MBEDTLS_CIPHER_AES_256_CBC.
-     */
-    mbedtls_cipher_type_t type;
+    /** Name of the cipher. */
+    const char *MBEDTLS_PRIVATE(name);
 
-    /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
-    mbedtls_cipher_mode_t mode;
+    /** The block size, in bytes. */
+    unsigned int MBEDTLS_PRIVATE(block_size) : 5;
 
-    /** The cipher key length, in bits. This is the
-     * default length for variable sized ciphers.
+    /** IV or nonce size, in bytes (right shifted by #MBEDTLS_IV_SIZE_SHIFT).
+     * For ciphers that accept variable IV sizes,
+     * this is the recommended size.
+     */
+    unsigned int MBEDTLS_PRIVATE(iv_size) : 3;
+
+    /** The cipher key length, in bits (right shifted by #MBEDTLS_KEY_BITLEN_SHIFT).
+     * This is the default length for variable sized ciphers.
      * Includes parity bits for ciphers like DES.
      */
-    unsigned int key_bitlen;
+    unsigned int MBEDTLS_PRIVATE(key_bitlen) : 4;
 
-    /** Name of the cipher. */
-    const char *name;
+    /** The cipher mode (as per mbedtls_cipher_mode_t).
+     * For example, MBEDTLS_MODE_CBC.
+     */
+    unsigned int MBEDTLS_PRIVATE(mode) : 4;
 
-    /** IV or nonce size, in Bytes.
-     * For ciphers that accept variable IV sizes,
-     * this is the recommended size.
+    /** Full cipher identifier (as per mbedtls_cipher_type_t).
+     * For example, MBEDTLS_CIPHER_AES_256_CBC.
+     *
+     * This could be 7 bits, but 8 bits retains byte alignment for the
+     * next field, which reduces code size to access that field.
      */
-    unsigned int iv_size;
+    unsigned int MBEDTLS_PRIVATE(type) : 8;
 
     /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
      *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
      *  cipher supports variable IV or variable key sizes, respectively.
      */
-    int flags;
-
-    /** The block size, in Bytes. */
-    unsigned int block_size;
+    unsigned int MBEDTLS_PRIVATE(flags) : 2;
 
-    /** Struct for base cipher information and functions. */
-    const mbedtls_cipher_base_t *base;
+    /** Index to LUT for base cipher information and functions. */
+    unsigned int MBEDTLS_PRIVATE(base_idx) : 5;
 
 } mbedtls_cipher_info_t;
 
+/* For internal use only.
+ * These are used to more compactly represent the fields above. */
+#define MBEDTLS_KEY_BITLEN_SHIFT  6
+#define MBEDTLS_IV_SIZE_SHIFT     2
 /**
  * Generic cipher context.
  */
 typedef struct mbedtls_cipher_context_t {
     /** Information about the associated cipher. */
-    const mbedtls_cipher_info_t *cipher_info;
+    const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info);
 
     /** Key length to use. */
-    int key_bitlen;
+    int MBEDTLS_PRIVATE(key_bitlen);
 
     /** Operation that the key of the context has been
      * initialized for.
      */
-    mbedtls_operation_t operation;
+    mbedtls_operation_t MBEDTLS_PRIVATE(operation);
 
 #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
     /** Padding functions to use, if relevant for
      * the specific cipher mode.
      */
-    void (*add_padding)(unsigned char *output, size_t olen, size_t data_len);
-    int (*get_padding)(unsigned char *input, size_t ilen, size_t *data_len);
+    void(*MBEDTLS_PRIVATE(add_padding))(unsigned char *output, size_t olen, size_t data_len);
+    int(*MBEDTLS_PRIVATE(get_padding))(unsigned char *input, size_t ilen, size_t *data_len);
 #endif
 
     /** Buffer for input that has not been processed yet. */
-    unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH];
+    unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH];
 
     /** Number of Bytes that have not been processed yet. */
-    size_t unprocessed_len;
+    size_t MBEDTLS_PRIVATE(unprocessed_len);
 
     /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
      * for XTS-mode. */
-    unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
+    unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH];
 
     /** IV size in Bytes, for ciphers with variable-length IVs. */
-    size_t iv_size;
+    size_t MBEDTLS_PRIVATE(iv_size);
 
     /** The cipher-specific context. */
-    void *cipher_ctx;
+    void *MBEDTLS_PRIVATE(cipher_ctx);
 
 #if defined(MBEDTLS_CMAC_C)
     /** CMAC-specific context. */
-    mbedtls_cmac_context_t *cmac_ctx;
+    mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx);
 #endif
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
     /** Indicates whether the cipher operations should be performed
      *  by Mbed TLS' own crypto library or an external implementation
      *  of the PSA Crypto API.
@@ -351,8 +362,8 @@ typedef struct mbedtls_cipher_context_t {
      *  mbedtls_cipher_setup(), and set if it was established through
      *  mbedtls_cipher_setup_psa().
      */
-    unsigned char psa_enabled;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    unsigned char MBEDTLS_PRIVATE(psa_enabled);
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
 
 } mbedtls_cipher_context_t;
 
@@ -414,6 +425,164 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(const mbedtls_ciphe
                                                              int key_bitlen,
                                                              const mbedtls_cipher_mode_t mode);
 
+/**
+ * \brief               Retrieve the identifier for a cipher info structure.
+ *
+ * \param[in] info      The cipher info structure to query.
+ *                      This may be \c NULL.
+ *
+ * \return              The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
+ * \return              #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return MBEDTLS_CIPHER_NONE;
+    } else {
+        return (mbedtls_cipher_type_t) info->MBEDTLS_PRIVATE(type);
+    }
+}
+
+/**
+ * \brief               Retrieve the operation mode for a cipher info structure.
+ *
+ * \param[in] info      The cipher info structure to query.
+ *                      This may be \c NULL.
+ *
+ * \return              The cipher mode (\c MBEDTLS_MODE_xxx).
+ * \return              #MBEDTLS_MODE_NONE if \p info is \c NULL.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return MBEDTLS_MODE_NONE;
+    } else {
+        return (mbedtls_cipher_mode_t) info->MBEDTLS_PRIVATE(mode);
+    }
+}
+
+/**
+ * \brief               Retrieve the key size for a cipher info structure.
+ *
+ * \param[in] info      The cipher info structure to query.
+ *                      This may be \c NULL.
+ *
+ * \return              The key length in bits.
+ *                      For variable-sized ciphers, this is the default length.
+ *                      For DES, this includes the parity bits.
+ * \return              \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_key_bitlen(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return 0;
+    } else {
+        return ((size_t) info->MBEDTLS_PRIVATE(key_bitlen)) << MBEDTLS_KEY_BITLEN_SHIFT;
+    }
+}
+
+/**
+ * \brief               Retrieve the human-readable name for a
+ *                      cipher info structure.
+ *
+ * \param[in] info      The cipher info structure to query.
+ *                      This may be \c NULL.
+ *
+ * \return              The cipher name, which is a human readable string,
+ *                      with static storage duration.
+ * \return              \c NULL if \p info is \c NULL.
+ */
+static inline const char *mbedtls_cipher_info_get_name(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return NULL;
+    } else {
+        return info->MBEDTLS_PRIVATE(name);
+    }
+}
+
+/**
+ * \brief       This function returns the size of the IV or nonce
+ *              for the cipher info structure, in bytes.
+ *
+ * \param info  The cipher info structure. This may be \c NULL.
+ *
+ * \return      The recommended IV size.
+ * \return      \c 0 for ciphers not using an IV or a nonce.
+ * \return      \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_iv_size(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return 0;
+    }
+
+    return ((size_t) info->MBEDTLS_PRIVATE(iv_size)) << MBEDTLS_IV_SIZE_SHIFT;
+}
+
+/**
+ * \brief        This function returns the block size of the given
+ *               cipher info structure in bytes.
+ *
+ * \param info   The cipher info structure. This may be \c NULL.
+ *
+ * \return       The block size of the cipher.
+ * \return       \c 1 if the cipher is a stream cipher.
+ * \return       \c 0 if \p info is \c NULL.
+ */
+static inline size_t mbedtls_cipher_info_get_block_size(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return 0;
+    }
+
+    return (size_t) (info->MBEDTLS_PRIVATE(block_size));
+}
+
+/**
+ * \brief        This function returns a non-zero value if the key length for
+ *               the given cipher is variable.
+ *
+ * \param info   The cipher info structure. This may be \c NULL.
+ *
+ * \return       Non-zero if the key length is variable, \c 0 otherwise.
+ * \return       \c 0 if the given pointer is \c NULL.
+ */
+static inline int mbedtls_cipher_info_has_variable_key_bitlen(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return 0;
+    }
+
+    return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
+}
+
+/**
+ * \brief        This function returns a non-zero value if the IV size for
+ *               the given cipher is variable.
+ *
+ * \param info   The cipher info structure. This may be \c NULL.
+ *
+ * \return       Non-zero if the IV size is variable, \c 0 otherwise.
+ * \return       \c 0 if the given pointer is \c NULL.
+ */
+static inline int mbedtls_cipher_info_has_variable_iv_size(
+    const mbedtls_cipher_info_t *info)
+{
+    if (info == NULL) {
+        return 0;
+    }
+
+    return info->MBEDTLS_PRIVATE(flags) & MBEDTLS_CIPHER_VARIABLE_IV_LEN;
+}
+
 /**
  * \brief               This function initializes a \p ctx as NONE.
  *
@@ -437,12 +606,6 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
  * \brief               This function prepares a cipher context for
  *                      use with the given cipher primitive.
  *
- * \warning             In CBC mode, if mbedtls_cipher_set_padding_mode() is not called:
- *                      - If MBEDTLS_CIPHER_PADDING_PKCS7 is enabled, the
- *                      context will use PKCS7 padding.
- *                      - Otherwise the context uses no padding and the input
- *                      must be a whole number of blocks.
- *
  * \note                After calling this function, you should call
  *                      mbedtls_cipher_setkey() and, if the mode uses padding,
  *                      mbedtls_cipher_set_padding_mode(), then for each
@@ -464,27 +627,29 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx);
  *                      parameter-verification failure.
  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
  *                      cipher-specific context fails.
- *
- * \internal Currently, the function also clears the structure.
- * In future versions, the caller will be required to call
- * mbedtls_cipher_init() on the structure first.
  */
 int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
                          const mbedtls_cipher_info_t *cipher_info);
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief               This function initializes a cipher context for
  *                      PSA-based use with the given cipher primitive.
  *
+ * \deprecated          This function is deprecated and will be removed in a
+ *                      future version of the library.
+ *                      Please use psa_aead_xxx() / psa_cipher_xxx() directly
+ *                      instead.
+ *
  * \note                See #MBEDTLS_USE_PSA_CRYPTO for information on PSA.
  *
  * \param ctx           The context to initialize. May not be \c NULL.
  * \param cipher_info   The cipher to use.
  * \param taglen        For AEAD ciphers, the length in bytes of the
  *                      authentication tag to use. Subsequent uses of
- *                      mbedtls_cipher_auth_encrypt() or
- *                      mbedtls_cipher_auth_decrypt() must provide
+ *                      mbedtls_cipher_auth_encrypt_ext() or
+ *                      mbedtls_cipher_auth_decrypt_ext() must provide
  *                      the same tag length.
  *                      For non-AEAD ciphers, the value must be \c 0.
  *
@@ -494,28 +659,30 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
  * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
  *                      cipher-specific context fails.
  */
-int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
-                             const mbedtls_cipher_info_t *cipher_info,
-                             size_t taglen);
+int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
+                                                const mbedtls_cipher_info_t *cipher_info,
+                                                size_t taglen);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 /**
- * \brief        This function returns the block size of the given cipher.
+ * \brief        This function returns the block size of the given cipher
+ *               in bytes.
  *
- * \param ctx    The context of the cipher. This must be initialized.
+ * \param ctx    The context of the cipher.
  *
  * \return       The block size of the underlying cipher.
+ * \return       \c 1 if the cipher is a stream cipher.
  * \return       \c 0 if \p ctx has not been initialized.
  */
 static inline unsigned int mbedtls_cipher_get_block_size(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return 0;
     }
 
-    return ctx->cipher_info->block_size;
+    return (unsigned int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size);
 }
 
 /**
@@ -530,12 +697,11 @@ static inline unsigned int mbedtls_cipher_get_block_size(
 static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return MBEDTLS_MODE_NONE;
     }
 
-    return ctx->cipher_info->mode;
+    return (mbedtls_cipher_mode_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode);
 }
 
 /**
@@ -551,16 +717,16 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
 static inline int mbedtls_cipher_get_iv_size(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return 0;
     }
 
-    if (ctx->iv_size != 0) {
-        return (int) ctx->iv_size;
+    if (ctx->MBEDTLS_PRIVATE(iv_size) != 0) {
+        return (int) ctx->MBEDTLS_PRIVATE(iv_size);
     }
 
-    return (int) ctx->cipher_info->iv_size;
+    return (int) (((int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size)) <<
+                  MBEDTLS_IV_SIZE_SHIFT);
 }
 
 /**
@@ -574,13 +740,11 @@ static inline int mbedtls_cipher_get_iv_size(
 static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(
-        ctx != NULL, MBEDTLS_CIPHER_NONE);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return MBEDTLS_CIPHER_NONE;
     }
 
-    return ctx->cipher_info->type;
+    return (mbedtls_cipher_type_t) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type);
 }
 
 /**
@@ -595,12 +759,11 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
 static inline const char *mbedtls_cipher_get_name(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return 0;
     }
 
-    return ctx->cipher_info->name;
+    return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name);
 }
 
 /**
@@ -615,13 +778,12 @@ static inline const char *mbedtls_cipher_get_name(
 static inline int mbedtls_cipher_get_key_bitlen(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(
-        ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return MBEDTLS_KEY_LENGTH_NONE;
     }
 
-    return (int) ctx->cipher_info->key_bitlen;
+    return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen) <<
+           MBEDTLS_KEY_BITLEN_SHIFT;
 }
 
 /**
@@ -635,13 +797,11 @@ static inline int mbedtls_cipher_get_key_bitlen(
 static inline mbedtls_operation_t mbedtls_cipher_get_operation(
     const mbedtls_cipher_context_t *ctx)
 {
-    MBEDTLS_INTERNAL_VALIDATE_RET(
-        ctx != NULL, MBEDTLS_OPERATION_NONE);
-    if (ctx->cipher_info == NULL) {
+    if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
         return MBEDTLS_OPERATION_NONE;
     }
 
-    return ctx->operation;
+    return ctx->MBEDTLS_PRIVATE(operation);
 }
 
 /**
@@ -670,6 +830,7 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
  * \brief               This function sets the padding mode, for cipher modes
  *                      that use padding.
  *
+ *
  * \param ctx           The generic cipher context. This must be initialized and
  *                      bound to a cipher information structure.
  * \param mode          The padding mode.
@@ -691,6 +852,12 @@ int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
  * \note            Some ciphers do not use IVs nor nonce. For these
  *                  ciphers, this function has no effect.
  *
+ * \note            For #MBEDTLS_CIPHER_CHACHA20, the nonce length must
+ *                  be 12, and the initial counter value is 0.
+ *
+ * \note            For #MBEDTLS_CIPHER_CHACHA20_POLY1305, the nonce length
+ *                  must be 12.
+ *
  * \param ctx       The generic cipher context. This must be initialized and
  *                  bound to a cipher information structure.
  * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
@@ -725,7 +892,8 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
  *                2. mbedtls_cipher_reset()
  *                3. mbedtls_cipher_update_ad()
  *                4. mbedtls_cipher_update() one or more times
- *                5. mbedtls_cipher_check_tag() (for decryption) or
+ *                5. mbedtls_cipher_finish()
+ *                6. mbedtls_cipher_check_tag() (for decryption) or
  *                mbedtls_cipher_write_tag() (for encryption).
  *                .
  *                This sequence can be repeated to encrypt or decrypt multiple
@@ -743,8 +911,6 @@ int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx);
 /**
  * \brief               This function adds additional data for AEAD ciphers.
  *                      Currently supported with GCM and ChaCha20+Poly1305.
- *                      This must be called exactly once, after
- *                      mbedtls_cipher_reset().
  *
  * \param ctx           The generic cipher context. This must be initialized.
  * \param ad            The additional data to use. This must be a readable
@@ -768,11 +934,6 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
  *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
  *                      in size. For example, 16 Bytes for AES.
  *
- * \note                If the underlying cipher is used in GCM mode, all calls
- *                      to this function, except for the last one before
- *                      mbedtls_cipher_finish(), must have \p ilen as a
- *                      multiple of the block size of the cipher.
- *
  * \param ctx           The generic cipher context. This must be initialized and
  *                      bound to a key.
  * \param input         The buffer holding the input data. This must be a
@@ -897,129 +1058,6 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
                          const unsigned char *input, size_t ilen,
                          unsigned char *output, size_t *olen);
 
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-/**
- * \brief               The generic authenticated encryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_encrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_encrypt_ext().
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag           The buffer for the authentication tag. This must be a
- *                      writable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The desired length of the authentication tag. This
- *                      must match the constraints imposed by the AEAD cipher
- *                      used, and in particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == output + ilen. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              A cipher-specific error code on failure.
- */
-int MBEDTLS_DEPRECATED mbedtls_cipher_auth_encrypt(
-    mbedtls_cipher_context_t *ctx,
-    const unsigned char *iv, size_t iv_len,
-    const unsigned char *ad, size_t ad_len,
-    const unsigned char *input, size_t ilen,
-    unsigned char *output, size_t *olen,
-    unsigned char *tag, size_t tag_len);
-
-/**
- * \brief               The generic authenticated decryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_decrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_decrypt_ext().
- *
- * \note                If the data is not authentic, then the output buffer
- *                      is zeroed out to prevent the unauthentic plaintext being
- *                      used, making this interface safer.
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag           The buffer for the authentication tag. This must be a
- *                      readable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The length of the authentication tag. This must match
- *                      the constraints imposed by the AEAD cipher used, and in
- *                      particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == input + len. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
- * \return              A cipher-specific error code on failure.
- */
-int MBEDTLS_DEPRECATED mbedtls_cipher_auth_decrypt(
-    mbedtls_cipher_context_t *ctx,
-    const unsigned char *iv, size_t iv_len,
-    const unsigned char *ad, size_t ad_len,
-    const unsigned char *input, size_t ilen,
-    unsigned char *output, size_t *olen,
-    const unsigned char *tag, size_t tag_len);
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_CIPHER_MODE_AEAD */
-
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
 /**
  * \brief               The authenticated encryption (AEAD/NIST_KW) function.

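--- a/thirdparty/mbedtls/include/mbedtls/cmac.h
+++ b/thirdparty/mbedtls/include/mbedtls/cmac.h
@@ -5,6 +5,7 @@
  *
  * The Cipher-based Message Authentication Code (CMAC) Mode for
  * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
+ * It is supported with AES and DES.
  */
 /*
  *  Copyright The Mbed TLS Contributors
@@ -13,12 +14,9 @@
 
 #ifndef MBEDTLS_CMAC_H
 #define MBEDTLS_CMAC_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/cipher.h"
 
@@ -26,23 +24,33 @@
 extern "C" {
 #endif
 
-/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** CMAC hardware accelerator failed. */
-#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A
-
 #define MBEDTLS_AES_BLOCK_SIZE          16
 #define MBEDTLS_DES3_BLOCK_SIZE         8
 
-
-/* Although the CMAC module does not support ARIA or CAMELLIA, we adjust the value of
- * MBEDTLS_CIPHER_BLKSIZE_MAX to reflect these ciphers.
- * This is done to avoid confusion, given the general-purpose name of the macro. */
-#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /**< The longest block used by CMAC is that of AES. */
+/* We don't support Camellia or ARIA in this module */
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CMAC_MAX_BLOCK_SIZE      16  /**< The longest block used by CMAC is that of AES. */
 #else
-#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /**< The longest block used by CMAC is that of 3DES. */
+#define MBEDTLS_CMAC_MAX_BLOCK_SIZE      8   /**< The longest block used by CMAC is that of 3DES. */
 #endif
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/** The longest block supported by the cipher module.
+ *
+ * \deprecated
+ * For the maximum block size of a cipher supported by the CMAC module,
+ * use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
+ * For the maximum block size of a cipher supported by the cipher module,
+ * use #MBEDTLS_MAX_BLOCK_LENGTH.
+ */
+/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
+ * module, so it didn't take Camellia or ARIA into account. Since the name
+ * of the macro doesn't even convey "CMAC", this was misleading. Now the size
+ * is sufficient for any cipher, but the name is defined in cmac.h for
+ * backward compatibility. */
+#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
 #if !defined(MBEDTLS_CMAC_ALT)
 
 /**
@@ -50,14 +58,14 @@ extern "C" {
  */
 struct mbedtls_cmac_context_t {
     /** The internal state of the CMAC algorithm.  */
-    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char       MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
 
     /** Unprocessed data - either data that was not block aligned and is still
      *  pending processing, or the final block. */
-    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char       MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
 
     /** The length of data pending processing. */
-    size_t              unprocessed_len;
+    size_t              MBEDTLS_PRIVATE(unprocessed_len);
 };
 
 #else  /* !MBEDTLS_CMAC_ALT */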

+ 0 - 2533
thirdparty/mbedtls/include/mbedtls/compat-1.3.h

@@ -1,2533 +0,0 @@
-/**
- * \file compat-1.3.h
- *
- * \brief Compatibility definitions for using Mbed TLS with client code written
- *  for the PolarSSL naming conventions.
- *
- * \deprecated Use the new names directly instead
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "Including compat-1.3.h is deprecated"
-#endif
-
-#ifndef MBEDTLS_COMPAT13_H
-#define MBEDTLS_COMPAT13_H
-
-/*
- * config.h options
- */
-#if defined MBEDTLS_AESNI_C
-#define POLARSSL_AESNI_C MBEDTLS_AESNI_C
-#endif
-#if defined MBEDTLS_AES_ALT
-#define POLARSSL_AES_ALT MBEDTLS_AES_ALT
-#endif
-#if defined MBEDTLS_AES_C
-#define POLARSSL_AES_C MBEDTLS_AES_C
-#endif
-#if defined MBEDTLS_AES_ROM_TABLES
-#define POLARSSL_AES_ROM_TABLES MBEDTLS_AES_ROM_TABLES
-#endif
-#if defined MBEDTLS_ARC4_ALT
-#define POLARSSL_ARC4_ALT MBEDTLS_ARC4_ALT
-#endif
-#if defined MBEDTLS_ARC4_C
-#define POLARSSL_ARC4_C MBEDTLS_ARC4_C
-#endif
-#if defined MBEDTLS_ASN1_PARSE_C
-#define POLARSSL_ASN1_PARSE_C MBEDTLS_ASN1_PARSE_C
-#endif
-#if defined MBEDTLS_ASN1_WRITE_C
-#define POLARSSL_ASN1_WRITE_C MBEDTLS_ASN1_WRITE_C
-#endif
-#if defined MBEDTLS_BASE64_C
-#define POLARSSL_BASE64_C MBEDTLS_BASE64_C
-#endif
-#if defined MBEDTLS_BIGNUM_C
-#define POLARSSL_BIGNUM_C MBEDTLS_BIGNUM_C
-#endif
-#if defined MBEDTLS_BLOWFISH_ALT
-#define POLARSSL_BLOWFISH_ALT MBEDTLS_BLOWFISH_ALT
-#endif
-#if defined MBEDTLS_BLOWFISH_C
-#define POLARSSL_BLOWFISH_C MBEDTLS_BLOWFISH_C
-#endif
-#if defined MBEDTLS_CAMELLIA_ALT
-#define POLARSSL_CAMELLIA_ALT MBEDTLS_CAMELLIA_ALT
-#endif
-#if defined MBEDTLS_CAMELLIA_C
-#define POLARSSL_CAMELLIA_C MBEDTLS_CAMELLIA_C
-#endif
-#if defined MBEDTLS_CAMELLIA_SMALL_MEMORY
-#define POLARSSL_CAMELLIA_SMALL_MEMORY MBEDTLS_CAMELLIA_SMALL_MEMORY
-#endif
-#if defined MBEDTLS_CCM_C
-#define POLARSSL_CCM_C MBEDTLS_CCM_C
-#endif
-#if defined MBEDTLS_CERTS_C
-#define POLARSSL_CERTS_C MBEDTLS_CERTS_C
-#endif
-#if defined MBEDTLS_CIPHER_C
-#define POLARSSL_CIPHER_C MBEDTLS_CIPHER_C
-#endif
-#if defined MBEDTLS_CIPHER_MODE_CBC
-#define POLARSSL_CIPHER_MODE_CBC MBEDTLS_CIPHER_MODE_CBC
-#endif
-#if defined MBEDTLS_CIPHER_MODE_CFB
-#define POLARSSL_CIPHER_MODE_CFB MBEDTLS_CIPHER_MODE_CFB
-#endif
-#if defined MBEDTLS_CIPHER_MODE_CTR
-#define POLARSSL_CIPHER_MODE_CTR MBEDTLS_CIPHER_MODE_CTR
-#endif
-#if defined MBEDTLS_CIPHER_NULL_CIPHER
-#define POLARSSL_CIPHER_NULL_CIPHER MBEDTLS_CIPHER_NULL_CIPHER
-#endif
-#if defined MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#define POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
-#endif
-#if defined MBEDTLS_CIPHER_PADDING_PKCS7
-#define POLARSSL_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_PKCS7
-#endif
-#if defined MBEDTLS_CIPHER_PADDING_ZEROS
-#define POLARSSL_CIPHER_PADDING_ZEROS MBEDTLS_CIPHER_PADDING_ZEROS
-#endif
-#if defined MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#define POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
-#endif
-#if defined MBEDTLS_CTR_DRBG_C
-#define POLARSSL_CTR_DRBG_C MBEDTLS_CTR_DRBG_C
-#endif
-#if defined MBEDTLS_DEBUG_C
-#define POLARSSL_DEBUG_C MBEDTLS_DEBUG_C
-#endif
-#if defined MBEDTLS_DEPRECATED_REMOVED
-#define POLARSSL_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_REMOVED
-#endif
-#if defined MBEDTLS_DEPRECATED_WARNING
-#define POLARSSL_DEPRECATED_WARNING MBEDTLS_DEPRECATED_WARNING
-#endif
-#if defined MBEDTLS_DES_ALT
-#define POLARSSL_DES_ALT MBEDTLS_DES_ALT
-#endif
-#if defined MBEDTLS_DES_C
-#define POLARSSL_DES_C MBEDTLS_DES_C
-#endif
-#if defined MBEDTLS_DHM_C
-#define POLARSSL_DHM_C MBEDTLS_DHM_C
-#endif
-#if defined MBEDTLS_ECDH_C
-#define POLARSSL_ECDH_C MBEDTLS_ECDH_C
-#endif
-#if defined MBEDTLS_ECDSA_C
-#define POLARSSL_ECDSA_C MBEDTLS_ECDSA_C
-#endif
-#if defined MBEDTLS_ECDSA_DETERMINISTIC
-#define POLARSSL_ECDSA_DETERMINISTIC MBEDTLS_ECDSA_DETERMINISTIC
-#endif
-#if defined MBEDTLS_ECP_C
-#define POLARSSL_ECP_C MBEDTLS_ECP_C
-#endif
-#if defined MBEDTLS_ECP_DP_BP256R1_ENABLED
-#define POLARSSL_ECP_DP_BP256R1_ENABLED MBEDTLS_ECP_DP_BP256R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_BP384R1_ENABLED
-#define POLARSSL_ECP_DP_BP384R1_ENABLED MBEDTLS_ECP_DP_BP384R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_BP512R1_ENABLED
-#define POLARSSL_ECP_DP_BP512R1_ENABLED MBEDTLS_ECP_DP_BP512R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#define POLARSSL_ECP_DP_M255_ENABLED MBEDTLS_ECP_DP_CURVE25519_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#define POLARSSL_ECP_DP_SECP192K1_ENABLED MBEDTLS_ECP_DP_SECP192K1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#define POLARSSL_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_DP_SECP192R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#define POLARSSL_ECP_DP_SECP224K1_ENABLED MBEDTLS_ECP_DP_SECP224K1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#define POLARSSL_ECP_DP_SECP224R1_ENABLED MBEDTLS_ECP_DP_SECP224R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#define POLARSSL_ECP_DP_SECP256K1_ENABLED MBEDTLS_ECP_DP_SECP256K1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define POLARSSL_ECP_DP_SECP256R1_ENABLED MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#define POLARSSL_ECP_DP_SECP384R1_ENABLED MBEDTLS_ECP_DP_SECP384R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#define POLARSSL_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_DP_SECP521R1_ENABLED
-#endif
-#if defined MBEDTLS_ECP_FIXED_POINT_OPTIM
-#define POLARSSL_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_FIXED_POINT_OPTIM
-#endif
-#if defined MBEDTLS_ECP_MAX_BITS
-#define POLARSSL_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS
-#endif
-#if defined MBEDTLS_ECP_NIST_OPTIM
-#define POLARSSL_ECP_NIST_OPTIM MBEDTLS_ECP_NIST_OPTIM
-#endif
-#if defined MBEDTLS_ECP_WINDOW_SIZE
-#define POLARSSL_ECP_WINDOW_SIZE MBEDTLS_ECP_WINDOW_SIZE
-#endif
-#if defined MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-#define POLARSSL_ENABLE_WEAK_CIPHERSUITES MBEDTLS_ENABLE_WEAK_CIPHERSUITES
-#endif
-#if defined MBEDTLS_ENTROPY_C
-#define POLARSSL_ENTROPY_C MBEDTLS_ENTROPY_C
-#endif
-#if defined MBEDTLS_ENTROPY_FORCE_SHA256
-#define POLARSSL_ENTROPY_FORCE_SHA256 MBEDTLS_ENTROPY_FORCE_SHA256
-#endif
-#if defined MBEDTLS_ERROR_C
-#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
-#endif
-#if defined MBEDTLS_ERROR_STRERROR_DUMMY
-#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
-#endif
-#if defined MBEDTLS_FS_IO
-#define POLARSSL_FS_IO MBEDTLS_FS_IO
-#endif
-#if defined MBEDTLS_GCM_C
-#define POLARSSL_GCM_C MBEDTLS_GCM_C
-#endif
-#if defined MBEDTLS_GENPRIME
-#define POLARSSL_GENPRIME MBEDTLS_GENPRIME
-#endif
-#if defined MBEDTLS_HAVEGE_C
-#define POLARSSL_HAVEGE_C MBEDTLS_HAVEGE_C
-#endif
-#if defined MBEDTLS_HAVE_ASM
-#define POLARSSL_HAVE_ASM MBEDTLS_HAVE_ASM
-#endif
-#if defined MBEDTLS_HAVE_SSE2
-#define POLARSSL_HAVE_SSE2 MBEDTLS_HAVE_SSE2
-#endif
-#if defined MBEDTLS_HAVE_TIME
-#define POLARSSL_HAVE_TIME MBEDTLS_HAVE_TIME
-#endif
-#if defined MBEDTLS_HMAC_DRBG_C
-#define POLARSSL_HMAC_DRBG_C MBEDTLS_HMAC_DRBG_C
-#endif
-#if defined MBEDTLS_HMAC_DRBG_MAX_INPUT
-#define POLARSSL_HMAC_DRBG_MAX_INPUT MBEDTLS_HMAC_DRBG_MAX_INPUT
-#endif
-#if defined MBEDTLS_HMAC_DRBG_MAX_REQUEST
-#define POLARSSL_HMAC_DRBG_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
-#endif
-#if defined MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
-#define POLARSSL_HMAC_DRBG_MAX_SEED_INPUT MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
-#endif
-#if defined MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
-#define POLARSSL_HMAC_DRBG_RESEED_INTERVAL MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#define POLARSSL_KEY_EXCHANGE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#endif
-#if defined MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-#endif
-#if defined MBEDTLS_MD2_ALT
-#define POLARSSL_MD2_ALT MBEDTLS_MD2_ALT
-#endif
-#if defined MBEDTLS_MD2_C
-#define POLARSSL_MD2_C MBEDTLS_MD2_C
-#endif
-#if defined MBEDTLS_MD2_PROCESS_ALT
-#define POLARSSL_MD2_PROCESS_ALT MBEDTLS_MD2_PROCESS_ALT
-#endif
-#if defined MBEDTLS_MD4_ALT
-#define POLARSSL_MD4_ALT MBEDTLS_MD4_ALT
-#endif
-#if defined MBEDTLS_MD4_C
-#define POLARSSL_MD4_C MBEDTLS_MD4_C
-#endif
-#if defined MBEDTLS_MD4_PROCESS_ALT
-#define POLARSSL_MD4_PROCESS_ALT MBEDTLS_MD4_PROCESS_ALT
-#endif
-#if defined MBEDTLS_MD5_ALT
-#define POLARSSL_MD5_ALT MBEDTLS_MD5_ALT
-#endif
-#if defined MBEDTLS_MD5_C
-#define POLARSSL_MD5_C MBEDTLS_MD5_C
-#endif
-#if defined MBEDTLS_MD5_PROCESS_ALT
-#define POLARSSL_MD5_PROCESS_ALT MBEDTLS_MD5_PROCESS_ALT
-#endif
-#if defined MBEDTLS_MD_C
-#define POLARSSL_MD_C MBEDTLS_MD_C
-#endif
-#if defined MBEDTLS_MEMORY_ALIGN_MULTIPLE
-#define POLARSSL_MEMORY_ALIGN_MULTIPLE MBEDTLS_MEMORY_ALIGN_MULTIPLE
-#endif
-#if defined MBEDTLS_MEMORY_BACKTRACE
-#define POLARSSL_MEMORY_BACKTRACE MBEDTLS_MEMORY_BACKTRACE
-#endif
-#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
-#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
-#endif
-#if defined MBEDTLS_MEMORY_DEBUG
-#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
-#endif
-#if defined MBEDTLS_MPI_MAX_SIZE
-#define POLARSSL_MPI_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-#if defined MBEDTLS_MPI_WINDOW_SIZE
-#define POLARSSL_MPI_WINDOW_SIZE MBEDTLS_MPI_WINDOW_SIZE
-#endif
-#if defined MBEDTLS_NET_C
-#define POLARSSL_NET_C MBEDTLS_NET_C
-#endif
-#if defined MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-#endif
-#if defined MBEDTLS_NO_PLATFORM_ENTROPY
-#define POLARSSL_NO_PLATFORM_ENTROPY MBEDTLS_NO_PLATFORM_ENTROPY
-#endif
-#if defined MBEDTLS_OID_C
-#define POLARSSL_OID_C MBEDTLS_OID_C
-#endif
-#if defined MBEDTLS_PADLOCK_C
-#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
-#endif
-#if defined MBEDTLS_PEM_PARSE_C
-#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
-#endif
-#if defined MBEDTLS_PEM_WRITE_C
-#define POLARSSL_PEM_WRITE_C MBEDTLS_PEM_WRITE_C
-#endif
-#if defined MBEDTLS_PKCS11_C
-#define POLARSSL_PKCS11_C MBEDTLS_PKCS11_C
-#endif
-#if defined MBEDTLS_PKCS12_C
-#define POLARSSL_PKCS12_C MBEDTLS_PKCS12_C
-#endif
-#if defined MBEDTLS_PKCS1_V15
-#define POLARSSL_PKCS1_V15 MBEDTLS_PKCS1_V15
-#endif
-#if defined MBEDTLS_PKCS1_V21
-#define POLARSSL_PKCS1_V21 MBEDTLS_PKCS1_V21
-#endif
-#if defined MBEDTLS_PKCS5_C
-#define POLARSSL_PKCS5_C MBEDTLS_PKCS5_C
-#endif
-#if defined MBEDTLS_PK_C
-#define POLARSSL_PK_C MBEDTLS_PK_C
-#endif
-#if defined MBEDTLS_PK_PARSE_C
-#define POLARSSL_PK_PARSE_C MBEDTLS_PK_PARSE_C
-#endif
-#if defined MBEDTLS_PK_PARSE_EC_EXTENDED
-#define POLARSSL_PK_PARSE_EC_EXTENDED MBEDTLS_PK_PARSE_EC_EXTENDED
-#endif
-#if defined MBEDTLS_PK_RSA_ALT_SUPPORT
-#define POLARSSL_PK_RSA_ALT_SUPPORT MBEDTLS_PK_RSA_ALT_SUPPORT
-#endif
-#if defined MBEDTLS_PK_WRITE_C
-#define POLARSSL_PK_WRITE_C MBEDTLS_PK_WRITE_C
-#endif
-#if defined MBEDTLS_PLATFORM_C
-#define POLARSSL_PLATFORM_C MBEDTLS_PLATFORM_C
-#endif
-#if defined MBEDTLS_PLATFORM_EXIT_ALT
-#define POLARSSL_PLATFORM_EXIT_ALT MBEDTLS_PLATFORM_EXIT_ALT
-#endif
-#if defined MBEDTLS_PLATFORM_EXIT_MACRO
-#define POLARSSL_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_EXIT_MACRO
-#endif
-#if defined MBEDTLS_PLATFORM_FPRINTF_ALT
-#define POLARSSL_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_ALT
-#endif
-#if defined MBEDTLS_PLATFORM_FPRINTF_MACRO
-#define POLARSSL_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FPRINTF_MACRO
-#endif
-#if defined MBEDTLS_PLATFORM_FREE_MACRO
-#define POLARSSL_PLATFORM_FREE_MACRO MBEDTLS_PLATFORM_FREE_MACRO
-#endif
-#if defined MBEDTLS_PLATFORM_MEMORY
-#define POLARSSL_PLATFORM_MEMORY MBEDTLS_PLATFORM_MEMORY
-#endif
-#if defined MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-#endif
-#if defined MBEDTLS_PLATFORM_PRINTF_ALT
-#define POLARSSL_PLATFORM_PRINTF_ALT MBEDTLS_PLATFORM_PRINTF_ALT
-#endif
-#if defined MBEDTLS_PLATFORM_PRINTF_MACRO
-#define POLARSSL_PLATFORM_PRINTF_MACRO MBEDTLS_PLATFORM_PRINTF_MACRO
-#endif
-#if defined MBEDTLS_PLATFORM_SNPRINTF_ALT
-#define POLARSSL_PLATFORM_SNPRINTF_ALT MBEDTLS_PLATFORM_SNPRINTF_ALT
-#endif
-#if defined MBEDTLS_PLATFORM_SNPRINTF_MACRO
-#define POLARSSL_PLATFORM_SNPRINTF_MACRO MBEDTLS_PLATFORM_SNPRINTF_MACRO
-#endif
-#if defined MBEDTLS_PLATFORM_STD_EXIT
-#define POLARSSL_PLATFORM_STD_EXIT MBEDTLS_PLATFORM_STD_EXIT
-#endif
-#if defined MBEDTLS_PLATFORM_STD_FPRINTF
-#define POLARSSL_PLATFORM_STD_FPRINTF MBEDTLS_PLATFORM_STD_FPRINTF
-#endif
-#if defined MBEDTLS_PLATFORM_STD_FREE
-#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
-#endif
-#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
-#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
-#endif
-#if defined MBEDTLS_PLATFORM_STD_PRINTF
-#define POLARSSL_PLATFORM_STD_PRINTF MBEDTLS_PLATFORM_STD_PRINTF
-#endif
-#if defined MBEDTLS_PLATFORM_STD_SNPRINTF
-#define POLARSSL_PLATFORM_STD_SNPRINTF MBEDTLS_PLATFORM_STD_SNPRINTF
-#endif
-#if defined MBEDTLS_PSK_MAX_LEN
-#define POLARSSL_PSK_MAX_LEN MBEDTLS_PSK_MAX_LEN
-#endif
-#if defined MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#define POLARSSL_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#endif
-#if defined MBEDTLS_RIPEMD160_ALT
-#define POLARSSL_RIPEMD160_ALT MBEDTLS_RIPEMD160_ALT
-#endif
-#if defined MBEDTLS_RIPEMD160_C
-#define POLARSSL_RIPEMD160_C MBEDTLS_RIPEMD160_C
-#endif
-#if defined MBEDTLS_RIPEMD160_PROCESS_ALT
-#define POLARSSL_RIPEMD160_PROCESS_ALT MBEDTLS_RIPEMD160_PROCESS_ALT
-#endif
-#if defined MBEDTLS_RSA_C
-#define POLARSSL_RSA_C MBEDTLS_RSA_C
-#endif
-#if defined MBEDTLS_RSA_NO_CRT
-#define POLARSSL_RSA_NO_CRT MBEDTLS_RSA_NO_CRT
-#endif
-#if defined MBEDTLS_SELF_TEST
-#define POLARSSL_SELF_TEST MBEDTLS_SELF_TEST
-#endif
-#if defined MBEDTLS_SHA1_ALT
-#define POLARSSL_SHA1_ALT MBEDTLS_SHA1_ALT
-#endif
-#if defined MBEDTLS_SHA1_C
-#define POLARSSL_SHA1_C MBEDTLS_SHA1_C
-#endif
-#if defined MBEDTLS_SHA1_PROCESS_ALT
-#define POLARSSL_SHA1_PROCESS_ALT MBEDTLS_SHA1_PROCESS_ALT
-#endif
-#if defined MBEDTLS_SHA256_ALT
-#define POLARSSL_SHA256_ALT MBEDTLS_SHA256_ALT
-#endif
-#if defined MBEDTLS_SHA256_C
-#define POLARSSL_SHA256_C MBEDTLS_SHA256_C
-#endif
-#if defined MBEDTLS_SHA256_PROCESS_ALT
-#define POLARSSL_SHA256_PROCESS_ALT MBEDTLS_SHA256_PROCESS_ALT
-#endif
-#if defined MBEDTLS_SHA512_ALT
-#define POLARSSL_SHA512_ALT MBEDTLS_SHA512_ALT
-#endif
-#if defined MBEDTLS_SHA512_C
-#define POLARSSL_SHA512_C MBEDTLS_SHA512_C
-#endif
-#if defined MBEDTLS_SHA512_PROCESS_ALT
-#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
-#endif
-#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
-#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
-#endif
-#if defined MBEDTLS_SSL_ALPN
-#define POLARSSL_SSL_ALPN MBEDTLS_SSL_ALPN
-#endif
-#if defined MBEDTLS_SSL_CACHE_C
-#define POLARSSL_SSL_CACHE_C MBEDTLS_SSL_CACHE_C
-#endif
-#if defined MBEDTLS_SSL_CBC_RECORD_SPLITTING
-#define POLARSSL_SSL_CBC_RECORD_SPLITTING MBEDTLS_SSL_CBC_RECORD_SPLITTING
-#endif
-#if defined MBEDTLS_SSL_CLI_C
-#define POLARSSL_SSL_CLI_C MBEDTLS_SSL_CLI_C
-#endif
-#if defined MBEDTLS_SSL_COOKIE_C
-#define POLARSSL_SSL_COOKIE_C MBEDTLS_SSL_COOKIE_C
-#endif
-#if defined MBEDTLS_SSL_COOKIE_TIMEOUT
-#define POLARSSL_SSL_COOKIE_TIMEOUT MBEDTLS_SSL_COOKIE_TIMEOUT
-#endif
-#if defined MBEDTLS_SSL_DEBUG_ALL
-#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
-#endif
-#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
-#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
-#endif
-#if defined MBEDTLS_SSL_DTLS_BADMAC_LIMIT
-#define POLARSSL_SSL_DTLS_BADMAC_LIMIT MBEDTLS_SSL_DTLS_BADMAC_LIMIT
-#endif
-#if defined MBEDTLS_SSL_DTLS_HELLO_VERIFY
-#define POLARSSL_SSL_DTLS_HELLO_VERIFY MBEDTLS_SSL_DTLS_HELLO_VERIFY
-#endif
-#if defined MBEDTLS_SSL_ENCRYPT_THEN_MAC
-#define POLARSSL_SSL_ENCRYPT_THEN_MAC MBEDTLS_SSL_ENCRYPT_THEN_MAC
-#endif
-#if defined MBEDTLS_SSL_EXTENDED_MASTER_SECRET
-#define POLARSSL_SSL_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MASTER_SECRET
-#endif
-#if defined MBEDTLS_SSL_FALLBACK_SCSV
-#define POLARSSL_SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
-#endif
-#if defined MBEDTLS_SSL_HW_RECORD_ACCEL
-#define POLARSSL_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_HW_RECORD_ACCEL
-#endif
-#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-#endif
-#if defined MBEDTLS_SSL_PROTO_DTLS
-#define POLARSSL_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_DTLS
-#endif
-#if defined MBEDTLS_SSL_PROTO_SSL3
-#define POLARSSL_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_SSL3
-#endif
-#if defined MBEDTLS_SSL_PROTO_TLS1
-#define POLARSSL_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1
-#endif
-#if defined MBEDTLS_SSL_PROTO_TLS1_1
-#define POLARSSL_SSL_PROTO_TLS1_1 MBEDTLS_SSL_PROTO_TLS1_1
-#endif
-#if defined MBEDTLS_SSL_PROTO_TLS1_2
-#define POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
-#endif
-#if defined MBEDTLS_SSL_RENEGOTIATION
-#define POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
-#endif
-#if defined MBEDTLS_SSL_SERVER_NAME_INDICATION
-#define POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
-#endif
-#if defined MBEDTLS_SSL_SESSION_TICKETS
-#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
-#endif
-#if defined MBEDTLS_SSL_SRV_C
-#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
-#endif
-#if defined MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
-#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
-#endif
-#if defined MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-#endif
-#if defined MBEDTLS_SSL_TLS_C
-#define POLARSSL_SSL_TLS_C MBEDTLS_SSL_TLS_C
-#endif
-#if defined MBEDTLS_SSL_TRUNCATED_HMAC
-#define POLARSSL_SSL_TRUNCATED_HMAC MBEDTLS_SSL_TRUNCATED_HMAC
-#endif
-#if defined MBEDTLS_THREADING_ALT
-#define POLARSSL_THREADING_ALT MBEDTLS_THREADING_ALT
-#endif
-#if defined MBEDTLS_THREADING_C
-#define POLARSSL_THREADING_C MBEDTLS_THREADING_C
-#endif
-#if defined MBEDTLS_THREADING_PTHREAD
-#define POLARSSL_THREADING_PTHREAD MBEDTLS_THREADING_PTHREAD
-#endif
-#if defined MBEDTLS_TIMING_ALT
-#define POLARSSL_TIMING_ALT MBEDTLS_TIMING_ALT
-#endif
-#if defined MBEDTLS_TIMING_C
-#define POLARSSL_TIMING_C MBEDTLS_TIMING_C
-#endif
-#if defined MBEDTLS_VERSION_C
-#define POLARSSL_VERSION_C MBEDTLS_VERSION_C
-#endif
-#if defined MBEDTLS_VERSION_FEATURES
-#define POLARSSL_VERSION_FEATURES MBEDTLS_VERSION_FEATURES
-#endif
-#if defined MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-#endif
-#if defined MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION \
-    MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#endif
-#if defined MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-#endif
-#if defined MBEDTLS_X509_CHECK_KEY_USAGE
-#define POLARSSL_X509_CHECK_KEY_USAGE MBEDTLS_X509_CHECK_KEY_USAGE
-#endif
-#if defined MBEDTLS_X509_CREATE_C
-#define POLARSSL_X509_CREATE_C MBEDTLS_X509_CREATE_C
-#endif
-#if defined MBEDTLS_X509_CRL_PARSE_C
-#define POLARSSL_X509_CRL_PARSE_C MBEDTLS_X509_CRL_PARSE_C
-#endif
-#if defined MBEDTLS_X509_CRT_PARSE_C
-#define POLARSSL_X509_CRT_PARSE_C MBEDTLS_X509_CRT_PARSE_C
-#endif
-#if defined MBEDTLS_X509_CRT_WRITE_C
-#define POLARSSL_X509_CRT_WRITE_C MBEDTLS_X509_CRT_WRITE_C
-#endif
-#if defined MBEDTLS_X509_CSR_PARSE_C
-#define POLARSSL_X509_CSR_PARSE_C MBEDTLS_X509_CSR_PARSE_C
-#endif
-#if defined MBEDTLS_X509_CSR_WRITE_C
-#define POLARSSL_X509_CSR_WRITE_C MBEDTLS_X509_CSR_WRITE_C
-#endif
-#if defined MBEDTLS_X509_MAX_INTERMEDIATE_CA
-#define POLARSSL_X509_MAX_INTERMEDIATE_CA MBEDTLS_X509_MAX_INTERMEDIATE_CA
-#endif
-#if defined MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#define POLARSSL_X509_RSASSA_PSS_SUPPORT MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#endif
-#if defined MBEDTLS_X509_USE_C
-#define POLARSSL_X509_USE_C MBEDTLS_X509_USE_C
-#endif
-#if defined MBEDTLS_XTEA_ALT
-#define POLARSSL_XTEA_ALT MBEDTLS_XTEA_ALT
-#endif
-#if defined MBEDTLS_XTEA_C
-#define POLARSSL_XTEA_C MBEDTLS_XTEA_C
-#endif
-#if defined MBEDTLS_ZLIB_SUPPORT
-#define POLARSSL_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
-#endif
-
-/*
- * Misc names (macros, types, functions, enum constants...)
- */
-#define AES_DECRYPT MBEDTLS_AES_DECRYPT
-#define AES_ENCRYPT MBEDTLS_AES_ENCRYPT
-#define ASN1_BIT_STRING MBEDTLS_ASN1_BIT_STRING
-#define ASN1_BMP_STRING MBEDTLS_ASN1_BMP_STRING
-#define ASN1_BOOLEAN MBEDTLS_ASN1_BOOLEAN
-#define ASN1_CHK_ADD MBEDTLS_ASN1_CHK_ADD
-#define ASN1_CONSTRUCTED MBEDTLS_ASN1_CONSTRUCTED
-#define ASN1_CONTEXT_SPECIFIC MBEDTLS_ASN1_CONTEXT_SPECIFIC
-#define ASN1_GENERALIZED_TIME MBEDTLS_ASN1_GENERALIZED_TIME
-#define ASN1_IA5_STRING MBEDTLS_ASN1_IA5_STRING
-#define ASN1_INTEGER MBEDTLS_ASN1_INTEGER
-#define ASN1_NULL MBEDTLS_ASN1_NULL
-#define ASN1_OCTET_STRING MBEDTLS_ASN1_OCTET_STRING
-#define ASN1_OID MBEDTLS_ASN1_OID
-#define ASN1_PRIMITIVE MBEDTLS_ASN1_PRIMITIVE
-#define ASN1_PRINTABLE_STRING MBEDTLS_ASN1_PRINTABLE_STRING
-#define ASN1_SEQUENCE MBEDTLS_ASN1_SEQUENCE
-#define ASN1_SET MBEDTLS_ASN1_SET
-#define ASN1_T61_STRING MBEDTLS_ASN1_T61_STRING
-#define ASN1_UNIVERSAL_STRING MBEDTLS_ASN1_UNIVERSAL_STRING
-#define ASN1_UTC_TIME MBEDTLS_ASN1_UTC_TIME
-#define ASN1_UTF8_STRING MBEDTLS_ASN1_UTF8_STRING
-#define BADCERT_CN_MISMATCH MBEDTLS_X509_BADCERT_CN_MISMATCH
-#define BADCERT_EXPIRED MBEDTLS_X509_BADCERT_EXPIRED
-#define BADCERT_FUTURE MBEDTLS_X509_BADCERT_FUTURE
-#define BADCERT_MISSING MBEDTLS_X509_BADCERT_MISSING
-#define BADCERT_NOT_TRUSTED MBEDTLS_X509_BADCERT_NOT_TRUSTED
-#define BADCERT_OTHER MBEDTLS_X509_BADCERT_OTHER
-#define BADCERT_REVOKED MBEDTLS_X509_BADCERT_REVOKED
-#define BADCERT_SKIP_VERIFY MBEDTLS_X509_BADCERT_SKIP_VERIFY
-#define BADCRL_EXPIRED MBEDTLS_X509_BADCRL_EXPIRED
-#define BADCRL_FUTURE MBEDTLS_X509_BADCRL_FUTURE
-#define BADCRL_NOT_TRUSTED MBEDTLS_X509_BADCRL_NOT_TRUSTED
-#define BLOWFISH_BLOCKSIZE MBEDTLS_BLOWFISH_BLOCKSIZE
-#define BLOWFISH_DECRYPT MBEDTLS_BLOWFISH_DECRYPT
-#define BLOWFISH_ENCRYPT MBEDTLS_BLOWFISH_ENCRYPT
-#define BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
-#define BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
-#define BLOWFISH_ROUNDS MBEDTLS_BLOWFISH_ROUNDS
-#define CAMELLIA_DECRYPT MBEDTLS_CAMELLIA_DECRYPT
-#define CAMELLIA_ENCRYPT MBEDTLS_CAMELLIA_ENCRYPT
-#define COLLECT_SIZE MBEDTLS_HAVEGE_COLLECT_SIZE
-#define CTR_DRBG_BLOCKSIZE MBEDTLS_CTR_DRBG_BLOCKSIZE
-#define CTR_DRBG_ENTROPY_LEN MBEDTLS_CTR_DRBG_ENTROPY_LEN
-#define CTR_DRBG_KEYBITS MBEDTLS_CTR_DRBG_KEYBITS
-#define CTR_DRBG_KEYSIZE MBEDTLS_CTR_DRBG_KEYSIZE
-#define CTR_DRBG_MAX_INPUT MBEDTLS_CTR_DRBG_MAX_INPUT
-#define CTR_DRBG_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
-#define CTR_DRBG_MAX_SEED_INPUT MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
-#define CTR_DRBG_PR_OFF MBEDTLS_CTR_DRBG_PR_OFF
-#define CTR_DRBG_PR_ON MBEDTLS_CTR_DRBG_PR_ON
-#define CTR_DRBG_RESEED_INTERVAL MBEDTLS_CTR_DRBG_RESEED_INTERVAL
-#define CTR_DRBG_SEEDLEN MBEDTLS_CTR_DRBG_SEEDLEN
-#define DEPRECATED MBEDTLS_DEPRECATED
-#define DES_DECRYPT MBEDTLS_DES_DECRYPT
-#define DES_ENCRYPT MBEDTLS_DES_ENCRYPT
-#define DES_KEY_SIZE MBEDTLS_DES_KEY_SIZE
-#define ENTROPY_BLOCK_SIZE MBEDTLS_ENTROPY_BLOCK_SIZE
-#define ENTROPY_MAX_GATHER MBEDTLS_ENTROPY_MAX_GATHER
-#define ENTROPY_MAX_SEED_SIZE MBEDTLS_ENTROPY_MAX_SEED_SIZE
-#define ENTROPY_MAX_SOURCES MBEDTLS_ENTROPY_MAX_SOURCES
-#define ENTROPY_MIN_HARDCLOCK MBEDTLS_ENTROPY_MIN_HARDCLOCK
-#define ENTROPY_MIN_HAVEGE MBEDTLS_ENTROPY_MIN_HAVEGE
-#define ENTROPY_MIN_PLATFORM MBEDTLS_ENTROPY_MIN_PLATFORM
-#define ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_SOURCE_MANUAL
-#define EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER
-#define EXT_BASIC_CONSTRAINTS MBEDTLS_X509_EXT_BASIC_CONSTRAINTS
-#define EXT_CERTIFICATE_POLICIES MBEDTLS_X509_EXT_CERTIFICATE_POLICIES
-#define EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS
-#define EXT_EXTENDED_KEY_USAGE MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE
-#define EXT_FRESHEST_CRL MBEDTLS_X509_EXT_FRESHEST_CRL
-#define EXT_INIHIBIT_ANYPOLICY MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY
-#define EXT_ISSUER_ALT_NAME MBEDTLS_X509_EXT_ISSUER_ALT_NAME
-#define EXT_KEY_USAGE MBEDTLS_X509_EXT_KEY_USAGE
-#define EXT_NAME_CONSTRAINTS MBEDTLS_X509_EXT_NAME_CONSTRAINTS
-#define EXT_NS_CERT_TYPE MBEDTLS_X509_EXT_NS_CERT_TYPE
-#define EXT_POLICY_CONSTRAINTS MBEDTLS_X509_EXT_POLICY_CONSTRAINTS
-#define EXT_POLICY_MAPPINGS MBEDTLS_X509_EXT_POLICY_MAPPINGS
-#define EXT_SUBJECT_ALT_NAME MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
-#define EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS
-#define EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER
-#define GCM_DECRYPT MBEDTLS_GCM_DECRYPT
-#define GCM_ENCRYPT MBEDTLS_GCM_ENCRYPT
-#define KU_CRL_SIGN MBEDTLS_X509_KU_CRL_SIGN
-#define KU_DATA_ENCIPHERMENT MBEDTLS_X509_KU_DATA_ENCIPHERMENT
-#define KU_DIGITAL_SIGNATURE MBEDTLS_X509_KU_DIGITAL_SIGNATURE
-#define KU_KEY_AGREEMENT MBEDTLS_X509_KU_KEY_AGREEMENT
-#define KU_KEY_CERT_SIGN MBEDTLS_X509_KU_KEY_CERT_SIGN
-#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
-#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
-#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
-#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
-#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
-#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
-#define MEMORY_VERIFY_NONE MBEDTLS_MEMORY_VERIFY_NONE
-#define MPI_CHK MBEDTLS_MPI_CHK
-#define NET_PROTO_TCP MBEDTLS_NET_PROTO_TCP
-#define NET_PROTO_UDP MBEDTLS_NET_PROTO_UDP
-#define NS_CERT_TYPE_EMAIL MBEDTLS_X509_NS_CERT_TYPE_EMAIL
-#define NS_CERT_TYPE_EMAIL_CA MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
-#define NS_CERT_TYPE_OBJECT_SIGNING MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
-#define NS_CERT_TYPE_OBJECT_SIGNING_CA MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
-#define NS_CERT_TYPE_RESERVED MBEDTLS_X509_NS_CERT_TYPE_RESERVED
-#define NS_CERT_TYPE_SSL_CA MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
-#define NS_CERT_TYPE_SSL_CLIENT MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
-#define NS_CERT_TYPE_SSL_SERVER MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
-#define OID_ANSI_X9_62 MBEDTLS_OID_ANSI_X9_62
-#define OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE
-#define OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
-#define OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62_SIG
-#define OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2
-#define OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE
-#define OID_AT MBEDTLS_OID_AT
-#define OID_AT_CN MBEDTLS_OID_AT_CN
-#define OID_AT_COUNTRY MBEDTLS_OID_AT_COUNTRY
-#define OID_AT_DN_QUALIFIER MBEDTLS_OID_AT_DN_QUALIFIER
-#define OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT_GENERATION_QUALIFIER
-#define OID_AT_GIVEN_NAME MBEDTLS_OID_AT_GIVEN_NAME
-#define OID_AT_INITIALS MBEDTLS_OID_AT_INITIALS
-#define OID_AT_LOCALITY MBEDTLS_OID_AT_LOCALITY
-#define OID_AT_ORGANIZATION MBEDTLS_OID_AT_ORGANIZATION
-#define OID_AT_ORG_UNIT MBEDTLS_OID_AT_ORG_UNIT
-#define OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT_POSTAL_ADDRESS
-#define OID_AT_POSTAL_CODE MBEDTLS_OID_AT_POSTAL_CODE
-#define OID_AT_PSEUDONYM MBEDTLS_OID_AT_PSEUDONYM
-#define OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT_SERIAL_NUMBER
-#define OID_AT_STATE MBEDTLS_OID_AT_STATE
-#define OID_AT_SUR_NAME MBEDTLS_OID_AT_SUR_NAME
-#define OID_AT_TITLE MBEDTLS_OID_AT_TITLE
-#define OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT_UNIQUE_IDENTIFIER
-#define OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER
-#define OID_BASIC_CONSTRAINTS MBEDTLS_OID_BASIC_CONSTRAINTS
-#define OID_CERTICOM MBEDTLS_OID_CERTICOM
-#define OID_CERTIFICATE_POLICIES MBEDTLS_OID_CERTIFICATE_POLICIES
-#define OID_CLIENT_AUTH MBEDTLS_OID_CLIENT_AUTH
-#define OID_CMP MBEDTLS_OID_CMP
-#define OID_CODE_SIGNING MBEDTLS_OID_CODE_SIGNING
-#define OID_COUNTRY_US MBEDTLS_OID_COUNTRY_US
-#define OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_CRL_DISTRIBUTION_POINTS
-#define OID_CRL_NUMBER MBEDTLS_OID_CRL_NUMBER
-#define OID_DES_CBC MBEDTLS_OID_DES_CBC
-#define OID_DES_EDE3_CBC MBEDTLS_OID_DES_EDE3_CBC
-#define OID_DIGEST_ALG_MD2 MBEDTLS_OID_DIGEST_ALG_MD2
-#define OID_DIGEST_ALG_MD4 MBEDTLS_OID_DIGEST_ALG_MD4
-#define OID_DIGEST_ALG_MD5 MBEDTLS_OID_DIGEST_ALG_MD5
-#define OID_DIGEST_ALG_SHA1 MBEDTLS_OID_DIGEST_ALG_SHA1
-#define OID_DIGEST_ALG_SHA224 MBEDTLS_OID_DIGEST_ALG_SHA224
-#define OID_DIGEST_ALG_SHA256 MBEDTLS_OID_DIGEST_ALG_SHA256
-#define OID_DIGEST_ALG_SHA384 MBEDTLS_OID_DIGEST_ALG_SHA384
-#define OID_DIGEST_ALG_SHA512 MBEDTLS_OID_DIGEST_ALG_SHA512
-#define OID_DOMAIN_COMPONENT MBEDTLS_OID_DOMAIN_COMPONENT
-#define OID_ECDSA_SHA1 MBEDTLS_OID_ECDSA_SHA1
-#define OID_ECDSA_SHA224 MBEDTLS_OID_ECDSA_SHA224
-#define OID_ECDSA_SHA256 MBEDTLS_OID_ECDSA_SHA256
-#define OID_ECDSA_SHA384 MBEDTLS_OID_ECDSA_SHA384
-#define OID_ECDSA_SHA512 MBEDTLS_OID_ECDSA_SHA512
-#define OID_EC_ALG_ECDH MBEDTLS_OID_EC_ALG_ECDH
-#define OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_EC_ALG_UNRESTRICTED
-#define OID_EC_BRAINPOOL_V1 MBEDTLS_OID_EC_BRAINPOOL_V1
-#define OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_GRP_BP256R1
-#define OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_GRP_BP384R1
-#define OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_GRP_BP512R1
-#define OID_EC_GRP_SECP192K1 MBEDTLS_OID_EC_GRP_SECP192K1
-#define OID_EC_GRP_SECP192R1 MBEDTLS_OID_EC_GRP_SECP192R1
-#define OID_EC_GRP_SECP224K1 MBEDTLS_OID_EC_GRP_SECP224K1
-#define OID_EC_GRP_SECP224R1 MBEDTLS_OID_EC_GRP_SECP224R1
-#define OID_EC_GRP_SECP256K1 MBEDTLS_OID_EC_GRP_SECP256K1
-#define OID_EC_GRP_SECP256R1 MBEDTLS_OID_EC_GRP_SECP256R1
-#define OID_EC_GRP_SECP384R1 MBEDTLS_OID_EC_GRP_SECP384R1
-#define OID_EC_GRP_SECP521R1 MBEDTLS_OID_EC_GRP_SECP521R1
-#define OID_EMAIL_PROTECTION MBEDTLS_OID_EMAIL_PROTECTION
-#define OID_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE
-#define OID_FRESHEST_CRL MBEDTLS_OID_FRESHEST_CRL
-#define OID_GOV MBEDTLS_OID_GOV
-#define OID_HMAC_SHA1 MBEDTLS_OID_HMAC_SHA1
-#define OID_ID_CE MBEDTLS_OID_ID_CE
-#define OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_INIHIBIT_ANYPOLICY
-#define OID_ISO_CCITT_DS MBEDTLS_OID_ISO_CCITT_DS
-#define OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ISO_IDENTIFIED_ORG
-#define OID_ISO_ITU_COUNTRY MBEDTLS_OID_ISO_ITU_COUNTRY
-#define OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_US_ORG
-#define OID_ISO_MEMBER_BODIES MBEDTLS_OID_ISO_MEMBER_BODIES
-#define OID_ISSUER_ALT_NAME MBEDTLS_OID_ISSUER_ALT_NAME
-#define OID_KEY_USAGE MBEDTLS_OID_KEY_USAGE
-#define OID_KP MBEDTLS_OID_KP
-#define OID_MGF1 MBEDTLS_OID_MGF1
-#define OID_NAME_CONSTRAINTS MBEDTLS_OID_NAME_CONSTRAINTS
-#define OID_NETSCAPE MBEDTLS_OID_NETSCAPE
-#define OID_NS_BASE_URL MBEDTLS_OID_NS_BASE_URL
-#define OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CA_POLICY_URL
-#define OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CA_REVOCATION_URL
-#define OID_NS_CERT MBEDTLS_OID_NS_CERT
-#define OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_CERT_SEQUENCE
-#define OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT_TYPE
-#define OID_NS_COMMENT MBEDTLS_OID_NS_COMMENT
-#define OID_NS_DATA_TYPE MBEDTLS_OID_NS_DATA_TYPE
-#define OID_NS_RENEWAL_URL MBEDTLS_OID_NS_RENEWAL_URL
-#define OID_NS_REVOCATION_URL MBEDTLS_OID_NS_REVOCATION_URL
-#define OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_SSL_SERVER_NAME
-#define OID_OCSP_SIGNING MBEDTLS_OID_OCSP_SIGNING
-#define OID_OIW_SECSIG MBEDTLS_OID_OIW_SECSIG
-#define OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG_ALG
-#define OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_SHA1
-#define OID_ORGANIZATION MBEDTLS_OID_ORGANIZATION
-#define OID_ORG_ANSI_X9_62 MBEDTLS_OID_ORG_ANSI_X9_62
-#define OID_ORG_CERTICOM MBEDTLS_OID_ORG_CERTICOM
-#define OID_ORG_DOD MBEDTLS_OID_ORG_DOD
-#define OID_ORG_GOV MBEDTLS_OID_ORG_GOV
-#define OID_ORG_NETSCAPE MBEDTLS_OID_ORG_NETSCAPE
-#define OID_ORG_OIW MBEDTLS_OID_ORG_OIW
-#define OID_ORG_RSA_DATA_SECURITY MBEDTLS_OID_ORG_RSA_DATA_SECURITY
-#define OID_ORG_TELETRUST MBEDTLS_OID_ORG_TELETRUST
-#define OID_PKCS MBEDTLS_OID_PKCS
-#define OID_PKCS1 MBEDTLS_OID_PKCS1
-#define OID_PKCS12 MBEDTLS_OID_PKCS12
-#define OID_PKCS12_PBE MBEDTLS_OID_PKCS12_PBE
-#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC
-#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC
-#define OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC
-#define OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC
-#define OID_PKCS12_PBE_SHA1_RC4_128 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
-#define OID_PKCS12_PBE_SHA1_RC4_40 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40
-#define OID_PKCS1_MD2 MBEDTLS_OID_PKCS1_MD2
-#define OID_PKCS1_MD4 MBEDTLS_OID_PKCS1_MD4
-#define OID_PKCS1_MD5 MBEDTLS_OID_PKCS1_MD5
-#define OID_PKCS1_RSA MBEDTLS_OID_PKCS1_RSA
-#define OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1_SHA1
-#define OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1_SHA224
-#define OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1_SHA256
-#define OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1_SHA384
-#define OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1_SHA512
-#define OID_PKCS5 MBEDTLS_OID_PKCS5
-#define OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5_PBES2
-#define OID_PKCS5_PBE_MD2_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC
-#define OID_PKCS5_PBE_MD2_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC
-#define OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC
-#define OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC
-#define OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC
-#define OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC
-#define OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5_PBKDF2
-#define OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5_PBMAC1
-#define OID_PKCS9 MBEDTLS_OID_PKCS9
-#define OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9_CSR_EXT_REQ
-#define OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9_EMAIL
-#define OID_PKIX MBEDTLS_OID_PKIX
-#define OID_POLICY_CONSTRAINTS MBEDTLS_OID_POLICY_CONSTRAINTS
-#define OID_POLICY_MAPPINGS MBEDTLS_OID_POLICY_MAPPINGS
-#define OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD
-#define OID_RSASSA_PSS MBEDTLS_OID_RSASSA_PSS
-#define OID_RSA_COMPANY MBEDTLS_OID_RSA_COMPANY
-#define OID_RSA_SHA_OBS MBEDTLS_OID_RSA_SHA_OBS
-#define OID_SERVER_AUTH MBEDTLS_OID_SERVER_AUTH
-#define OID_SIZE MBEDTLS_OID_SIZE
-#define OID_SUBJECT_ALT_NAME MBEDTLS_OID_SUBJECT_ALT_NAME
-#define OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS
-#define OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER
-#define OID_TELETRUST MBEDTLS_OID_TELETRUST
-#define OID_TIME_STAMPING MBEDTLS_OID_TIME_STAMPING
-#define PADLOCK_ACE MBEDTLS_PADLOCK_ACE
-#define PADLOCK_ALIGN16 MBEDTLS_PADLOCK_ALIGN16
-#define PADLOCK_PHE MBEDTLS_PADLOCK_PHE
-#define PADLOCK_PMM MBEDTLS_PADLOCK_PMM
-#define PADLOCK_RNG MBEDTLS_PADLOCK_RNG
-#define PKCS12_DERIVE_IV MBEDTLS_PKCS12_DERIVE_IV
-#define PKCS12_DERIVE_KEY MBEDTLS_PKCS12_DERIVE_KEY
-#define PKCS12_DERIVE_MAC_KEY MBEDTLS_PKCS12_DERIVE_MAC_KEY
-#define PKCS12_PBE_DECRYPT MBEDTLS_PKCS12_PBE_DECRYPT
-#define PKCS12_PBE_ENCRYPT MBEDTLS_PKCS12_PBE_ENCRYPT
-#define PKCS5_DECRYPT MBEDTLS_PKCS5_DECRYPT
-#define PKCS5_ENCRYPT MBEDTLS_PKCS5_ENCRYPT
-#define POLARSSL_AESNI_AES MBEDTLS_AESNI_AES
-#define POLARSSL_AESNI_CLMUL MBEDTLS_AESNI_CLMUL
-#define POLARSSL_AESNI_H MBEDTLS_AESNI_H
-#define POLARSSL_AES_H MBEDTLS_AES_H
-#define POLARSSL_ARC4_H MBEDTLS_ARC4_H
-#define POLARSSL_ASN1_H MBEDTLS_ASN1_H
-#define POLARSSL_ASN1_WRITE_H MBEDTLS_ASN1_WRITE_H
-#define POLARSSL_BASE64_H MBEDTLS_BASE64_H
-#define POLARSSL_BIGNUM_H MBEDTLS_BIGNUM_H
-#define POLARSSL_BLOWFISH_H MBEDTLS_BLOWFISH_H
-#define POLARSSL_BN_MUL_H MBEDTLS_BN_MUL_H
-#define POLARSSL_CAMELLIA_H MBEDTLS_CAMELLIA_H
-#define POLARSSL_CCM_H MBEDTLS_CCM_H
-#define POLARSSL_CERTS_H MBEDTLS_CERTS_H
-#define POLARSSL_CHECK_CONFIG_H MBEDTLS_CHECK_CONFIG_H
-#define POLARSSL_CIPHERSUITE_NODTLS MBEDTLS_CIPHERSUITE_NODTLS
-#define POLARSSL_CIPHERSUITE_SHORT_TAG MBEDTLS_CIPHERSUITE_SHORT_TAG
-#define POLARSSL_CIPHERSUITE_WEAK MBEDTLS_CIPHERSUITE_WEAK
-#define POLARSSL_CIPHER_AES_128_CBC MBEDTLS_CIPHER_AES_128_CBC
-#define POLARSSL_CIPHER_AES_128_CCM MBEDTLS_CIPHER_AES_128_CCM
-#define POLARSSL_CIPHER_AES_128_CFB128 MBEDTLS_CIPHER_AES_128_CFB128
-#define POLARSSL_CIPHER_AES_128_CTR MBEDTLS_CIPHER_AES_128_CTR
-#define POLARSSL_CIPHER_AES_128_ECB MBEDTLS_CIPHER_AES_128_ECB
-#define POLARSSL_CIPHER_AES_128_GCM MBEDTLS_CIPHER_AES_128_GCM
-#define POLARSSL_CIPHER_AES_192_CBC MBEDTLS_CIPHER_AES_192_CBC
-#define POLARSSL_CIPHER_AES_192_CCM MBEDTLS_CIPHER_AES_192_CCM
-#define POLARSSL_CIPHER_AES_192_CFB128 MBEDTLS_CIPHER_AES_192_CFB128
-#define POLARSSL_CIPHER_AES_192_CTR MBEDTLS_CIPHER_AES_192_CTR
-#define POLARSSL_CIPHER_AES_192_ECB MBEDTLS_CIPHER_AES_192_ECB
-#define POLARSSL_CIPHER_AES_192_GCM MBEDTLS_CIPHER_AES_192_GCM
-#define POLARSSL_CIPHER_AES_256_CBC MBEDTLS_CIPHER_AES_256_CBC
-#define POLARSSL_CIPHER_AES_256_CCM MBEDTLS_CIPHER_AES_256_CCM
-#define POLARSSL_CIPHER_AES_256_CFB128 MBEDTLS_CIPHER_AES_256_CFB128
-#define POLARSSL_CIPHER_AES_256_CTR MBEDTLS_CIPHER_AES_256_CTR
-#define POLARSSL_CIPHER_AES_256_ECB MBEDTLS_CIPHER_AES_256_ECB
-#define POLARSSL_CIPHER_AES_256_GCM MBEDTLS_CIPHER_AES_256_GCM
-#define POLARSSL_CIPHER_ARC4_128 MBEDTLS_CIPHER_ARC4_128
-#define POLARSSL_CIPHER_BLOWFISH_CBC MBEDTLS_CIPHER_BLOWFISH_CBC
-#define POLARSSL_CIPHER_BLOWFISH_CFB64 MBEDTLS_CIPHER_BLOWFISH_CFB64
-#define POLARSSL_CIPHER_BLOWFISH_CTR MBEDTLS_CIPHER_BLOWFISH_CTR
-#define POLARSSL_CIPHER_BLOWFISH_ECB MBEDTLS_CIPHER_BLOWFISH_ECB
-#define POLARSSL_CIPHER_CAMELLIA_128_CBC MBEDTLS_CIPHER_CAMELLIA_128_CBC
-#define POLARSSL_CIPHER_CAMELLIA_128_CCM MBEDTLS_CIPHER_CAMELLIA_128_CCM
-#define POLARSSL_CIPHER_CAMELLIA_128_CFB128 MBEDTLS_CIPHER_CAMELLIA_128_CFB128
-#define POLARSSL_CIPHER_CAMELLIA_128_CTR MBEDTLS_CIPHER_CAMELLIA_128_CTR
-#define POLARSSL_CIPHER_CAMELLIA_128_ECB MBEDTLS_CIPHER_CAMELLIA_128_ECB
-#define POLARSSL_CIPHER_CAMELLIA_128_GCM MBEDTLS_CIPHER_CAMELLIA_128_GCM
-#define POLARSSL_CIPHER_CAMELLIA_192_CBC MBEDTLS_CIPHER_CAMELLIA_192_CBC
-#define POLARSSL_CIPHER_CAMELLIA_192_CCM MBEDTLS_CIPHER_CAMELLIA_192_CCM
-#define POLARSSL_CIPHER_CAMELLIA_192_CFB128 MBEDTLS_CIPHER_CAMELLIA_192_CFB128
-#define POLARSSL_CIPHER_CAMELLIA_192_CTR MBEDTLS_CIPHER_CAMELLIA_192_CTR
-#define POLARSSL_CIPHER_CAMELLIA_192_ECB MBEDTLS_CIPHER_CAMELLIA_192_ECB
-#define POLARSSL_CIPHER_CAMELLIA_192_GCM MBEDTLS_CIPHER_CAMELLIA_192_GCM
-#define POLARSSL_CIPHER_CAMELLIA_256_CBC MBEDTLS_CIPHER_CAMELLIA_256_CBC
-#define POLARSSL_CIPHER_CAMELLIA_256_CCM MBEDTLS_CIPHER_CAMELLIA_256_CCM
-#define POLARSSL_CIPHER_CAMELLIA_256_CFB128 MBEDTLS_CIPHER_CAMELLIA_256_CFB128
-#define POLARSSL_CIPHER_CAMELLIA_256_CTR MBEDTLS_CIPHER_CAMELLIA_256_CTR
-#define POLARSSL_CIPHER_CAMELLIA_256_ECB MBEDTLS_CIPHER_CAMELLIA_256_ECB
-#define POLARSSL_CIPHER_CAMELLIA_256_GCM MBEDTLS_CIPHER_CAMELLIA_256_GCM
-#define POLARSSL_CIPHER_DES_CBC MBEDTLS_CIPHER_DES_CBC
-#define POLARSSL_CIPHER_DES_ECB MBEDTLS_CIPHER_DES_ECB
-#define POLARSSL_CIPHER_DES_EDE3_CBC MBEDTLS_CIPHER_DES_EDE3_CBC
-#define POLARSSL_CIPHER_DES_EDE3_ECB MBEDTLS_CIPHER_DES_EDE3_ECB
-#define POLARSSL_CIPHER_DES_EDE_CBC MBEDTLS_CIPHER_DES_EDE_CBC
-#define POLARSSL_CIPHER_DES_EDE_ECB MBEDTLS_CIPHER_DES_EDE_ECB
-#define POLARSSL_CIPHER_H MBEDTLS_CIPHER_H
-#define POLARSSL_CIPHER_ID_3DES MBEDTLS_CIPHER_ID_3DES
-#define POLARSSL_CIPHER_ID_AES MBEDTLS_CIPHER_ID_AES
-#define POLARSSL_CIPHER_ID_ARC4 MBEDTLS_CIPHER_ID_ARC4
-#define POLARSSL_CIPHER_ID_BLOWFISH MBEDTLS_CIPHER_ID_BLOWFISH
-#define POLARSSL_CIPHER_ID_CAMELLIA MBEDTLS_CIPHER_ID_CAMELLIA
-#define POLARSSL_CIPHER_ID_DES MBEDTLS_CIPHER_ID_DES
-#define POLARSSL_CIPHER_ID_NONE MBEDTLS_CIPHER_ID_NONE
-#define POLARSSL_CIPHER_ID_NULL MBEDTLS_CIPHER_ID_NULL
-#define POLARSSL_CIPHER_MODE_AEAD MBEDTLS_CIPHER_MODE_AEAD
-#define POLARSSL_CIPHER_MODE_STREAM MBEDTLS_CIPHER_MODE_STREAM
-#define POLARSSL_CIPHER_MODE_WITH_PADDING MBEDTLS_CIPHER_MODE_WITH_PADDING
-#define POLARSSL_CIPHER_NONE MBEDTLS_CIPHER_NONE
-#define POLARSSL_CIPHER_NULL MBEDTLS_CIPHER_NULL
-#define POLARSSL_CIPHER_VARIABLE_IV_LEN MBEDTLS_CIPHER_VARIABLE_IV_LEN
-#define POLARSSL_CIPHER_VARIABLE_KEY_LEN MBEDTLS_CIPHER_VARIABLE_KEY_LEN
-#define POLARSSL_CIPHER_WRAP_H MBEDTLS_CIPHER_WRAP_H
-#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
-#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
-#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
-#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
-#define POLARSSL_DES_H MBEDTLS_DES_H
-#define POLARSSL_DHM_H MBEDTLS_DHM_H
-#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
-#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
-#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
-#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
-#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
-#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
-#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
-#define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
-#define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
-#define POLARSSL_ECDSA_H MBEDTLS_ECDSA_H
-#define POLARSSL_ECP_DP_BP256R1 MBEDTLS_ECP_DP_BP256R1
-#define POLARSSL_ECP_DP_BP384R1 MBEDTLS_ECP_DP_BP384R1
-#define POLARSSL_ECP_DP_BP512R1 MBEDTLS_ECP_DP_BP512R1
-#define POLARSSL_ECP_DP_M255 MBEDTLS_ECP_DP_CURVE25519
-#define POLARSSL_ECP_DP_MAX MBEDTLS_ECP_DP_MAX
-#define POLARSSL_ECP_DP_NONE MBEDTLS_ECP_DP_NONE
-#define POLARSSL_ECP_DP_SECP192K1 MBEDTLS_ECP_DP_SECP192K1
-#define POLARSSL_ECP_DP_SECP192R1 MBEDTLS_ECP_DP_SECP192R1
-#define POLARSSL_ECP_DP_SECP224K1 MBEDTLS_ECP_DP_SECP224K1
-#define POLARSSL_ECP_DP_SECP224R1 MBEDTLS_ECP_DP_SECP224R1
-#define POLARSSL_ECP_DP_SECP256K1 MBEDTLS_ECP_DP_SECP256K1
-#define POLARSSL_ECP_DP_SECP256R1 MBEDTLS_ECP_DP_SECP256R1
-#define POLARSSL_ECP_DP_SECP384R1 MBEDTLS_ECP_DP_SECP384R1
-#define POLARSSL_ECP_DP_SECP521R1 MBEDTLS_ECP_DP_SECP521R1
-#define POLARSSL_ECP_H MBEDTLS_ECP_H
-#define POLARSSL_ECP_MAX_BYTES MBEDTLS_ECP_MAX_BYTES
-#define POLARSSL_ECP_MAX_PT_LEN MBEDTLS_ECP_MAX_PT_LEN
-#define POLARSSL_ECP_PF_COMPRESSED MBEDTLS_ECP_PF_COMPRESSED
-#define POLARSSL_ECP_PF_UNCOMPRESSED MBEDTLS_ECP_PF_UNCOMPRESSED
-#define POLARSSL_ECP_TLS_NAMED_CURVE MBEDTLS_ECP_TLS_NAMED_CURVE
-#define POLARSSL_ENCRYPT MBEDTLS_ENCRYPT
-#define POLARSSL_ENTROPY_H MBEDTLS_ENTROPY_H
-#define POLARSSL_ENTROPY_POLL_H MBEDTLS_ENTROPY_POLL_H
-#define POLARSSL_ENTROPY_SHA256_ACCUMULATOR MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
-#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
-#define POLARSSL_ERROR_H MBEDTLS_ERROR_H
-#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
-#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
-#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
-#define POLARSSL_ERR_ASN1_INVALID_DATA MBEDTLS_ERR_ASN1_INVALID_DATA
-#define POLARSSL_ERR_ASN1_INVALID_LENGTH MBEDTLS_ERR_ASN1_INVALID_LENGTH
-#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-#define POLARSSL_ERR_ASN1_MALLOC_FAILED MBEDTLS_ERR_ASN1_ALLOC_FAILED
-#define POLARSSL_ERR_ASN1_OUT_OF_DATA MBEDTLS_ERR_ASN1_OUT_OF_DATA
-#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
-#define POLARSSL_ERR_BASE64_INVALID_CHARACTER MBEDTLS_ERR_BASE64_INVALID_CHARACTER
-#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
-#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
-#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
-#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
-#define POLARSSL_ERR_CCM_AUTH_FAILED MBEDTLS_ERR_CCM_AUTH_FAILED
-#define POLARSSL_ERR_CCM_BAD_INPUT MBEDTLS_ERR_CCM_BAD_INPUT
-#define POLARSSL_ERR_CIPHER_ALLOC_FAILED MBEDTLS_ERR_CIPHER_ALLOC_FAILED
-#define POLARSSL_ERR_CIPHER_AUTH_FAILED MBEDTLS_ERR_CIPHER_AUTH_FAILED
-#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
-#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
-#define POLARSSL_ERR_CIPHER_INVALID_PADDING MBEDTLS_ERR_CIPHER_INVALID_PADDING
-#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
-#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
-#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
-#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
-#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
-#define POLARSSL_ERR_DHM_BAD_INPUT_DATA MBEDTLS_ERR_DHM_BAD_INPUT_DATA
-#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED MBEDTLS_ERR_DHM_CALC_SECRET_FAILED
-#define POLARSSL_ERR_DHM_FILE_IO_ERROR MBEDTLS_ERR_DHM_FILE_IO_ERROR
-#define POLARSSL_ERR_DHM_INVALID_FORMAT MBEDTLS_ERR_DHM_INVALID_FORMAT
-#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
-#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED
-#define POLARSSL_ERR_DHM_MALLOC_FAILED MBEDTLS_ERR_DHM_ALLOC_FAILED
-#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED MBEDTLS_ERR_DHM_READ_PARAMS_FAILED
-#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED
-#define POLARSSL_ERR_ECP_BAD_INPUT_DATA MBEDTLS_ERR_ECP_BAD_INPUT_DATA
-#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
-#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_ECP_INVALID_KEY MBEDTLS_ERR_ECP_INVALID_KEY
-#define POLARSSL_ERR_ECP_MALLOC_FAILED MBEDTLS_ERR_ECP_ALLOC_FAILED
-#define POLARSSL_ERR_ECP_RANDOM_FAILED MBEDTLS_ERR_ECP_RANDOM_FAILED
-#define POLARSSL_ERR_ECP_SIG_LEN_MISMATCH MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH
-#define POLARSSL_ERR_ECP_VERIFY_FAILED MBEDTLS_ERR_ECP_VERIFY_FAILED
-#define POLARSSL_ERR_ENTROPY_FILE_IO_ERROR MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
-#define POLARSSL_ERR_ENTROPY_MAX_SOURCES MBEDTLS_ERR_ENTROPY_MAX_SOURCES
-#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED
-#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
-#define POLARSSL_ERR_GCM_AUTH_FAILED MBEDTLS_ERR_GCM_AUTH_FAILED
-#define POLARSSL_ERR_GCM_BAD_INPUT MBEDTLS_ERR_GCM_BAD_INPUT
-#define POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
-#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
-#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
-#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
-#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
-#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
-#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_MD_FILE_IO_ERROR MBEDTLS_ERR_MD_FILE_IO_ERROR
-#define POLARSSL_ERR_MPI_BAD_INPUT_DATA MBEDTLS_ERR_MPI_BAD_INPUT_DATA
-#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
-#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
-#define POLARSSL_ERR_MPI_FILE_IO_ERROR MBEDTLS_ERR_MPI_FILE_IO_ERROR
-#define POLARSSL_ERR_MPI_INVALID_CHARACTER MBEDTLS_ERR_MPI_INVALID_CHARACTER
-#define POLARSSL_ERR_MPI_MALLOC_FAILED MBEDTLS_ERR_MPI_ALLOC_FAILED
-#define POLARSSL_ERR_MPI_NEGATIVE_VALUE MBEDTLS_ERR_MPI_NEGATIVE_VALUE
-#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
-#define POLARSSL_ERR_NET_ACCEPT_FAILED MBEDTLS_ERR_NET_ACCEPT_FAILED
-#define POLARSSL_ERR_NET_BIND_FAILED MBEDTLS_ERR_NET_BIND_FAILED
-#define POLARSSL_ERR_NET_CONNECT_FAILED MBEDTLS_ERR_NET_CONNECT_FAILED
-#define POLARSSL_ERR_NET_CONN_RESET MBEDTLS_ERR_NET_CONN_RESET
-#define POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
-#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
-#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
-#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
-#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
-#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
-#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
-#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
-#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
-#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
-#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
-#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
-#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
-#define POLARSSL_ERR_PEM_INVALID_ENC_IV MBEDTLS_ERR_PEM_INVALID_ENC_IV
-#define POLARSSL_ERR_PEM_MALLOC_FAILED MBEDTLS_ERR_PEM_ALLOC_FAILED
-#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
-#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
-#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
-#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
-#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA
-#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
-#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT
-#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA
-#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_PKCS5_INVALID_FORMAT MBEDTLS_ERR_PKCS5_INVALID_FORMAT
-#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
-#define POLARSSL_ERR_PK_BAD_INPUT_DATA MBEDTLS_ERR_PK_BAD_INPUT_DATA
-#define POLARSSL_ERR_PK_FEATURE_UNAVAILABLE MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_PK_FILE_IO_ERROR MBEDTLS_ERR_PK_FILE_IO_ERROR
-#define POLARSSL_ERR_PK_INVALID_ALG MBEDTLS_ERR_PK_INVALID_ALG
-#define POLARSSL_ERR_PK_INVALID_PUBKEY MBEDTLS_ERR_PK_INVALID_PUBKEY
-#define POLARSSL_ERR_PK_KEY_INVALID_FORMAT MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
-#define POLARSSL_ERR_PK_KEY_INVALID_VERSION MBEDTLS_ERR_PK_KEY_INVALID_VERSION
-#define POLARSSL_ERR_PK_MALLOC_FAILED MBEDTLS_ERR_PK_ALLOC_FAILED
-#define POLARSSL_ERR_PK_PASSWORD_MISMATCH MBEDTLS_ERR_PK_PASSWORD_MISMATCH
-#define POLARSSL_ERR_PK_PASSWORD_REQUIRED MBEDTLS_ERR_PK_PASSWORD_REQUIRED
-#define POLARSSL_ERR_PK_SIG_LEN_MISMATCH MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
-#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
-#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
-#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
-#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
-#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
-#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
-#define POLARSSL_ERR_RSA_KEY_GEN_FAILED MBEDTLS_ERR_RSA_KEY_GEN_FAILED
-#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
-#define POLARSSL_ERR_RSA_PRIVATE_FAILED MBEDTLS_ERR_RSA_PRIVATE_FAILED
-#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
-#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
-#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
-#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
-#define POLARSSL_ERR_SSL_BAD_HS_FINISHED MBEDTLS_ERR_SSL_BAD_HS_FINISHED
-#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
-#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
-#define POLARSSL_ERR_SSL_BAD_INPUT_DATA MBEDTLS_ERR_SSL_BAD_INPUT_DATA
-#define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
-#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
-#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
-#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
-#define POLARSSL_ERR_SSL_COMPRESSION_FAILED MBEDTLS_ERR_SSL_COMPRESSION_FAILED
-#define POLARSSL_ERR_SSL_CONN_EOF MBEDTLS_ERR_SSL_CONN_EOF
-#define POLARSSL_ERR_SSL_COUNTER_WRAPPING MBEDTLS_ERR_SSL_COUNTER_WRAPPING
-#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
-#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
-#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
-#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
-#define POLARSSL_ERR_SSL_INTERNAL_ERROR MBEDTLS_ERR_SSL_INTERNAL_ERROR
-#define POLARSSL_ERR_SSL_INVALID_MAC MBEDTLS_ERR_SSL_INVALID_MAC
-#define POLARSSL_ERR_SSL_INVALID_RECORD MBEDTLS_ERR_SSL_INVALID_RECORD
-#define POLARSSL_ERR_SSL_MALLOC_FAILED MBEDTLS_ERR_SSL_ALLOC_FAILED
-#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
-#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
-#define POLARSSL_ERR_SSL_NO_RNG MBEDTLS_ERR_SSL_NO_RNG
-#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
-#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
-#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
-#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
-#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
-#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
-#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
-#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
-#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
-#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
-#define POLARSSL_ERR_THREADING_BAD_INPUT_DATA MBEDTLS_ERR_THREADING_BAD_INPUT_DATA
-#define POLARSSL_ERR_THREADING_FEATURE_UNAVAILABLE MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_THREADING_MUTEX_ERROR MBEDTLS_ERR_THREADING_MUTEX_ERROR
-#define POLARSSL_ERR_X509_BAD_INPUT_DATA MBEDTLS_ERR_X509_BAD_INPUT_DATA
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
-#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
-#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
-#define POLARSSL_ERR_X509_FILE_IO_ERROR MBEDTLS_ERR_X509_FILE_IO_ERROR
-#define POLARSSL_ERR_X509_INVALID_ALG MBEDTLS_ERR_X509_INVALID_ALG
-#define POLARSSL_ERR_X509_INVALID_DATE MBEDTLS_ERR_X509_INVALID_DATE
-#define POLARSSL_ERR_X509_INVALID_EXTENSIONS MBEDTLS_ERR_X509_INVALID_EXTENSIONS
-#define POLARSSL_ERR_X509_INVALID_FORMAT MBEDTLS_ERR_X509_INVALID_FORMAT
-#define POLARSSL_ERR_X509_INVALID_NAME MBEDTLS_ERR_X509_INVALID_NAME
-#define POLARSSL_ERR_X509_INVALID_SERIAL MBEDTLS_ERR_X509_INVALID_SERIAL
-#define POLARSSL_ERR_X509_INVALID_SIGNATURE MBEDTLS_ERR_X509_INVALID_SIGNATURE
-#define POLARSSL_ERR_X509_INVALID_VERSION MBEDTLS_ERR_X509_INVALID_VERSION
-#define POLARSSL_ERR_X509_MALLOC_FAILED MBEDTLS_ERR_X509_ALLOC_FAILED
-#define POLARSSL_ERR_X509_SIG_MISMATCH MBEDTLS_ERR_X509_SIG_MISMATCH
-#define POLARSSL_ERR_X509_UNKNOWN_OID MBEDTLS_ERR_X509_UNKNOWN_OID
-#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
-#define POLARSSL_ERR_X509_UNKNOWN_VERSION MBEDTLS_ERR_X509_UNKNOWN_VERSION
-#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH
-#define POLARSSL_GCM_H MBEDTLS_GCM_H
-#define POLARSSL_HAVEGE_H MBEDTLS_HAVEGE_H
-#define POLARSSL_HAVE_INT32 MBEDTLS_HAVE_INT32
-#define POLARSSL_HAVE_INT64 MBEDTLS_HAVE_INT64
-#define POLARSSL_HAVE_UDBL MBEDTLS_HAVE_UDBL
-#define POLARSSL_HAVE_X86 MBEDTLS_HAVE_X86
-#define POLARSSL_HAVE_X86_64 MBEDTLS_HAVE_X86_64
-#define POLARSSL_HMAC_DRBG_H MBEDTLS_HMAC_DRBG_H
-#define POLARSSL_HMAC_DRBG_PR_OFF MBEDTLS_HMAC_DRBG_PR_OFF
-#define POLARSSL_HMAC_DRBG_PR_ON MBEDTLS_HMAC_DRBG_PR_ON
-#define POLARSSL_KEY_EXCHANGE_DHE_PSK MBEDTLS_KEY_EXCHANGE_DHE_PSK
-#define POLARSSL_KEY_EXCHANGE_DHE_RSA MBEDTLS_KEY_EXCHANGE_DHE_RSA
-#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
-#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
-#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
-#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
-#define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
-#define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
-#define POLARSSL_KEY_EXCHANGE_PSK MBEDTLS_KEY_EXCHANGE_PSK
-#define POLARSSL_KEY_EXCHANGE_RSA MBEDTLS_KEY_EXCHANGE_RSA
-#define POLARSSL_KEY_EXCHANGE_RSA_PSK MBEDTLS_KEY_EXCHANGE_RSA_PSK
-#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED
-#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
-#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
-#define POLARSSL_KEY_LENGTH_DES MBEDTLS_KEY_LENGTH_DES
-#define POLARSSL_KEY_LENGTH_DES_EDE MBEDTLS_KEY_LENGTH_DES_EDE
-#define POLARSSL_KEY_LENGTH_DES_EDE3 MBEDTLS_KEY_LENGTH_DES_EDE3
-#define POLARSSL_KEY_LENGTH_NONE MBEDTLS_KEY_LENGTH_NONE
-#define POLARSSL_MAX_BLOCK_LENGTH MBEDTLS_MAX_BLOCK_LENGTH
-#define POLARSSL_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
-#define POLARSSL_MD2_H MBEDTLS_MD2_H
-#define POLARSSL_MD4_H MBEDTLS_MD4_H
-#define POLARSSL_MD5_H MBEDTLS_MD5_H
-#define POLARSSL_MD_H MBEDTLS_MD_H
-#define POLARSSL_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
-#define POLARSSL_MD_MD2 MBEDTLS_MD_MD2
-#define POLARSSL_MD_MD4 MBEDTLS_MD_MD4
-#define POLARSSL_MD_MD5 MBEDTLS_MD_MD5
-#define POLARSSL_MD_NONE MBEDTLS_MD_NONE
-#define POLARSSL_MD_RIPEMD160 MBEDTLS_MD_RIPEMD160
-#define POLARSSL_MD_SHA1 MBEDTLS_MD_SHA1
-#define POLARSSL_MD_SHA224 MBEDTLS_MD_SHA224
-#define POLARSSL_MD_SHA256 MBEDTLS_MD_SHA256
-#define POLARSSL_MD_SHA384 MBEDTLS_MD_SHA384
-#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
-#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
-#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
-#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
-#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
-#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
-#define POLARSSL_MODE_CTR MBEDTLS_MODE_CTR
-#define POLARSSL_MODE_ECB MBEDTLS_MODE_ECB
-#define POLARSSL_MODE_GCM MBEDTLS_MODE_GCM
-#define POLARSSL_MODE_NONE MBEDTLS_MODE_NONE
-#define POLARSSL_MODE_OFB MBEDTLS_MODE_OFB
-#define POLARSSL_MODE_STREAM MBEDTLS_MODE_STREAM
-#define POLARSSL_MPI_MAX_BITS MBEDTLS_MPI_MAX_BITS
-#define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100
-#define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS
-#define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE
-#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H
-#define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG
-#define POLARSSL_OID_H MBEDTLS_OID_H
-#define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE
-#define POLARSSL_PADDING_NONE MBEDTLS_PADDING_NONE
-#define POLARSSL_PADDING_ONE_AND_ZEROS MBEDTLS_PADDING_ONE_AND_ZEROS
-#define POLARSSL_PADDING_PKCS7 MBEDTLS_PADDING_PKCS7
-#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
-#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
-#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
-#define POLARSSL_PEM_H MBEDTLS_PEM_H
-#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
-#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
-#define POLARSSL_PKCS5_H MBEDTLS_PKCS5_H
-#define POLARSSL_PK_DEBUG_ECP MBEDTLS_PK_DEBUG_ECP
-#define POLARSSL_PK_DEBUG_MAX_ITEMS MBEDTLS_PK_DEBUG_MAX_ITEMS
-#define POLARSSL_PK_DEBUG_MPI MBEDTLS_PK_DEBUG_MPI
-#define POLARSSL_PK_DEBUG_NONE MBEDTLS_PK_DEBUG_NONE
-#define POLARSSL_PK_ECDSA MBEDTLS_PK_ECDSA
-#define POLARSSL_PK_ECKEY MBEDTLS_PK_ECKEY
-#define POLARSSL_PK_ECKEY_DH MBEDTLS_PK_ECKEY_DH
-#define POLARSSL_PK_H MBEDTLS_PK_H
-#define POLARSSL_PK_NONE MBEDTLS_PK_NONE
-#define POLARSSL_PK_RSA MBEDTLS_PK_RSA
-#define POLARSSL_PK_RSASSA_PSS MBEDTLS_PK_RSASSA_PSS
-#define POLARSSL_PK_RSA_ALT MBEDTLS_PK_RSA_ALT
-#define POLARSSL_PK_WRAP_H MBEDTLS_PK_WRAP_H
-#define POLARSSL_PLATFORM_H MBEDTLS_PLATFORM_H
-#define POLARSSL_PREMASTER_SIZE MBEDTLS_PREMASTER_SIZE
-#define POLARSSL_RIPEMD160_H MBEDTLS_RIPEMD160_H
-#define POLARSSL_RSA_H MBEDTLS_RSA_H
-#define POLARSSL_SHA1_H MBEDTLS_SHA1_H
-#define POLARSSL_SHA256_H MBEDTLS_SHA256_H
-#define POLARSSL_SHA512_H MBEDTLS_SHA512_H
-#define POLARSSL_SSL_CACHE_H MBEDTLS_SSL_CACHE_H
-#define POLARSSL_SSL_CIPHERSUITES_H MBEDTLS_SSL_CIPHERSUITES_H
-#define POLARSSL_SSL_COOKIE_H MBEDTLS_SSL_COOKIE_H
-#define POLARSSL_SSL_H MBEDTLS_SSL_H
-#define POLARSSL_THREADING_H MBEDTLS_THREADING_H
-#define POLARSSL_THREADING_IMPL MBEDTLS_THREADING_IMPL
-#define POLARSSL_TIMING_H MBEDTLS_TIMING_H
-#define POLARSSL_VERSION_H MBEDTLS_VERSION_H
-#define POLARSSL_VERSION_MAJOR MBEDTLS_VERSION_MAJOR
-#define POLARSSL_VERSION_MINOR MBEDTLS_VERSION_MINOR
-#define POLARSSL_VERSION_NUMBER MBEDTLS_VERSION_NUMBER
-#define POLARSSL_VERSION_PATCH MBEDTLS_VERSION_PATCH
-#define POLARSSL_VERSION_STRING MBEDTLS_VERSION_STRING
-#define POLARSSL_VERSION_STRING_FULL MBEDTLS_VERSION_STRING_FULL
-#define POLARSSL_X509_CRL_H MBEDTLS_X509_CRL_H
-#define POLARSSL_X509_CRT_H MBEDTLS_X509_CRT_H
-#define POLARSSL_X509_CSR_H MBEDTLS_X509_CSR_H
-#define POLARSSL_X509_H MBEDTLS_X509_H
-#define POLARSSL_XTEA_H MBEDTLS_XTEA_H
-#define RSA_CRYPT MBEDTLS_RSA_CRYPT
-#define RSA_PKCS_V15 MBEDTLS_RSA_PKCS_V15
-#define RSA_PKCS_V21 MBEDTLS_RSA_PKCS_V21
-#define RSA_PRIVATE MBEDTLS_RSA_PRIVATE
-#define RSA_PUBLIC MBEDTLS_RSA_PUBLIC
-#define RSA_SALT_LEN_ANY MBEDTLS_RSA_SALT_LEN_ANY
-#define RSA_SIGN MBEDTLS_RSA_SIGN
-#define SSL_ALERT_LEVEL_FATAL MBEDTLS_SSL_ALERT_LEVEL_FATAL
-#define SSL_ALERT_LEVEL_WARNING MBEDTLS_SSL_ALERT_LEVEL_WARNING
-#define SSL_ALERT_MSG_ACCESS_DENIED MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
-#define SSL_ALERT_MSG_BAD_CERT MBEDTLS_SSL_ALERT_MSG_BAD_CERT
-#define SSL_ALERT_MSG_BAD_RECORD_MAC MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
-#define SSL_ALERT_MSG_CERT_EXPIRED MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
-#define SSL_ALERT_MSG_CERT_REVOKED MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
-#define SSL_ALERT_MSG_CERT_UNKNOWN MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
-#define SSL_ALERT_MSG_CLOSE_NOTIFY MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
-#define SSL_ALERT_MSG_DECODE_ERROR MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
-#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE
-#define SSL_ALERT_MSG_DECRYPTION_FAILED MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED
-#define SSL_ALERT_MSG_DECRYPT_ERROR MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
-#define SSL_ALERT_MSG_EXPORT_RESTRICTION MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION
-#define SSL_ALERT_MSG_HANDSHAKE_FAILURE MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
-#define SSL_ALERT_MSG_ILLEGAL_PARAMETER MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
-#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
-#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY
-#define SSL_ALERT_MSG_INTERNAL_ERROR MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
-#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
-#define SSL_ALERT_MSG_NO_CERT MBEDTLS_SSL_ALERT_MSG_NO_CERT
-#define SSL_ALERT_MSG_NO_RENEGOTIATION MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
-#define SSL_ALERT_MSG_PROTOCOL_VERSION MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
-#define SSL_ALERT_MSG_RECORD_OVERFLOW MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW
-#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
-#define SSL_ALERT_MSG_UNKNOWN_CA MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
-#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
-#define SSL_ALERT_MSG_UNRECOGNIZED_NAME MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
-#define SSL_ALERT_MSG_UNSUPPORTED_CERT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
-#define SSL_ALERT_MSG_UNSUPPORTED_EXT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
-#define SSL_ALERT_MSG_USER_CANCELED MBEDTLS_SSL_ALERT_MSG_USER_CANCELED
-#define SSL_ANTI_REPLAY_DISABLED MBEDTLS_SSL_ANTI_REPLAY_DISABLED
-#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
-#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
-#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
-#define SSL_BUFFER_LEN (((MBEDTLS_SSL_IN_BUFFER_LEN) < (MBEDTLS_SSL_OUT_BUFFER_LEN)) \
-                         ? (MBEDTLS_SSL_IN_BUFFER_LEN) : (MBEDTLS_SSL_OUT_BUFFER_LEN))
-#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
-#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
-#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
-#define SSL_CBC_RECORD_SPLITTING_ENABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
-#define SSL_CERTIFICATE_REQUEST MBEDTLS_SSL_CERTIFICATE_REQUEST
-#define SSL_CERTIFICATE_VERIFY MBEDTLS_SSL_CERTIFICATE_VERIFY
-#define SSL_CERT_TYPE_ECDSA_SIGN MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
-#define SSL_CERT_TYPE_RSA_SIGN MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
-#define SSL_CHANNEL_INBOUND MBEDTLS_SSL_CHANNEL_INBOUND
-#define SSL_CHANNEL_OUTBOUND MBEDTLS_SSL_CHANNEL_OUTBOUND
-#define SSL_CIPHERSUITES MBEDTLS_SSL_CIPHERSUITES
-#define SSL_CLIENT_CERTIFICATE MBEDTLS_SSL_CLIENT_CERTIFICATE
-#define SSL_CLIENT_CHANGE_CIPHER_SPEC MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
-#define SSL_CLIENT_FINISHED MBEDTLS_SSL_CLIENT_FINISHED
-#define SSL_CLIENT_HELLO MBEDTLS_SSL_CLIENT_HELLO
-#define SSL_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
-#define SSL_COMPRESSION_ADD MBEDTLS_SSL_COMPRESSION_ADD
-#define SSL_COMPRESS_DEFLATE MBEDTLS_SSL_COMPRESS_DEFLATE
-#define SSL_COMPRESS_NULL MBEDTLS_SSL_COMPRESS_NULL
-#define SSL_DEBUG_BUF MBEDTLS_SSL_DEBUG_BUF
-#define SSL_DEBUG_CRT MBEDTLS_SSL_DEBUG_CRT
-#define SSL_DEBUG_ECP MBEDTLS_SSL_DEBUG_ECP
-#define SSL_DEBUG_MPI MBEDTLS_SSL_DEBUG_MPI
-#define SSL_DEBUG_MSG MBEDTLS_SSL_DEBUG_MSG
-#define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET
-#define SSL_DEFAULT_TICKET_LIFETIME MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
-#define SSL_DTLS_TIMEOUT_DFL_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
-#define SSL_DTLS_TIMEOUT_DFL_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
-#define SSL_EMPTY_RENEGOTIATION_INFO MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
-#define SSL_ETM_DISABLED MBEDTLS_SSL_ETM_DISABLED
-#define SSL_ETM_ENABLED MBEDTLS_SSL_ETM_ENABLED
-#define SSL_EXTENDED_MS_DISABLED MBEDTLS_SSL_EXTENDED_MS_DISABLED
-#define SSL_EXTENDED_MS_ENABLED MBEDTLS_SSL_EXTENDED_MS_ENABLED
-#define SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
-#define SSL_FLUSH_BUFFERS MBEDTLS_SSL_FLUSH_BUFFERS
-#define SSL_HANDSHAKE_OVER MBEDTLS_SSL_HANDSHAKE_OVER
-#define SSL_HANDSHAKE_WRAPUP MBEDTLS_SSL_HANDSHAKE_WRAPUP
-#define SSL_HASH_MD5 MBEDTLS_SSL_HASH_MD5
-#define SSL_HASH_NONE MBEDTLS_SSL_HASH_NONE
-#define SSL_HASH_SHA1 MBEDTLS_SSL_HASH_SHA1
-#define SSL_HASH_SHA224 MBEDTLS_SSL_HASH_SHA224
-#define SSL_HASH_SHA256 MBEDTLS_SSL_HASH_SHA256
-#define SSL_HASH_SHA384 MBEDTLS_SSL_HASH_SHA384
-#define SSL_HASH_SHA512 MBEDTLS_SSL_HASH_SHA512
-#define SSL_HELLO_REQUEST MBEDTLS_SSL_HELLO_REQUEST
-#define SSL_HS_CERTIFICATE MBEDTLS_SSL_HS_CERTIFICATE
-#define SSL_HS_CERTIFICATE_REQUEST MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
-#define SSL_HS_CERTIFICATE_VERIFY MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
-#define SSL_HS_CLIENT_HELLO MBEDTLS_SSL_HS_CLIENT_HELLO
-#define SSL_HS_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
-#define SSL_HS_FINISHED MBEDTLS_SSL_HS_FINISHED
-#define SSL_HS_HELLO_REQUEST MBEDTLS_SSL_HS_HELLO_REQUEST
-#define SSL_HS_HELLO_VERIFY_REQUEST MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
-#define SSL_HS_NEW_SESSION_TICKET MBEDTLS_SSL_HS_NEW_SESSION_TICKET
-#define SSL_HS_SERVER_HELLO MBEDTLS_SSL_HS_SERVER_HELLO
-#define SSL_HS_SERVER_HELLO_DONE MBEDTLS_SSL_HS_SERVER_HELLO_DONE
-#define SSL_HS_SERVER_KEY_EXCHANGE MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
-#define SSL_INITIAL_HANDSHAKE MBEDTLS_SSL_INITIAL_HANDSHAKE
-#define SSL_IS_CLIENT MBEDTLS_SSL_IS_CLIENT
-#define SSL_IS_FALLBACK MBEDTLS_SSL_IS_FALLBACK
-#define SSL_IS_NOT_FALLBACK MBEDTLS_SSL_IS_NOT_FALLBACK
-#define SSL_IS_SERVER MBEDTLS_SSL_IS_SERVER
-#define SSL_LEGACY_ALLOW_RENEGOTIATION MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
-#define SSL_LEGACY_BREAK_HANDSHAKE MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
-#define SSL_LEGACY_NO_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
-#define SSL_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_RENEGOTIATION
-#define SSL_MAC_ADD MBEDTLS_SSL_MAC_ADD
-#define SSL_MAJOR_VERSION_3 MBEDTLS_SSL_MAJOR_VERSION_3
-#define SSL_MAX_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
-#define SSL_MAX_FRAG_LEN_1024 MBEDTLS_SSL_MAX_FRAG_LEN_1024
-#define SSL_MAX_FRAG_LEN_2048 MBEDTLS_SSL_MAX_FRAG_LEN_2048
-#define SSL_MAX_FRAG_LEN_4096 MBEDTLS_SSL_MAX_FRAG_LEN_4096
-#define SSL_MAX_FRAG_LEN_512 MBEDTLS_SSL_MAX_FRAG_LEN_512
-#define SSL_MAX_FRAG_LEN_INVALID MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
-#define SSL_MAX_FRAG_LEN_NONE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
-#define SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAX_MAJOR_VERSION
-#define SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MAX_MINOR_VERSION
-#define SSL_MINOR_VERSION_0 MBEDTLS_SSL_MINOR_VERSION_0
-#define SSL_MINOR_VERSION_1 MBEDTLS_SSL_MINOR_VERSION_1
-#define SSL_MINOR_VERSION_2 MBEDTLS_SSL_MINOR_VERSION_2
-#define SSL_MINOR_VERSION_3 MBEDTLS_SSL_MINOR_VERSION_3
-#define SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MIN_MAJOR_VERSION
-#define SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MIN_MINOR_VERSION
-#define SSL_MSG_ALERT MBEDTLS_SSL_MSG_ALERT
-#define SSL_MSG_APPLICATION_DATA MBEDTLS_SSL_MSG_APPLICATION_DATA
-#define SSL_MSG_CHANGE_CIPHER_SPEC MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
-#define SSL_MSG_HANDSHAKE MBEDTLS_SSL_MSG_HANDSHAKE
-#define SSL_PADDING_ADD MBEDTLS_SSL_PADDING_ADD
-#define SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
-#define SSL_RENEGOTIATION_DISABLED MBEDTLS_SSL_RENEGOTIATION_DISABLED
-#define SSL_RENEGOTIATION_DONE MBEDTLS_SSL_RENEGOTIATION_DONE
-#define SSL_RENEGOTIATION_ENABLED MBEDTLS_SSL_RENEGOTIATION_ENABLED
-#define SSL_RENEGOTIATION_NOT_ENFORCED MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED
-#define SSL_RENEGOTIATION_PENDING MBEDTLS_SSL_RENEGOTIATION_PENDING
-#define SSL_RENEGO_MAX_RECORDS_DEFAULT MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
-#define SSL_RETRANS_FINISHED MBEDTLS_SSL_RETRANS_FINISHED
-#define SSL_RETRANS_PREPARING MBEDTLS_SSL_RETRANS_PREPARING
-#define SSL_RETRANS_SENDING MBEDTLS_SSL_RETRANS_SENDING
-#define SSL_RETRANS_WAITING MBEDTLS_SSL_RETRANS_WAITING
-#define SSL_SECURE_RENEGOTIATION MBEDTLS_SSL_SECURE_RENEGOTIATION
-#define SSL_SERVER_CERTIFICATE MBEDTLS_SSL_SERVER_CERTIFICATE
-#define SSL_SERVER_CHANGE_CIPHER_SPEC MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
-#define SSL_SERVER_FINISHED MBEDTLS_SSL_SERVER_FINISHED
-#define SSL_SERVER_HELLO MBEDTLS_SSL_SERVER_HELLO
-#define SSL_SERVER_HELLO_DONE MBEDTLS_SSL_SERVER_HELLO_DONE
-#define SSL_SERVER_HELLO_VERIFY_REQUEST_SENT MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
-#define SSL_SERVER_KEY_EXCHANGE MBEDTLS_SSL_SERVER_KEY_EXCHANGE
-#define SSL_SERVER_NEW_SESSION_TICKET MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
-#define SSL_SESSION_TICKETS_DISABLED MBEDTLS_SSL_SESSION_TICKETS_DISABLED
-#define SSL_SESSION_TICKETS_ENABLED MBEDTLS_SSL_SESSION_TICKETS_ENABLED
-#define SSL_SIG_ANON MBEDTLS_SSL_SIG_ANON
-#define SSL_SIG_ECDSA MBEDTLS_SSL_SIG_ECDSA
-#define SSL_SIG_RSA MBEDTLS_SSL_SIG_RSA
-#define SSL_TRANSPORT_DATAGRAM MBEDTLS_SSL_TRANSPORT_DATAGRAM
-#define SSL_TRANSPORT_STREAM MBEDTLS_SSL_TRANSPORT_STREAM
-#define SSL_TRUNCATED_HMAC_LEN MBEDTLS_SSL_TRUNCATED_HMAC_LEN
-#define SSL_TRUNC_HMAC_DISABLED MBEDTLS_SSL_TRUNC_HMAC_DISABLED
-#define SSL_TRUNC_HMAC_ENABLED MBEDTLS_SSL_TRUNC_HMAC_ENABLED
-#define SSL_VERIFY_DATA_MAX_LEN MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
-#define SSL_VERIFY_NONE MBEDTLS_SSL_VERIFY_NONE
-#define SSL_VERIFY_OPTIONAL MBEDTLS_SSL_VERIFY_OPTIONAL
-#define SSL_VERIFY_REQUIRED MBEDTLS_SSL_VERIFY_REQUIRED
-#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
-#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
-#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
-#define TLS_DHE_PSK_WITH_AES_128_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM
-#define TLS_DHE_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8
-#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
-#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
-#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
-#define TLS_DHE_PSK_WITH_AES_256_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM
-#define TLS_DHE_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8
-#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
-#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
-#define TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
-#define TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
-#define TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-#define TLS_DHE_RSA_WITH_AES_128_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM
-#define TLS_DHE_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8
-#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-#define TLS_DHE_RSA_WITH_AES_256_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM
-#define TLS_DHE_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8
-#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
-#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
-#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
-#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
-#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
-#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
-#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
-#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
-#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
-#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
-#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
-    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
-    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
-    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
-    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
-#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
-#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
-#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
-#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
-#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
-#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
-#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 \
-    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 \
-    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
-#define TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
-#define TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
-#define TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
-#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
-#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 \
-    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 \
-    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 \
-    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 \
-    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
-#define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
-#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
-#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
-#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
-#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
-#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
-#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
-#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
-    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
-    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
-    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
-    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
-#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
-#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
-#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
-#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
-#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
-#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
-#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
-#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
-#define TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
-#define TLS_EXT_ALPN MBEDTLS_TLS_EXT_ALPN
-#define TLS_EXT_ENCRYPT_THEN_MAC MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
-#define TLS_EXT_EXTENDED_MASTER_SECRET MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
-#define TLS_EXT_MAX_FRAGMENT_LENGTH MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
-#define TLS_EXT_RENEGOTIATION_INFO MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
-#define TLS_EXT_SERVERNAME MBEDTLS_TLS_EXT_SERVERNAME
-#define TLS_EXT_SERVERNAME_HOSTNAME MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
-#define TLS_EXT_SESSION_TICKET MBEDTLS_TLS_EXT_SESSION_TICKET
-#define TLS_EXT_SIG_ALG MBEDTLS_TLS_EXT_SIG_ALG
-#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
-#define TLS_EXT_SUPPORTED_POINT_FORMATS MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
-#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
-#define TLS_EXT_TRUNCATED_HMAC MBEDTLS_TLS_EXT_TRUNCATED_HMAC
-#define TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
-#define TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
-#define TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
-#define TLS_PSK_WITH_AES_128_CCM MBEDTLS_TLS_PSK_WITH_AES_128_CCM
-#define TLS_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
-#define TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
-#define TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
-#define TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
-#define TLS_PSK_WITH_AES_256_CCM MBEDTLS_TLS_PSK_WITH_AES_256_CCM
-#define TLS_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8
-#define TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
-#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA
-#define TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
-#define TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
-#define TLS_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
-#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
-#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
-#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
-#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
-#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
-#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
-#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
-#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
-#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
-#define TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
-#define TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
-#define TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
-#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
-#define TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
-#define TLS_RSA_WITH_AES_128_CCM MBEDTLS_TLS_RSA_WITH_AES_128_CCM
-#define TLS_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8
-#define TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
-#define TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
-#define TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
-#define TLS_RSA_WITH_AES_256_CCM MBEDTLS_TLS_RSA_WITH_AES_256_CCM
-#define TLS_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8
-#define TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
-#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
-#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
-#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
-#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
-#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
-#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
-#define TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
-#define TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_WITH_NULL_MD5
-#define TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA
-#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
-#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
-#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
-#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
-#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
-#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
-#define X509_FORMAT_DER MBEDTLS_X509_FORMAT_DER
-#define X509_FORMAT_PEM MBEDTLS_X509_FORMAT_PEM
-#define X509_MAX_DN_NAME_SIZE MBEDTLS_X509_MAX_DN_NAME_SIZE
-#define X509_RFC5280_MAX_SERIAL_LEN MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
-#define X509_RFC5280_UTC_TIME_LEN MBEDTLS_X509_RFC5280_UTC_TIME_LEN
-#define XTEA_DECRYPT MBEDTLS_XTEA_DECRYPT
-#define XTEA_ENCRYPT MBEDTLS_XTEA_ENCRYPT
-#define _asn1_bitstring mbedtls_asn1_bitstring
-#define _asn1_buf mbedtls_asn1_buf
-#define _asn1_named_data mbedtls_asn1_named_data
-#define _asn1_sequence mbedtls_asn1_sequence
-#define _ssl_cache_context mbedtls_ssl_cache_context
-#define _ssl_cache_entry mbedtls_ssl_cache_entry
-#define _ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
-#define _ssl_context mbedtls_ssl_context
-#define _ssl_flight_item mbedtls_ssl_flight_item
-#define _ssl_handshake_params mbedtls_ssl_handshake_params
-#define _ssl_key_cert mbedtls_ssl_key_cert
-#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
-#define _ssl_session mbedtls_ssl_session
-#define _ssl_transform mbedtls_ssl_transform
-#define _x509_crl mbedtls_x509_crl
-#define _x509_crl_entry mbedtls_x509_crl_entry
-#define _x509_crt mbedtls_x509_crt
-#define _x509_csr mbedtls_x509_csr
-#define _x509_time mbedtls_x509_time
-#define _x509write_cert mbedtls_x509write_cert
-#define _x509write_csr mbedtls_x509write_csr
-#define aes_context mbedtls_aes_context
-#define aes_crypt_cbc mbedtls_aes_crypt_cbc
-#define aes_crypt_cfb128 mbedtls_aes_crypt_cfb128
-#define aes_crypt_cfb8 mbedtls_aes_crypt_cfb8
-#define aes_crypt_ctr mbedtls_aes_crypt_ctr
-#define aes_crypt_ecb mbedtls_aes_crypt_ecb
-#define aes_free mbedtls_aes_free
-#define aes_init mbedtls_aes_init
-#define aes_self_test mbedtls_aes_self_test
-#define aes_setkey_dec mbedtls_aes_setkey_dec
-#define aes_setkey_enc mbedtls_aes_setkey_enc
-#define aesni_crypt_ecb mbedtls_aesni_crypt_ecb
-#define aesni_gcm_mult mbedtls_aesni_gcm_mult
-#define aesni_inverse_key mbedtls_aesni_inverse_key
-#define aesni_setkey_enc mbedtls_aesni_setkey_enc
-#define aesni_supports mbedtls_aesni_has_support
-#define alarmed mbedtls_timing_alarmed
-#define arc4_context mbedtls_arc4_context
-#define arc4_crypt mbedtls_arc4_crypt
-#define arc4_free mbedtls_arc4_free
-#define arc4_init mbedtls_arc4_init
-#define arc4_self_test mbedtls_arc4_self_test
-#define arc4_setup mbedtls_arc4_setup
-#define asn1_bitstring mbedtls_asn1_bitstring
-#define asn1_buf mbedtls_asn1_buf
-#define asn1_find_named_data mbedtls_asn1_find_named_data
-#define asn1_free_named_data mbedtls_asn1_free_named_data
-#define asn1_free_named_data_list mbedtls_asn1_free_named_data_list
-#define asn1_get_alg mbedtls_asn1_get_alg
-#define asn1_get_alg_null mbedtls_asn1_get_alg_null
-#define asn1_get_bitstring mbedtls_asn1_get_bitstring
-#define asn1_get_bitstring_null mbedtls_asn1_get_bitstring_null
-#define asn1_get_bool mbedtls_asn1_get_bool
-#define asn1_get_int mbedtls_asn1_get_int
-#define asn1_get_len mbedtls_asn1_get_len
-#define asn1_get_mpi mbedtls_asn1_get_mpi
-#define asn1_get_sequence_of mbedtls_asn1_get_sequence_of
-#define asn1_get_tag mbedtls_asn1_get_tag
-#define asn1_named_data mbedtls_asn1_named_data
-#define asn1_sequence mbedtls_asn1_sequence
-#define asn1_store_named_data mbedtls_asn1_store_named_data
-#define asn1_write_algorithm_identifier mbedtls_asn1_write_algorithm_identifier
-#define asn1_write_bitstring mbedtls_asn1_write_bitstring
-#define asn1_write_bool mbedtls_asn1_write_bool
-#define asn1_write_ia5_string mbedtls_asn1_write_ia5_string
-#define asn1_write_int mbedtls_asn1_write_int
-#define asn1_write_len mbedtls_asn1_write_len
-#define asn1_write_mpi mbedtls_asn1_write_mpi
-#define asn1_write_null mbedtls_asn1_write_null
-#define asn1_write_octet_string mbedtls_asn1_write_octet_string
-#define asn1_write_oid mbedtls_asn1_write_oid
-#define asn1_write_printable_string mbedtls_asn1_write_printable_string
-#define asn1_write_raw_buffer mbedtls_asn1_write_raw_buffer
-#define asn1_write_tag mbedtls_asn1_write_tag
-#define base64_decode mbedtls_base64_decode
-#define base64_encode mbedtls_base64_encode
-#define base64_self_test mbedtls_base64_self_test
-#define blowfish_context mbedtls_blowfish_context
-#define blowfish_crypt_cbc mbedtls_blowfish_crypt_cbc
-#define blowfish_crypt_cfb64 mbedtls_blowfish_crypt_cfb64
-#define blowfish_crypt_ctr mbedtls_blowfish_crypt_ctr
-#define blowfish_crypt_ecb mbedtls_blowfish_crypt_ecb
-#define blowfish_free mbedtls_blowfish_free
-#define blowfish_init mbedtls_blowfish_init
-#define blowfish_setkey mbedtls_blowfish_setkey
-#define camellia_context mbedtls_camellia_context
-#define camellia_crypt_cbc mbedtls_camellia_crypt_cbc
-#define camellia_crypt_cfb128 mbedtls_camellia_crypt_cfb128
-#define camellia_crypt_ctr mbedtls_camellia_crypt_ctr
-#define camellia_crypt_ecb mbedtls_camellia_crypt_ecb
-#define camellia_free mbedtls_camellia_free
-#define camellia_init mbedtls_camellia_init
-#define camellia_self_test mbedtls_camellia_self_test
-#define camellia_setkey_dec mbedtls_camellia_setkey_dec
-#define camellia_setkey_enc mbedtls_camellia_setkey_enc
-#define ccm_auth_decrypt mbedtls_ccm_auth_decrypt
-#define ccm_context mbedtls_ccm_context
-#define ccm_encrypt_and_tag mbedtls_ccm_encrypt_and_tag
-#define ccm_free mbedtls_ccm_free
-#define ccm_init mbedtls_ccm_init
-#define ccm_self_test mbedtls_ccm_self_test
-#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
-#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
-#define cipher_base_t mbedtls_cipher_base_t
-#define cipher_check_tag mbedtls_cipher_check_tag
-#define cipher_context_t mbedtls_cipher_context_t
-#define cipher_crypt mbedtls_cipher_crypt
-#define cipher_definition_t mbedtls_cipher_definition_t
-#define cipher_definitions mbedtls_cipher_definitions
-#define cipher_finish mbedtls_cipher_finish
-#define cipher_free mbedtls_cipher_free
-#define cipher_get_block_size mbedtls_cipher_get_block_size
-#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
-#define cipher_get_iv_size mbedtls_cipher_get_iv_size
-#define cipher_get_key_size mbedtls_cipher_get_key_bitlen
-#define cipher_get_name mbedtls_cipher_get_name
-#define cipher_get_operation mbedtls_cipher_get_operation
-#define cipher_get_type mbedtls_cipher_get_type
-#define cipher_id_t mbedtls_cipher_id_t
-#define cipher_info_from_string mbedtls_cipher_info_from_string
-#define cipher_info_from_type mbedtls_cipher_info_from_type
-#define cipher_info_from_values mbedtls_cipher_info_from_values
-#define cipher_info_t mbedtls_cipher_info_t
-#define cipher_init mbedtls_cipher_init
-#define cipher_init_ctx mbedtls_cipher_setup
-#define cipher_list mbedtls_cipher_list
-#define cipher_mode_t mbedtls_cipher_mode_t
-#define cipher_padding_t mbedtls_cipher_padding_t
-#define cipher_reset mbedtls_cipher_reset
-#define cipher_set_iv mbedtls_cipher_set_iv
-#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
-#define cipher_setkey mbedtls_cipher_setkey
-#define cipher_type_t mbedtls_cipher_type_t
-#define cipher_update mbedtls_cipher_update
-#define cipher_update_ad mbedtls_cipher_update_ad
-#define cipher_write_tag mbedtls_cipher_write_tag
-#define ctr_drbg_context mbedtls_ctr_drbg_context
-#define ctr_drbg_free mbedtls_ctr_drbg_free
-#define ctr_drbg_init mbedtls_ctr_drbg_init
-#define ctr_drbg_random mbedtls_ctr_drbg_random
-#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
-#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
-#define ctr_drbg_self_test mbedtls_ctr_drbg_self_test
-#define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
-#define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
-#define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
-#define ctr_drbg_update mbedtls_ctr_drbg_update
-#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
-#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
-#define debug_print_buf mbedtls_debug_print_buf
-#define debug_print_crt mbedtls_debug_print_crt
-#define debug_print_ecp mbedtls_debug_print_ecp
-#define debug_print_mpi mbedtls_debug_print_mpi
-#define debug_print_msg mbedtls_debug_print_msg
-#define debug_print_ret mbedtls_debug_print_ret
-#define debug_set_threshold mbedtls_debug_set_threshold
-#define des3_context mbedtls_des3_context
-#define des3_crypt_cbc mbedtls_des3_crypt_cbc
-#define des3_crypt_ecb mbedtls_des3_crypt_ecb
-#define des3_free mbedtls_des3_free
-#define des3_init mbedtls_des3_init
-#define des3_set2key_dec mbedtls_des3_set2key_dec
-#define des3_set2key_enc mbedtls_des3_set2key_enc
-#define des3_set3key_dec mbedtls_des3_set3key_dec
-#define des3_set3key_enc mbedtls_des3_set3key_enc
-#define des_context mbedtls_des_context
-#define des_crypt_cbc mbedtls_des_crypt_cbc
-#define des_crypt_ecb mbedtls_des_crypt_ecb
-#define des_free mbedtls_des_free
-#define des_init mbedtls_des_init
-#define des_key_check_key_parity mbedtls_des_key_check_key_parity
-#define des_key_check_weak mbedtls_des_key_check_weak
-#define des_key_set_parity mbedtls_des_key_set_parity
-#define des_self_test mbedtls_des_self_test
-#define des_setkey_dec mbedtls_des_setkey_dec
-#define des_setkey_enc mbedtls_des_setkey_enc
-#define dhm_calc_secret mbedtls_dhm_calc_secret
-#define dhm_context mbedtls_dhm_context
-#define dhm_free mbedtls_dhm_free
-#define dhm_init mbedtls_dhm_init
-#define dhm_make_params mbedtls_dhm_make_params
-#define dhm_make_public mbedtls_dhm_make_public
-#define dhm_parse_dhm mbedtls_dhm_parse_dhm
-#define dhm_parse_dhmfile mbedtls_dhm_parse_dhmfile
-#define dhm_read_params mbedtls_dhm_read_params
-#define dhm_read_public mbedtls_dhm_read_public
-#define dhm_self_test mbedtls_dhm_self_test
-#define ecdh_calc_secret mbedtls_ecdh_calc_secret
-#define ecdh_compute_shared mbedtls_ecdh_compute_shared
-#define ecdh_context mbedtls_ecdh_context
-#define ecdh_free mbedtls_ecdh_free
-#define ecdh_gen_public mbedtls_ecdh_gen_public
-#define ecdh_get_params mbedtls_ecdh_get_params
-#define ecdh_init mbedtls_ecdh_init
-#define ecdh_make_params mbedtls_ecdh_make_params
-#define ecdh_make_public mbedtls_ecdh_make_public
-#define ecdh_read_params mbedtls_ecdh_read_params
-#define ecdh_read_public mbedtls_ecdh_read_public
-#define ecdh_side mbedtls_ecdh_side
-#define ecdsa_context mbedtls_ecdsa_context
-#define ecdsa_free mbedtls_ecdsa_free
-#define ecdsa_from_keypair mbedtls_ecdsa_from_keypair
-#define ecdsa_genkey mbedtls_ecdsa_genkey
-#define ecdsa_info mbedtls_ecdsa_info
-#define ecdsa_init mbedtls_ecdsa_init
-#define ecdsa_read_signature mbedtls_ecdsa_read_signature
-#define ecdsa_sign mbedtls_ecdsa_sign
-#define ecdsa_sign_det mbedtls_ecdsa_sign_det
-#define ecdsa_verify mbedtls_ecdsa_verify
-#define ecdsa_write_signature mbedtls_ecdsa_write_signature
-#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
-#define eckey_info mbedtls_eckey_info
-#define eckeydh_info mbedtls_eckeydh_info
-#define ecp_check_privkey mbedtls_ecp_check_privkey
-#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
-#define ecp_check_pubkey mbedtls_ecp_check_pubkey
-#define ecp_copy mbedtls_ecp_copy
-#define ecp_curve_info mbedtls_ecp_curve_info
-#define ecp_curve_info_from_grp_id mbedtls_ecp_curve_info_from_grp_id
-#define ecp_curve_info_from_name mbedtls_ecp_curve_info_from_name
-#define ecp_curve_info_from_tls_id mbedtls_ecp_curve_info_from_tls_id
-#define ecp_curve_list mbedtls_ecp_curve_list
-#define ecp_gen_key mbedtls_ecp_gen_key
-#define ecp_gen_keypair mbedtls_ecp_gen_keypair
-#define ecp_group mbedtls_ecp_group
-#define ecp_group_copy mbedtls_ecp_group_copy
-#define ecp_group_free mbedtls_ecp_group_free
-#define ecp_group_id mbedtls_ecp_group_id
-#define ecp_group_init mbedtls_ecp_group_init
-#define ecp_grp_id_list mbedtls_ecp_grp_id_list
-#define ecp_is_zero mbedtls_ecp_is_zero
-#define ecp_keypair mbedtls_ecp_keypair
-#define ecp_keypair_free mbedtls_ecp_keypair_free
-#define ecp_keypair_init mbedtls_ecp_keypair_init
-#define ecp_mul mbedtls_ecp_mul
-#define ecp_point mbedtls_ecp_point
-#define ecp_point_free mbedtls_ecp_point_free
-#define ecp_point_init mbedtls_ecp_point_init
-#define ecp_point_read_binary mbedtls_ecp_point_read_binary
-#define ecp_point_read_string mbedtls_ecp_point_read_string
-#define ecp_point_write_binary mbedtls_ecp_point_write_binary
-#define ecp_self_test mbedtls_ecp_self_test
-#define ecp_set_zero mbedtls_ecp_set_zero
-#define ecp_tls_read_group mbedtls_ecp_tls_read_group
-#define ecp_tls_read_point mbedtls_ecp_tls_read_point
-#define ecp_tls_write_group mbedtls_ecp_tls_write_group
-#define ecp_tls_write_point mbedtls_ecp_tls_write_point
-#define ecp_use_known_dp mbedtls_ecp_group_load
-#define entropy_add_source mbedtls_entropy_add_source
-#define entropy_context mbedtls_entropy_context
-#define entropy_free mbedtls_entropy_free
-#define entropy_func mbedtls_entropy_func
-#define entropy_gather mbedtls_entropy_gather
-#define entropy_init mbedtls_entropy_init
-#define entropy_self_test mbedtls_entropy_self_test
-#define entropy_update_manual mbedtls_entropy_update_manual
-#define entropy_update_seed_file mbedtls_entropy_update_seed_file
-#define entropy_write_seed_file mbedtls_entropy_write_seed_file
-#define error_strerror mbedtls_strerror
-#define f_source_ptr mbedtls_entropy_f_source_ptr
-#define gcm_auth_decrypt mbedtls_gcm_auth_decrypt
-#define gcm_context mbedtls_gcm_context
-#define gcm_crypt_and_tag mbedtls_gcm_crypt_and_tag
-#define gcm_finish mbedtls_gcm_finish
-#define gcm_free mbedtls_gcm_free
-#define gcm_init mbedtls_gcm_init
-#define gcm_self_test mbedtls_gcm_self_test
-#define gcm_starts mbedtls_gcm_starts
-#define gcm_update mbedtls_gcm_update
-#define get_timer mbedtls_timing_get_timer
-#define hardclock mbedtls_timing_hardclock
-#define hardclock_poll mbedtls_hardclock_poll
-#define havege_free mbedtls_havege_free
-#define havege_init mbedtls_havege_init
-#define havege_poll mbedtls_havege_poll
-#define havege_random mbedtls_havege_random
-#define havege_state mbedtls_havege_state
-#define hmac_drbg_context mbedtls_hmac_drbg_context
-#define hmac_drbg_free mbedtls_hmac_drbg_free
-#define hmac_drbg_init mbedtls_hmac_drbg_init
-#define hmac_drbg_random mbedtls_hmac_drbg_random
-#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
-#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
-#define hmac_drbg_self_test mbedtls_hmac_drbg_self_test
-#define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
-#define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
-#define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
-#define hmac_drbg_update mbedtls_hmac_drbg_update
-#define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
-#define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
-#define hr_time mbedtls_timing_hr_time
-#define key_exchange_type_t mbedtls_key_exchange_type_t
-#define md mbedtls_md
-#define md2 mbedtls_md2
-#define md2_context mbedtls_md2_context
-#define md2_finish mbedtls_md2_finish
-#define md2_free mbedtls_md2_free
-#define md2_info mbedtls_md2_info
-#define md2_init mbedtls_md2_init
-#define md2_process mbedtls_md2_process
-#define md2_self_test mbedtls_md2_self_test
-#define md2_starts mbedtls_md2_starts
-#define md2_update mbedtls_md2_update
-#define md4 mbedtls_md4
-#define md4_context mbedtls_md4_context
-#define md4_finish mbedtls_md4_finish
-#define md4_free mbedtls_md4_free
-#define md4_info mbedtls_md4_info
-#define md4_init mbedtls_md4_init
-#define md4_process mbedtls_md4_process
-#define md4_self_test mbedtls_md4_self_test
-#define md4_starts mbedtls_md4_starts
-#define md4_update mbedtls_md4_update
-#define md5 mbedtls_md5
-#define md5_context mbedtls_md5_context
-#define md5_finish mbedtls_md5_finish
-#define md5_free mbedtls_md5_free
-#define md5_info mbedtls_md5_info
-#define md5_init mbedtls_md5_init
-#define md5_process mbedtls_md5_process
-#define md5_self_test mbedtls_md5_self_test
-#define md5_starts mbedtls_md5_starts
-#define md5_update mbedtls_md5_update
-#define md_context_t mbedtls_md_context_t
-#define md_file mbedtls_md_file
-#define md_finish mbedtls_md_finish
-#define md_free mbedtls_md_free
-#define md_get_name mbedtls_md_get_name
-#define md_get_size mbedtls_md_get_size
-#define md_get_type mbedtls_md_get_type
-#define md_hmac mbedtls_md_hmac
-#define md_hmac_finish mbedtls_md_hmac_finish
-#define md_hmac_reset mbedtls_md_hmac_reset
-#define md_hmac_starts mbedtls_md_hmac_starts
-#define md_hmac_update mbedtls_md_hmac_update
-#define md_info_from_string mbedtls_md_info_from_string
-#define md_info_from_type mbedtls_md_info_from_type
-#define md_info_t mbedtls_md_info_t
-#define md_init mbedtls_md_init
-#define md_init_ctx mbedtls_md_init_ctx
-#define md_list mbedtls_md_list
-#define md_process mbedtls_md_process
-#define md_starts mbedtls_md_starts
-#define md_type_t mbedtls_md_type_t
-#define md_update mbedtls_md_update
-#define memory_buffer_alloc_cur_get mbedtls_memory_buffer_alloc_cur_get
-#define memory_buffer_alloc_free mbedtls_memory_buffer_alloc_free
-#define memory_buffer_alloc_init mbedtls_memory_buffer_alloc_init
-#define memory_buffer_alloc_max_get mbedtls_memory_buffer_alloc_max_get
-#define memory_buffer_alloc_max_reset mbedtls_memory_buffer_alloc_max_reset
-#define memory_buffer_alloc_self_test mbedtls_memory_buffer_alloc_self_test
-#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
-#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
-#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
-#define mpi mbedtls_mpi
-#define mpi_add_abs mbedtls_mpi_add_abs
-#define mpi_add_int mbedtls_mpi_add_int
-#define mpi_add_mpi mbedtls_mpi_add_mpi
-#define mpi_cmp_abs mbedtls_mpi_cmp_abs
-#define mpi_cmp_int mbedtls_mpi_cmp_int
-#define mpi_cmp_mpi mbedtls_mpi_cmp_mpi
-#define mpi_copy mbedtls_mpi_copy
-#define mpi_div_int mbedtls_mpi_div_int
-#define mpi_div_mpi mbedtls_mpi_div_mpi
-#define mpi_exp_mod mbedtls_mpi_exp_mod
-#define mpi_fill_random mbedtls_mpi_fill_random
-#define mpi_free mbedtls_mpi_free
-#define mpi_gcd mbedtls_mpi_gcd
-#define mpi_gen_prime mbedtls_mpi_gen_prime
-#define mpi_get_bit mbedtls_mpi_get_bit
-#define mpi_grow mbedtls_mpi_grow
-#define mpi_init mbedtls_mpi_init
-#define mpi_inv_mod mbedtls_mpi_inv_mod
-#define mpi_is_prime mbedtls_mpi_is_prime
-#define mpi_lsb mbedtls_mpi_lsb
-#define mpi_lset mbedtls_mpi_lset
-#define mpi_mod_int mbedtls_mpi_mod_int
-#define mpi_mod_mpi mbedtls_mpi_mod_mpi
-#define mpi_msb mbedtls_mpi_bitlen
-#define mpi_mul_int mbedtls_mpi_mul_int
-#define mpi_mul_mpi mbedtls_mpi_mul_mpi
-#define mpi_read_binary mbedtls_mpi_read_binary
-#define mpi_read_file mbedtls_mpi_read_file
-#define mpi_read_string mbedtls_mpi_read_string
-#define mpi_safe_cond_assign mbedtls_mpi_safe_cond_assign
-#define mpi_safe_cond_swap mbedtls_mpi_safe_cond_swap
-#define mpi_self_test mbedtls_mpi_self_test
-#define mpi_set_bit mbedtls_mpi_set_bit
-#define mpi_shift_l mbedtls_mpi_shift_l
-#define mpi_shift_r mbedtls_mpi_shift_r
-#define mpi_shrink mbedtls_mpi_shrink
-#define mpi_size mbedtls_mpi_size
-#define mpi_sub_abs mbedtls_mpi_sub_abs
-#define mpi_sub_int mbedtls_mpi_sub_int
-#define mpi_sub_mpi mbedtls_mpi_sub_mpi
-#define mpi_swap mbedtls_mpi_swap
-#define mpi_write_binary mbedtls_mpi_write_binary
-#define mpi_write_file mbedtls_mpi_write_file
-#define mpi_write_string mbedtls_mpi_write_string
-#define net_accept mbedtls_net_accept
-#define net_bind mbedtls_net_bind
-#define net_close mbedtls_net_free
-#define net_connect mbedtls_net_connect
-#define net_recv mbedtls_net_recv
-#define net_recv_timeout mbedtls_net_recv_timeout
-#define net_send mbedtls_net_send
-#define net_set_block mbedtls_net_set_block
-#define net_set_nonblock mbedtls_net_set_nonblock
-#define net_usleep mbedtls_net_usleep
-#define oid_descriptor_t mbedtls_oid_descriptor_t
-#define oid_get_attr_short_name mbedtls_oid_get_attr_short_name
-#define oid_get_cipher_alg mbedtls_oid_get_cipher_alg
-#define oid_get_ec_grp mbedtls_oid_get_ec_grp
-#define oid_get_extended_key_usage mbedtls_oid_get_extended_key_usage
-#define oid_get_md_alg mbedtls_oid_get_md_alg
-#define oid_get_numeric_string mbedtls_oid_get_numeric_string
-#define oid_get_oid_by_ec_grp mbedtls_oid_get_oid_by_ec_grp
-#define oid_get_oid_by_md mbedtls_oid_get_oid_by_md
-#define oid_get_oid_by_pk_alg mbedtls_oid_get_oid_by_pk_alg
-#define oid_get_oid_by_sig_alg mbedtls_oid_get_oid_by_sig_alg
-#define oid_get_pk_alg mbedtls_oid_get_pk_alg
-#define oid_get_pkcs12_pbe_alg mbedtls_oid_get_pkcs12_pbe_alg
-#define oid_get_sig_alg mbedtls_oid_get_sig_alg
-#define oid_get_sig_alg_desc mbedtls_oid_get_sig_alg_desc
-#define oid_get_x509_ext_type mbedtls_oid_get_x509_ext_type
-#define operation_t mbedtls_operation_t
-#define padlock_supports mbedtls_padlock_has_support
-#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
-#define padlock_xcryptecb mbedtls_padlock_xcryptecb
-#define pem_context mbedtls_pem_context
-#define pem_free mbedtls_pem_free
-#define pem_init mbedtls_pem_init
-#define pem_read_buffer mbedtls_pem_read_buffer
-#define pem_write_buffer mbedtls_pem_write_buffer
-#define pk_can_do mbedtls_pk_can_do
-#define pk_check_pair mbedtls_pk_check_pair
-#define pk_context mbedtls_pk_context
-#define pk_debug mbedtls_pk_debug
-#define pk_debug_item mbedtls_pk_debug_item
-#define pk_debug_type mbedtls_pk_debug_type
-#define pk_decrypt mbedtls_pk_decrypt
-#define pk_ec mbedtls_pk_ec
-#define pk_encrypt mbedtls_pk_encrypt
-#define pk_free mbedtls_pk_free
-#define pk_get_len mbedtls_pk_get_len
-#define pk_get_name mbedtls_pk_get_name
-#define pk_get_size mbedtls_pk_get_bitlen
-#define pk_get_type mbedtls_pk_get_type
-#define pk_info_from_type mbedtls_pk_info_from_type
-#define pk_info_t mbedtls_pk_info_t
-#define pk_init mbedtls_pk_init
-#define pk_init_ctx mbedtls_pk_setup
-#define pk_init_ctx_rsa_alt mbedtls_pk_setup_rsa_alt
-#define pk_load_file mbedtls_pk_load_file
-#define pk_parse_key mbedtls_pk_parse_key
-#define pk_parse_keyfile mbedtls_pk_parse_keyfile
-#define pk_parse_public_key mbedtls_pk_parse_public_key
-#define pk_parse_public_keyfile mbedtls_pk_parse_public_keyfile
-#define pk_parse_subpubkey mbedtls_pk_parse_subpubkey
-#define pk_rsa mbedtls_pk_rsa
-#define pk_rsa_alt_decrypt_func mbedtls_pk_rsa_alt_decrypt_func
-#define pk_rsa_alt_key_len_func mbedtls_pk_rsa_alt_key_len_func
-#define pk_rsa_alt_sign_func mbedtls_pk_rsa_alt_sign_func
-#define pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options
-#define pk_sign mbedtls_pk_sign
-#define pk_type_t mbedtls_pk_type_t
-#define pk_verify mbedtls_pk_verify
-#define pk_verify_ext mbedtls_pk_verify_ext
-#define pk_write_key_der mbedtls_pk_write_key_der
-#define pk_write_key_pem mbedtls_pk_write_key_pem
-#define pk_write_pubkey mbedtls_pk_write_pubkey
-#define pk_write_pubkey_der mbedtls_pk_write_pubkey_der
-#define pk_write_pubkey_pem mbedtls_pk_write_pubkey_pem
-#define pkcs11_context mbedtls_pkcs11_context
-#define pkcs11_decrypt mbedtls_pkcs11_decrypt
-#define pkcs11_priv_key_free mbedtls_pkcs11_priv_key_free
-#define pkcs11_priv_key_init mbedtls_pkcs11_priv_key_bind
-#define pkcs11_sign mbedtls_pkcs11_sign
-#define pkcs11_x509_cert_init mbedtls_pkcs11_x509_cert_bind
-#define pkcs12_derivation mbedtls_pkcs12_derivation
-#define pkcs12_pbe mbedtls_pkcs12_pbe
-#define pkcs12_pbe_sha1_rc4_128 mbedtls_pkcs12_pbe_sha1_rc4_128
-#define pkcs5_pbes2 mbedtls_pkcs5_pbes2
-#define pkcs5_pbkdf2_hmac mbedtls_pkcs5_pbkdf2_hmac
-#define pkcs5_self_test mbedtls_pkcs5_self_test
-#define platform_entropy_poll mbedtls_platform_entropy_poll
-#define platform_set_exit mbedtls_platform_set_exit
-#define platform_set_fprintf mbedtls_platform_set_fprintf
-#define platform_set_printf mbedtls_platform_set_printf
-#define platform_set_snprintf mbedtls_platform_set_snprintf
-#define polarssl_exit mbedtls_exit
-#define polarssl_fprintf mbedtls_fprintf
-#define polarssl_free mbedtls_free
-#define polarssl_mutex_free mbedtls_mutex_free
-#define polarssl_mutex_init mbedtls_mutex_init
-#define polarssl_mutex_lock mbedtls_mutex_lock
-#define polarssl_mutex_unlock mbedtls_mutex_unlock
-#define polarssl_printf mbedtls_printf
-#define polarssl_snprintf mbedtls_snprintf
-#define polarssl_strerror mbedtls_strerror
-#define ripemd160 mbedtls_ripemd160
-#define ripemd160_context mbedtls_ripemd160_context
-#define ripemd160_finish mbedtls_ripemd160_finish
-#define ripemd160_free mbedtls_ripemd160_free
-#define ripemd160_info mbedtls_ripemd160_info
-#define ripemd160_init mbedtls_ripemd160_init
-#define ripemd160_process mbedtls_ripemd160_process
-#define ripemd160_self_test mbedtls_ripemd160_self_test
-#define ripemd160_starts mbedtls_ripemd160_starts
-#define ripemd160_update mbedtls_ripemd160_update
-#define rsa_alt_context mbedtls_rsa_alt_context
-#define rsa_alt_info mbedtls_rsa_alt_info
-#define rsa_check_privkey mbedtls_rsa_check_privkey
-#define rsa_check_pub_priv mbedtls_rsa_check_pub_priv
-#define rsa_check_pubkey mbedtls_rsa_check_pubkey
-#define rsa_context mbedtls_rsa_context
-#define rsa_copy mbedtls_rsa_copy
-#define rsa_free mbedtls_rsa_free
-#define rsa_gen_key mbedtls_rsa_gen_key
-#define rsa_info mbedtls_rsa_info
-#define rsa_init mbedtls_rsa_init
-#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
-#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
-#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
-#define rsa_pkcs1_verify mbedtls_rsa_pkcs1_verify
-#define rsa_private mbedtls_rsa_private
-#define rsa_public mbedtls_rsa_public
-#define rsa_rsaes_oaep_decrypt mbedtls_rsa_rsaes_oaep_decrypt
-#define rsa_rsaes_oaep_encrypt mbedtls_rsa_rsaes_oaep_encrypt
-#define rsa_rsaes_pkcs1_v15_decrypt mbedtls_rsa_rsaes_pkcs1_v15_decrypt
-#define rsa_rsaes_pkcs1_v15_encrypt mbedtls_rsa_rsaes_pkcs1_v15_encrypt
-#define rsa_rsassa_pkcs1_v15_sign mbedtls_rsa_rsassa_pkcs1_v15_sign
-#define rsa_rsassa_pkcs1_v15_verify mbedtls_rsa_rsassa_pkcs1_v15_verify
-#define rsa_rsassa_pss_sign mbedtls_rsa_rsassa_pss_sign
-#define rsa_rsassa_pss_verify mbedtls_rsa_rsassa_pss_verify
-#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
-#define rsa_self_test mbedtls_rsa_self_test
-#define rsa_set_padding mbedtls_rsa_set_padding
-#define safer_memcmp mbedtls_ssl_safer_memcmp
-#define set_alarm mbedtls_set_alarm
-#define sha1 mbedtls_sha1
-#define sha1_context mbedtls_sha1_context
-#define sha1_finish mbedtls_sha1_finish
-#define sha1_free mbedtls_sha1_free
-#define sha1_info mbedtls_sha1_info
-#define sha1_init mbedtls_sha1_init
-#define sha1_process mbedtls_sha1_process
-#define sha1_self_test mbedtls_sha1_self_test
-#define sha1_starts mbedtls_sha1_starts
-#define sha1_update mbedtls_sha1_update
-#define sha224_info mbedtls_sha224_info
-#define sha256 mbedtls_sha256
-#define sha256_context mbedtls_sha256_context
-#define sha256_finish mbedtls_sha256_finish
-#define sha256_free mbedtls_sha256_free
-#define sha256_info mbedtls_sha256_info
-#define sha256_init mbedtls_sha256_init
-#define sha256_process mbedtls_sha256_process
-#define sha256_self_test mbedtls_sha256_self_test
-#define sha256_starts mbedtls_sha256_starts
-#define sha256_update mbedtls_sha256_update
-#define sha384_info mbedtls_sha384_info
-#define sha512 mbedtls_sha512
-#define sha512_context mbedtls_sha512_context
-#define sha512_finish mbedtls_sha512_finish
-#define sha512_free mbedtls_sha512_free
-#define sha512_info mbedtls_sha512_info
-#define sha512_init mbedtls_sha512_init
-#define sha512_process mbedtls_sha512_process
-#define sha512_self_test mbedtls_sha512_self_test
-#define sha512_starts mbedtls_sha512_starts
-#define sha512_update mbedtls_sha512_update
-#define source_state mbedtls_entropy_source_state
-#define ssl_cache_context mbedtls_ssl_cache_context
-#define ssl_cache_entry mbedtls_ssl_cache_entry
-#define ssl_cache_free mbedtls_ssl_cache_free
-#define ssl_cache_get mbedtls_ssl_cache_get
-#define ssl_cache_init mbedtls_ssl_cache_init
-#define ssl_cache_set mbedtls_ssl_cache_set
-#define ssl_cache_set_max_entries mbedtls_ssl_cache_set_max_entries
-#define ssl_cache_set_timeout mbedtls_ssl_cache_set_timeout
-#define ssl_check_cert_usage mbedtls_ssl_check_cert_usage
-#define ssl_ciphersuite_from_id mbedtls_ssl_ciphersuite_from_id
-#define ssl_ciphersuite_from_string mbedtls_ssl_ciphersuite_from_string
-#define ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
-#define ssl_ciphersuite_uses_ec mbedtls_ssl_ciphersuite_uses_ec
-#define ssl_ciphersuite_uses_psk mbedtls_ssl_ciphersuite_uses_psk
-#define ssl_close_notify mbedtls_ssl_close_notify
-#define ssl_context mbedtls_ssl_context
-#define ssl_cookie_check mbedtls_ssl_cookie_check
-#define ssl_cookie_check_t mbedtls_ssl_cookie_check_t
-#define ssl_cookie_ctx mbedtls_ssl_cookie_ctx
-#define ssl_cookie_free mbedtls_ssl_cookie_free
-#define ssl_cookie_init mbedtls_ssl_cookie_init
-#define ssl_cookie_set_timeout mbedtls_ssl_cookie_set_timeout
-#define ssl_cookie_setup mbedtls_ssl_cookie_setup
-#define ssl_cookie_write mbedtls_ssl_cookie_write
-#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
-#define ssl_derive_keys mbedtls_ssl_derive_keys
-#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
-#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
-#define ssl_fetch_input mbedtls_ssl_fetch_input
-#define ssl_flight_item mbedtls_ssl_flight_item
-#define ssl_flush_output mbedtls_ssl_flush_output
-#define ssl_free mbedtls_ssl_free
-#define ssl_get_alpn_protocol mbedtls_ssl_get_alpn_protocol
-#define ssl_get_bytes_avail mbedtls_ssl_get_bytes_avail
-#define ssl_get_ciphersuite mbedtls_ssl_get_ciphersuite
-#define ssl_get_ciphersuite_id mbedtls_ssl_get_ciphersuite_id
-#define ssl_get_ciphersuite_name mbedtls_ssl_get_ciphersuite_name
-#define ssl_get_ciphersuite_sig_pk_alg mbedtls_ssl_get_ciphersuite_sig_pk_alg
-#define ssl_get_peer_cert mbedtls_ssl_get_peer_cert
-#define ssl_get_record_expansion mbedtls_ssl_get_record_expansion
-#define ssl_get_session mbedtls_ssl_get_session
-#define ssl_get_verify_result mbedtls_ssl_get_verify_result
-#define ssl_get_version mbedtls_ssl_get_version
-#define ssl_handshake mbedtls_ssl_handshake
-#define ssl_handshake_client_step mbedtls_ssl_handshake_client_step
-#define ssl_handshake_free mbedtls_ssl_handshake_free
-#define ssl_handshake_params mbedtls_ssl_handshake_params
-#define ssl_handshake_server_step mbedtls_ssl_handshake_server_step
-#define ssl_handshake_step mbedtls_ssl_handshake_step
-#define ssl_handshake_wrapup mbedtls_ssl_handshake_wrapup
-#define ssl_hdr_len mbedtls_ssl_hdr_len
-#define ssl_hs_hdr_len mbedtls_ssl_hs_hdr_len
-#define ssl_hw_record_activate mbedtls_ssl_hw_record_activate
-#define ssl_hw_record_finish mbedtls_ssl_hw_record_finish
-#define ssl_hw_record_init mbedtls_ssl_hw_record_init
-#define ssl_hw_record_read mbedtls_ssl_hw_record_read
-#define ssl_hw_record_reset mbedtls_ssl_hw_record_reset
-#define ssl_hw_record_write mbedtls_ssl_hw_record_write
-#define ssl_init mbedtls_ssl_init
-#define ssl_key_cert mbedtls_ssl_key_cert
-#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
-#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
-#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
-#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
-#define ssl_own_cert mbedtls_ssl_own_cert
-#define ssl_own_key mbedtls_ssl_own_key
-#define ssl_parse_certificate mbedtls_ssl_parse_certificate
-#define ssl_parse_change_cipher_spec mbedtls_ssl_parse_change_cipher_spec
-#define ssl_parse_finished mbedtls_ssl_parse_finished
-#define ssl_pk_alg_from_sig mbedtls_ssl_pk_alg_from_sig
-#define ssl_pkcs11_decrypt mbedtls_ssl_pkcs11_decrypt
-#define ssl_pkcs11_key_len mbedtls_ssl_pkcs11_key_len
-#define ssl_pkcs11_sign mbedtls_ssl_pkcs11_sign
-#define ssl_psk_derive_premaster mbedtls_ssl_psk_derive_premaster
-#define ssl_read mbedtls_ssl_read
-#define ssl_read_record mbedtls_ssl_read_record
-#define ssl_read_version mbedtls_ssl_read_version
-#define ssl_recv_flight_completed mbedtls_ssl_recv_flight_completed
-#define ssl_renegotiate mbedtls_ssl_renegotiate
-#define ssl_resend mbedtls_ssl_resend
-#define ssl_reset_checksum mbedtls_ssl_reset_checksum
-#define ssl_send_alert_message mbedtls_ssl_send_alert_message
-#define ssl_send_fatal_handshake_failure mbedtls_ssl_send_fatal_handshake_failure
-#define ssl_send_flight_completed mbedtls_ssl_send_flight_completed
-#define ssl_session mbedtls_ssl_session
-#define ssl_session_free mbedtls_ssl_session_free
-#define ssl_session_init mbedtls_ssl_session_init
-#define ssl_session_reset mbedtls_ssl_session_reset
-#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
-#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
-#define ssl_set_authmode mbedtls_ssl_conf_authmode
-#define ssl_set_bio mbedtls_ssl_set_bio
-#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
-#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
-#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
-#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
-#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
-#define ssl_set_curves mbedtls_ssl_conf_curves
-#define ssl_set_dbg mbedtls_ssl_conf_dbg
-#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
-#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
-#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
-#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
-#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
-#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
-#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
-#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
-#define ssl_set_fallback mbedtls_ssl_conf_fallback
-#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
-#define ssl_set_hostname mbedtls_ssl_set_hostname
-#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
-#define ssl_set_max_version mbedtls_ssl_conf_max_version
-#define ssl_set_min_version mbedtls_ssl_conf_min_version
-#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
-#define ssl_set_psk mbedtls_ssl_conf_psk
-#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
-#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
-#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
-#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
-#define ssl_set_rng mbedtls_ssl_conf_rng
-#define ssl_set_session mbedtls_ssl_set_session
-#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
-#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
-#define ssl_set_sni mbedtls_ssl_conf_sni
-#define ssl_set_transport mbedtls_ssl_conf_transport
-#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
-#define ssl_set_verify mbedtls_ssl_conf_verify
-#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
-#define ssl_states mbedtls_ssl_states
-#define ssl_transform mbedtls_ssl_transform
-#define ssl_transform_free mbedtls_ssl_transform_free
-#define ssl_write mbedtls_ssl_write
-#define ssl_write_certificate mbedtls_ssl_write_certificate
-#define ssl_write_change_cipher_spec mbedtls_ssl_write_change_cipher_spec
-#define ssl_write_finished mbedtls_ssl_write_finished
-#define ssl_write_record mbedtls_ssl_write_record
-#define ssl_write_version mbedtls_ssl_write_version
-#define supported_ciphers mbedtls_cipher_supported
-#define t_sint mbedtls_mpi_sint
-#define t_udbl mbedtls_t_udbl
-#define t_uint mbedtls_mpi_uint
-#define test_ca_crt mbedtls_test_ca_crt
-#define test_ca_crt_ec mbedtls_test_ca_crt_ec
-#define test_ca_crt_rsa mbedtls_test_ca_crt_rsa
-#define test_ca_key mbedtls_test_ca_key
-#define test_ca_key_ec mbedtls_test_ca_key_ec
-#define test_ca_key_rsa mbedtls_test_ca_key_rsa
-#define test_ca_list mbedtls_test_cas_pem
-#define test_ca_pwd mbedtls_test_ca_pwd
-#define test_ca_pwd_ec mbedtls_test_ca_pwd_ec
-#define test_ca_pwd_rsa mbedtls_test_ca_pwd_rsa
-#define test_cli_crt mbedtls_test_cli_crt
-#define test_cli_crt_ec mbedtls_test_cli_crt_ec
-#define test_cli_crt_rsa mbedtls_test_cli_crt_rsa
-#define test_cli_key mbedtls_test_cli_key
-#define test_cli_key_ec mbedtls_test_cli_key_ec
-#define test_cli_key_rsa mbedtls_test_cli_key_rsa
-#define test_srv_crt mbedtls_test_srv_crt
-#define test_srv_crt_ec mbedtls_test_srv_crt_ec
-#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
-#define test_srv_key mbedtls_test_srv_key
-#define test_srv_key_ec mbedtls_test_srv_key_ec
-#define test_srv_key_rsa mbedtls_test_srv_key_rsa
-#define threading_mutex_t mbedtls_threading_mutex_t
-#define threading_set_alt mbedtls_threading_set_alt
-#define timing_self_test mbedtls_timing_self_test
-#define version_check_feature mbedtls_version_check_feature
-#define version_get_number mbedtls_version_get_number
-#define version_get_string mbedtls_version_get_string
-#define version_get_string_full mbedtls_version_get_string_full
-#define x509_bitstring mbedtls_x509_bitstring
-#define x509_buf mbedtls_x509_buf
-#define x509_crl mbedtls_x509_crl
-#define x509_crl_entry mbedtls_x509_crl_entry
-#define x509_crl_free mbedtls_x509_crl_free
-#define x509_crl_info mbedtls_x509_crl_info
-#define x509_crl_init mbedtls_x509_crl_init
-#define x509_crl_parse mbedtls_x509_crl_parse
-#define x509_crl_parse_der mbedtls_x509_crl_parse_der
-#define x509_crl_parse_file mbedtls_x509_crl_parse_file
-#define x509_crt mbedtls_x509_crt
-#define x509_crt_check_extended_key_usage mbedtls_x509_crt_check_extended_key_usage
-#define x509_crt_check_key_usage mbedtls_x509_crt_check_key_usage
-#define x509_crt_free mbedtls_x509_crt_free
-#define x509_crt_info mbedtls_x509_crt_info
-#define x509_crt_init mbedtls_x509_crt_init
-#define x509_crt_parse mbedtls_x509_crt_parse
-#define x509_crt_parse_der mbedtls_x509_crt_parse_der
-#define x509_crt_parse_file mbedtls_x509_crt_parse_file
-#define x509_crt_parse_path mbedtls_x509_crt_parse_path
-#define x509_crt_revoked mbedtls_x509_crt_is_revoked
-#define x509_crt_verify mbedtls_x509_crt_verify
-#define x509_csr mbedtls_x509_csr
-#define x509_csr_free mbedtls_x509_csr_free
-#define x509_csr_info mbedtls_x509_csr_info
-#define x509_csr_init mbedtls_x509_csr_init
-#define x509_csr_parse mbedtls_x509_csr_parse
-#define x509_csr_parse_der mbedtls_x509_csr_parse_der
-#define x509_csr_parse_file mbedtls_x509_csr_parse_file
-#define x509_dn_gets mbedtls_x509_dn_gets
-#define x509_get_alg mbedtls_x509_get_alg
-#define x509_get_alg_null mbedtls_x509_get_alg_null
-#define x509_get_ext mbedtls_x509_get_ext
-#define x509_get_name mbedtls_x509_get_name
-#define x509_get_rsassa_pss_params mbedtls_x509_get_rsassa_pss_params
-#define x509_get_serial mbedtls_x509_get_serial
-#define x509_get_sig mbedtls_x509_get_sig
-#define x509_get_sig_alg mbedtls_x509_get_sig_alg
-#define x509_get_time mbedtls_x509_get_time
-#define x509_key_size_helper mbedtls_x509_key_size_helper
-#define x509_name mbedtls_x509_name
-#define x509_self_test mbedtls_x509_self_test
-#define x509_sequence mbedtls_x509_sequence
-#define x509_serial_gets mbedtls_x509_serial_gets
-#define x509_set_extension mbedtls_x509_set_extension
-#define x509_sig_alg_gets mbedtls_x509_sig_alg_gets
-#define x509_string_to_names mbedtls_x509_string_to_names
-#define x509_time mbedtls_x509_time
-#define x509_time_expired mbedtls_x509_time_is_past
-#define x509_time_future mbedtls_x509_time_is_future
-#define x509_write_extensions mbedtls_x509_write_extensions
-#define x509_write_names mbedtls_x509_write_names
-#define x509_write_sig mbedtls_x509_write_sig
-#define x509write_cert mbedtls_x509write_cert
-#define x509write_crt_der mbedtls_x509write_crt_der
-#define x509write_crt_free mbedtls_x509write_crt_free
-#define x509write_crt_init mbedtls_x509write_crt_init
-#define x509write_crt_pem mbedtls_x509write_crt_pem
-#define x509write_crt_set_authority_key_identifier \
-    mbedtls_x509write_crt_set_authority_key_identifier
-#define x509write_crt_set_basic_constraints mbedtls_x509write_crt_set_basic_constraints
-#define x509write_crt_set_extension mbedtls_x509write_crt_set_extension
-#define x509write_crt_set_issuer_key mbedtls_x509write_crt_set_issuer_key
-#define x509write_crt_set_issuer_name mbedtls_x509write_crt_set_issuer_name
-#define x509write_crt_set_key_usage mbedtls_x509write_crt_set_key_usage
-#define x509write_crt_set_md_alg mbedtls_x509write_crt_set_md_alg
-#define x509write_crt_set_ns_cert_type mbedtls_x509write_crt_set_ns_cert_type
-#define x509write_crt_set_serial mbedtls_x509write_crt_set_serial
-#define x509write_crt_set_subject_key mbedtls_x509write_crt_set_subject_key
-#define x509write_crt_set_subject_key_identifier mbedtls_x509write_crt_set_subject_key_identifier
-#define x509write_crt_set_subject_name mbedtls_x509write_crt_set_subject_name
-#define x509write_crt_set_validity mbedtls_x509write_crt_set_validity
-#define x509write_crt_set_version mbedtls_x509write_crt_set_version
-#define x509write_csr mbedtls_x509write_csr
-#define x509write_csr_der mbedtls_x509write_csr_der
-#define x509write_csr_free mbedtls_x509write_csr_free
-#define x509write_csr_init mbedtls_x509write_csr_init
-#define x509write_csr_pem mbedtls_x509write_csr_pem
-#define x509write_csr_set_extension mbedtls_x509write_csr_set_extension
-#define x509write_csr_set_key mbedtls_x509write_csr_set_key
-#define x509write_csr_set_key_usage mbedtls_x509write_csr_set_key_usage
-#define x509write_csr_set_md_alg mbedtls_x509write_csr_set_md_alg
-#define x509write_csr_set_ns_cert_type mbedtls_x509write_csr_set_ns_cert_type
-#define x509write_csr_set_subject_name mbedtls_x509write_csr_set_subject_name
-#define xtea_context mbedtls_xtea_context
-#define xtea_crypt_cbc mbedtls_xtea_crypt_cbc
-#define xtea_crypt_ecb mbedtls_xtea_crypt_ecb
-#define xtea_free mbedtls_xtea_free
-#define xtea_init mbedtls_xtea_init
-#define xtea_self_test mbedtls_xtea_self_test
-#define xtea_setup mbedtls_xtea_setup
-
-#endif /* compat-1.3.h */
-#endif /* MBEDTLS_DEPRECATED_REMOVED */

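--- a/thirdparty/mbedtls/include/mbedtls/compat-2.x.h
+++ b/thirdparty/mbedtls/include/mbedtls/compat-2.x.h
@@ -0,0 +1,46 @@
+/**
+ * \file compat-2.x.h
+ *
+ * \brief Compatibility definitions
+ *
+ * \deprecated Use the new names directly instead
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Including compat-2.x.h is deprecated"
+#endif
+
+#ifndef MBEDTLS_COMPAT2X_H
+#define MBEDTLS_COMPAT2X_H
+
+/*
+ * Macros for renamed functions
+ */
+#define mbedtls_ctr_drbg_update_ret   mbedtls_ctr_drbg_update
+#define mbedtls_hmac_drbg_update_ret  mbedtls_hmac_drbg_update
+#define mbedtls_md5_starts_ret        mbedtls_md5_starts
+#define mbedtls_md5_update_ret        mbedtls_md5_update
+#define mbedtls_md5_finish_ret        mbedtls_md5_finish
+#define mbedtls_md5_ret               mbedtls_md5
+#define mbedtls_ripemd160_starts_ret  mbedtls_ripemd160_starts
+#define mbedtls_ripemd160_update_ret  mbedtls_ripemd160_update
+#define mbedtls_ripemd160_finish_ret  mbedtls_ripemd160_finish
+#define mbedtls_ripemd160_ret         mbedtls_ripemd160
+#define mbedtls_sha1_starts_ret       mbedtls_sha1_starts
+#define mbedtls_sha1_update_ret       mbedtls_sha1_update
+#define mbedtls_sha1_finish_ret       mbedtls_sha1_finish
+#define mbedtls_sha1_ret              mbedtls_sha1
+#define mbedtls_sha256_starts_ret     mbedtls_sha256_starts
+#define mbedtls_sha256_update_ret     mbedtls_sha256_update
+#define mbedtls_sha256_finish_ret     mbedtls_sha256_finish
+#define mbedtls_sha256_ret            mbedtls_sha256
+#define mbedtls_sha512_starts_ret     mbedtls_sha512_starts
+#define mbedtls_sha512_update_ret     mbedtls_sha512_update
+#define mbedtls_sha512_finish_ret     mbedtls_sha512_finish
+#define mbedtls_sha512_ret            mbedtls_sha512
+
+#endif /* MBEDTLS_COMPAT2X_H */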

+ 535 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_crypto.h

@@ -0,0 +1,535 @@
+/**
+ * \file mbedtls/config_adjust_legacy_crypto.h
+ * \brief Adjust legacy configuration configuration
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
+ * configurations need to be explicitly enabled by the user: enabling
+ * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
+ * compilation error. However, we do automatically enable certain options
+ * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
+ * used to identify parts of a module that are used by other module, and we
+ * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
+ * Another case is if A didn't depend on B in earlier versions, and we
+ * want to use B in A but we need to preserve backward compatibility with
+ * configurations that explicitly activate MBEDTLS_xxx_A but not
+ * MBEDTLS_xxx_B.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
+#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+/* Ideally, we'd set those as defaults in mbedtls_config.h, but
+ * putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py.
+ *
+ * So, adjust it here.
+ * Not related to crypto, but this is the bottom of the stack. */
+#if defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER <= 1900)
+#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if !defined(MBEDTLS_PLATFORM_VSNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_VSNPRINTF_ALT
+#endif
+#endif /* _MINGW32__ || (_MSC_VER && (_MSC_VER <= 1900)) */
+
+/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT
+ * is defined as well to include all PSA code.
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#define MBEDTLS_PSA_CRYPTO_CLIENT
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
+ * in PSA. */
+#if defined(MBEDTLS_PSA_CRYPTO_C) && \
+    (defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC))
+#define MBEDTLS_CIPHER_C
+#endif
+
+/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
+ * This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
+ */
+#if defined(MBEDTLS_MD_C)
+#define MBEDTLS_MD_LIGHT
+#endif
+
+/* Auto-enable MBEDTLS_MD_LIGHT if needed by a module that didn't require it
+ * in a previous release, to ensure backwards compatibility.
+ */
+#if defined(MBEDTLS_ECJPAKE_C) || \
+    defined(MBEDTLS_PEM_PARSE_C) || \
+    defined(MBEDTLS_ENTROPY_C) || \
+    defined(MBEDTLS_PK_C) || \
+    defined(MBEDTLS_PKCS12_C) || \
+    defined(MBEDTLS_RSA_C) || \
+    defined(MBEDTLS_SSL_TLS_C) || \
+    defined(MBEDTLS_X509_USE_C) || \
+    defined(MBEDTLS_X509_CREATE_C)
+#define MBEDTLS_MD_LIGHT
+#endif
+
+#if defined(MBEDTLS_MD_LIGHT)
+/*
+ * - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
+ * - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
+ *   (see below).
+ * - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
+ *   via PSA (see below).
+ * - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
+ *   via a direct legacy call (see below).
+ *
+ * The md module performs an algorithm via PSA if there is a PSA hash
+ * accelerator and the PSA driver subsytem is initialized at the time the
+ * operation is started, and makes a direct legacy call otherwise.
+ */
+
+/* PSA accelerated implementations */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
+#define MBEDTLS_MD_CAN_MD5
+#define MBEDTLS_MD_MD5_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
+#define MBEDTLS_MD_CAN_SHA1
+#define MBEDTLS_MD_SHA1_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
+#define MBEDTLS_MD_CAN_SHA224
+#define MBEDTLS_MD_SHA224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
+#define MBEDTLS_MD_CAN_SHA256
+#define MBEDTLS_MD_SHA256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
+#define MBEDTLS_MD_CAN_SHA384
+#define MBEDTLS_MD_SHA384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
+#define MBEDTLS_MD_CAN_SHA512
+#define MBEDTLS_MD_SHA512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
+#define MBEDTLS_MD_CAN_RIPEMD160
+#define MBEDTLS_MD_RIPEMD160_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
+#define MBEDTLS_MD_CAN_SHA3_224
+#define MBEDTLS_MD_SHA3_224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
+#define MBEDTLS_MD_CAN_SHA3_256
+#define MBEDTLS_MD_SHA3_256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
+#define MBEDTLS_MD_CAN_SHA3_384
+#define MBEDTLS_MD_SHA3_384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
+#define MBEDTLS_MD_CAN_SHA3_512
+#define MBEDTLS_MD_SHA3_512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+
+#elif defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+#if defined(PSA_WANT_ALG_MD5)
+#define MBEDTLS_MD_CAN_MD5
+#define MBEDTLS_MD_MD5_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA_1)
+#define MBEDTLS_MD_CAN_SHA1
+#define MBEDTLS_MD_SHA1_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA_224)
+#define MBEDTLS_MD_CAN_SHA224
+#define MBEDTLS_MD_SHA224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA_256)
+#define MBEDTLS_MD_CAN_SHA256
+#define MBEDTLS_MD_SHA256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA_384)
+#define MBEDTLS_MD_CAN_SHA384
+#define MBEDTLS_MD_SHA384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA_512)
+#define MBEDTLS_MD_CAN_SHA512
+#define MBEDTLS_MD_SHA512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_RIPEMD160)
+#define MBEDTLS_MD_CAN_RIPEMD160
+#define MBEDTLS_MD_RIPEMD160_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA3_224)
+#define MBEDTLS_MD_CAN_SHA3_224
+#define MBEDTLS_MD_SHA3_224_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA3_256)
+#define MBEDTLS_MD_CAN_SHA3_256
+#define MBEDTLS_MD_SHA3_256_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA3_384)
+#define MBEDTLS_MD_CAN_SHA3_384
+#define MBEDTLS_MD_SHA3_384_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+#if defined(PSA_WANT_ALG_SHA3_512)
+#define MBEDTLS_MD_CAN_SHA3_512
+#define MBEDTLS_MD_SHA3_512_VIA_PSA
+#define MBEDTLS_MD_SOME_PSA
+#endif
+
+#endif /* !MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C */
+
+/* Built-in implementations */
+#if defined(MBEDTLS_MD5_C)
+#define MBEDTLS_MD_CAN_MD5
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_MD_CAN_SHA1
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA224_C)
+#define MBEDTLS_MD_CAN_SHA224
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_MD_CAN_SHA256
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA384_C)
+#define MBEDTLS_MD_CAN_SHA384
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_CAN_SHA512
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_SHA3_C)
+#define MBEDTLS_MD_CAN_SHA3_224
+#define MBEDTLS_MD_CAN_SHA3_256
+#define MBEDTLS_MD_CAN_SHA3_384
+#define MBEDTLS_MD_CAN_SHA3_512
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+#define MBEDTLS_MD_CAN_RIPEMD160
+#define MBEDTLS_MD_SOME_LEGACY
+#endif
+
+#endif /* MBEDTLS_MD_LIGHT */
+
+/* BLOCK_CIPHER module can dispatch to PSA when:
+ * - PSA is enabled and drivers have been initialized
+ * - desired key type is supported on the PSA side
+ * If the above conditions are not met, but the legacy support is enabled, then
+ * BLOCK_CIPHER will dynamically fallback to it.
+ *
+ * In case BLOCK_CIPHER is defined (see below) the following symbols/helpers
+ * can be used to define its capabilities:
+ * - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES,
+ *   ARIA and Camellia which is supported through a driver;
+ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_PSA: xxx key type is supported through a
+ *   driver;
+ * - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through
+ *   a legacy module (i.e. MBEDTLS_xxx_C)
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
+#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
+#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
+#endif
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY
+#endif
+#if defined(MBEDTLS_ARIA_C)
+#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY
+#endif
+#if defined(MBEDTLS_CAMELLIA_C)
+#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY
+#endif
+
+/* Helpers to state that BLOCK_CIPHER module supports AES, ARIA and/or Camellia
+ * block ciphers via either PSA or legacy. */
+#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA) || \
+    defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_AES
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA) || \
+    defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_ARIA
+#endif
+#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA) || \
+    defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY)
+#define MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA
+#endif
+
+/* GCM_C and CCM_C can either depend on (in order of preference) BLOCK_CIPHER_C
+ * or CIPHER_C. The former is auto-enabled when:
+ * - CIPHER_C is not defined, which is also the legacy solution;
+ * - BLOCK_CIPHER_SOME_PSA because in this case BLOCK_CIPHER can take advantage
+ *   of the driver's acceleration.
+ */
+#if (defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)) && \
+    (!defined(MBEDTLS_CIPHER_C) || defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA))
+#define MBEDTLS_BLOCK_CIPHER_C
+#endif
+
+/* Helpers for GCM/CCM capabilities */
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_AES_C)) || \
+    (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_AES))
+#define MBEDTLS_CCM_GCM_CAN_AES
+#endif
+
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_ARIA_C)) || \
+    (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_ARIA))
+#define MBEDTLS_CCM_GCM_CAN_ARIA
+#endif
+
+#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_CAMELLIA_C)) || \
+    (defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA))
+#define MBEDTLS_CCM_GCM_CAN_CAMELLIA
+#endif
+
+/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
+ * - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
+ *   for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
+ *   some reason, then MBEDTLS_ECP_LIGHT should be enabled as well.
+ * - MBEDTLS_PK_PARSE_EC_EXTENDED and MBEDTLS_PK_PARSE_EC_COMPRESSED because
+ *   these features are not supported in PSA so the only way to have them is
+ *   to enable the built-in solution.
+ *   Both of them are temporary dependencies:
+ *   - PK_PARSE_EC_EXTENDED will be removed after #7779 and #7789
+ *   - support for compressed points should also be added to PSA, but in this
+ *     case there is no associated issue to track it yet.
+ * - PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE because Weierstrass key derivation
+ *   still depends on ECP_LIGHT.
+ * - PK_C + USE_PSA + PSA_WANT_ALG_ECDSA is a temporary dependency which will
+ *   be fixed by #7453.
+ */
+#if defined(MBEDTLS_ECP_C) || \
+    defined(MBEDTLS_PK_PARSE_EC_EXTENDED) || \
+    defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_ECP_LIGHT
+#endif
+
+/* Backward compatibility: after #8740 the RSA module offers functions to parse
+ * and write RSA private/public keys without relying on the PK one. Of course
+ * this needs ASN1 support to do so, so we enable it here. */
+#if defined(MBEDTLS_RSA_C)
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif
+
+/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
+ * in previous version compressed points were automatically supported as long
+ * as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
+ * compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
+ * are met. */
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PK_PARSE_EC_COMPRESSED
+#endif
+
+/* Helper symbol to state that there is support for ECDH, either through
+ * library implementation (ECDH_C) or through PSA. */
+#if (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_ECDH)) || \
+    (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C))
+#define MBEDTLS_CAN_ECDH
+#endif
+
+/* PK module can achieve ECDSA functionalities by means of either software
+ * implementations (ECDSA_C) or through a PSA driver. The following defines
+ * are meant to list these capabilities in a general way which abstracts how
+ * they are implemented under the hood. */
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
+#define MBEDTLS_PK_CAN_ECDSA_VERIFY
+#endif /* MBEDTLS_ECDSA_C */
+#else /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(PSA_WANT_ALG_ECDSA)
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#define MBEDTLS_PK_CAN_ECDSA_VERIFY
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+#endif /* PSA_WANT_ALG_ECDSA */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) || defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
+#define MBEDTLS_PK_CAN_ECDSA_SOME
+#endif
+
+/* Helpers to state that each key is supported either on the builtin or PSA side. */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
+#define MBEDTLS_ECP_HAVE_SECP521R1
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define MBEDTLS_ECP_HAVE_BP512R1
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define MBEDTLS_ECP_HAVE_CURVE448
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define MBEDTLS_ECP_HAVE_BP384R1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
+#define MBEDTLS_ECP_HAVE_SECP384R1
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define MBEDTLS_ECP_HAVE_BP256R1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
+#define MBEDTLS_ECP_HAVE_SECP256K1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
+#define MBEDTLS_ECP_HAVE_SECP256R1
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define MBEDTLS_ECP_HAVE_CURVE25519
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
+#define MBEDTLS_ECP_HAVE_SECP224K1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
+#define MBEDTLS_ECP_HAVE_SECP224R1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
+#define MBEDTLS_ECP_HAVE_SECP192K1
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
+#define MBEDTLS_ECP_HAVE_SECP192R1
+#endif
+
+/* Helper symbol to state that the PK module has support for EC keys. This
+ * can either be provided through the legacy ECP solution or through the
+ * PSA friendly MBEDTLS_PK_USE_PSA_EC_DATA (see pk.h for its description). */
+#if defined(MBEDTLS_ECP_C) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
+#define MBEDTLS_PK_HAVE_ECC_KEYS
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
+
+/* Historically pkparse did not check the CBC padding when decrypting
+ * a key. This was a bug, which is now fixed. As a consequence, pkparse
+ * now needs PKCS7 padding support, but existing configurations might not
+ * enable it, so we enable it here. */
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+
+/* Backwards compatibility for some macros which were renamed to reflect that
+ * they are related to Armv8, not aarch64. */
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
+    !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
+#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
+#endif
+#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
+#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
+#endif
+
+/* psa_util file features some ECDSA conversion functions, to convert between
+ * legacy's ASN.1 DER format and PSA's raw one. */
+#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
+    (defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
+#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
+#endif
+
+/* Some internal helpers to determine which keys are available. */
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
+#define MBEDTLS_SSL_HAVE_AES
+#endif
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
+#define MBEDTLS_SSL_HAVE_ARIA
+#endif
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
+#define MBEDTLS_SSL_HAVE_CAMELLIA
+#endif
+
+/* Some internal helpers to determine which operation modes are available. */
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
+#define MBEDTLS_SSL_HAVE_CBC
+#endif
+
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
+#define MBEDTLS_SSL_HAVE_GCM
+#endif
+
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CCM_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
+#define MBEDTLS_SSL_HAVE_CCM
+#endif
+
+#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CHACHAPOLY_C)) || \
+    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
+#define MBEDTLS_SSL_HAVE_CHACHAPOLY
+#endif
+
+#if defined(MBEDTLS_SSL_HAVE_GCM) || defined(MBEDTLS_SSL_HAVE_CCM) || \
+    defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
+#define MBEDTLS_SSL_HAVE_AEAD
+#endif
+
+#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */

+ 873 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_legacy_from_psa.h

@@ -0,0 +1,873 @@
+/**
+ * \file mbedtls/config_adjust_legacy_from_psa.h
+ * \brief Adjust PSA configuration: activate legacy implementations
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations
+ * of cryptographic mechanisms as needed to fulfill the needs of the PSA
+ * configuration. Generally speaking, we activate a legacy mechanism if
+ * it's needed for a requested PSA mechanism and there is no PSA driver
+ * for it.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
+#define MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+/* Define appropriate ACCEL macros for the p256-m driver.
+ * In the future, those should be generated from the drivers JSON description.
+ */
+#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
+#define MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256
+#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
+#define MBEDTLS_PSA_ACCEL_ALG_ECDH
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+#define MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+#endif
+
+/*
+ * ECC: support for a feature is controlled by a triplet or a pair:
+ * (curve, key_type public/basic, alg) or (curve, key_type_<action>).
+ *
+ * A triplet/pair is accelerated if all of is components are accelerated;
+ * otherwise each component needs to be built in.
+ *
+ * We proceed in two passes:
+ * 1. Check if acceleration is complete for curves, key types, algs.
+ * 2. Then enable built-ins for each thing that's either not accelerated of
+ * doesn't have complete acceleration of the other triplet/pair components.
+ *
+ * Note: this needs psa/crypto_adjust_keypair_types.h to have been included
+ * already, so that we know the full set of key types that are requested.
+ */
+
+/* ECC: curves: is acceleration complete? */
+#if (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \
+    !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)) || \
+    (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \
+    !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)) || \
+    (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \
+    !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)) || \
+    (defined(PSA_WANT_ECC_SECP_R1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)) || \
+    (defined(PSA_WANT_ECC_SECP_R1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)) || \
+    (defined(PSA_WANT_ECC_SECP_R1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)) || \
+    (defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \
+    (defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \
+    (defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \
+    (defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
+#endif
+
+#if (defined(PSA_WANT_ECC_MONTGOMERY_255) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)) || \
+    (defined(PSA_WANT_ECC_MONTGOMERY_448) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
+#endif
+
+/* ECC: algs: is acceleration complete? */
+#if (defined(PSA_WANT_ALG_ECDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)) || \
+    (defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)) || \
+    (defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)) || \
+    (defined(PSA_WANT_ALG_JPAKE) && !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
+#endif
+
+/* ECC: key types: is acceleration complete? */
+#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
+#endif
+
+/* Special case: we don't support cooked key derivation in drivers yet */
+#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+#endif
+
+/* Note: the condition about key derivation is always true as DERIVE can't be
+ * accelerated yet */
+#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) || \
+    (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE))
+#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
+#endif
+
+/* ECC: curves: enable built-ins as needed.
+ *
+ * We need the curve built-in:
+ * - if it's not accelerated, or
+ * - if there's a key type with missing acceleration, or
+ * - if there's a alg with missing acceleration.
+ */
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
+
+#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_255)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
+
+#if defined(PSA_WANT_ECC_MONTGOMERY_448)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_192)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_192 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_224)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_224 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_256 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_384)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_384 */
+
+#if defined(PSA_WANT_ECC_SECP_R1_521)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_R1_521 */
+
+#if defined(PSA_WANT_ECC_SECP_K1_192)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_K1_192 */
+
+#if defined(PSA_WANT_ECC_SECP_K1_256)
+#if !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif /* missing accel */
+#endif /* PSA_WANT_ECC_SECP_K1_256 */
+
+/* ECC: algs: enable built-ins as needed.
+ *
+ * We need the alg built-in:
+ * - if it's not accelerated, or
+ * - if there's a relevant curve (see below) with missing acceleration, or
+ * - if there's a key type among (public, basic) with missing acceleration.
+ *
+ * Relevant curves are:
+ * - all curves for ECDH
+ * - Weierstrass curves for (deterministic) ECDSA
+ * - secp256r1 for EC J-PAKE
+ */
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
+
+#if defined(PSA_WANT_ALG_ECDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_ECDH */
+
+#if defined(PSA_WANT_ALG_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_ECDSA */
+
+#if defined(PSA_WANT_ALG_JPAKE)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE) || \
+    !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC)
+#define MBEDTLS_PSA_BUILTIN_PAKE 1
+#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECJPAKE_C
+#endif /* missing accel */
+#endif /* PSA_WANT_ALG_JPAKE */
+
+/* ECC: key types: enable built-ins as needed.
+ *
+ * We need the key type built-in:
+ * - if it's not accelerated, or
+ * - if there's a curve with missing acceleration, or
+ * - only for public/basic: if there's an alg with missing acceleration.
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+#endif /* missing accel */
+#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
+
+/* Note: the condition is always true as DERIVE can't be accelerated yet */
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
+    defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+#endif /* missing accel */
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
+#define MBEDTLS_ECP_LIGHT
+#define MBEDTLS_BIGNUM_C
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
+    defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
+#define MBEDTLS_ECP_C
+#define MBEDTLS_BIGNUM_C
+#endif
+
+/* End of ECC section */
+
+/*
+ * DH key types follow the same pattern used above for EC keys. They are defined
+ * by a triplet (group, key_type, alg). A triplet is accelerated if all its
+ * component are accelerated, otherwise each component needs to be builtin.
+ */
+
+/* DH: groups: is acceleration complete? */
+#if (defined(PSA_WANT_DH_RFC7919_2048) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)) || \
+    (defined(PSA_WANT_DH_RFC7919_3072) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)) || \
+    (defined(PSA_WANT_DH_RFC7919_4096) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)) || \
+    (defined(PSA_WANT_DH_RFC7919_6144) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)) || \
+    (defined(PSA_WANT_DH_RFC7919_8192) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192))
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS
+#endif
+
+/* DH: algs: is acceleration complete? */
+#if defined(PSA_WANT_ALG_FFDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS
+#endif
+
+/* DH: key types: is acceleration complete? */
+#if (defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)) || \
+    (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)) || \
+    (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)) || \
+    (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)) || \
+    (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) && \
+    !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE))
+#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES
+#endif
+
+#if defined(PSA_WANT_DH_RFC7919_2048)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
+#endif /* PSA_WANT_DH_RFC7919_2048 */
+
+#if defined(PSA_WANT_DH_RFC7919_3072)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
+#endif /* PSA_WANT_DH_RFC7919_3072 */
+
+#if defined(PSA_WANT_DH_RFC7919_4096)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
+#endif /* PSA_WANT_DH_RFC7919_4096 */
+
+#if defined(PSA_WANT_DH_RFC7919_6144)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
+#endif /* PSA_WANT_DH_RFC7919_6144 */
+
+#if defined(PSA_WANT_DH_RFC7919_8192)
+#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
+#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
+#endif /* PSA_WANT_DH_RFC7919_8192 */
+
+#if defined(PSA_WANT_ALG_FFDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
+#endif /* PSA_WANT_ALG_FFDH */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
+    defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
+
+/* End of DH section */
+
+#if defined(PSA_WANT_ALG_HKDF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
+#endif /* PSA_WANT_ALG_HKDF */
+
+#if defined(PSA_WANT_ALG_HKDF_EXTRACT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
+#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
+
+#if defined(PSA_WANT_ALG_HKDF_EXPAND)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)
+/*
+ * The PSA implementation has its own implementation of HKDF, separate from
+ * hkdf.c. No need to enable MBEDTLS_HKDF_C here.
+ */
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
+#endif /* PSA_WANT_ALG_HKDF_EXPAND */
+
+#if defined(PSA_WANT_ALG_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* PSA_WANT_ALG_HMAC */
+
+#if defined(PSA_WANT_ALG_MD5) && !defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
+#define MBEDTLS_MD5_C
+#endif
+
+#if defined(PSA_WANT_ALG_RIPEMD160) && !defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
+#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
+#define MBEDTLS_RIPEMD160_C
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP */
+#endif /* PSA_WANT_ALG_RSA_OAEP */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_CRYPT */
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V15
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN */
+#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
+
+#if defined(PSA_WANT_ALG_RSA_PSS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA_PSS)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS1_V21
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA_PSS */
+#endif /* PSA_WANT_ALG_RSA_PSS */
+
+#if defined(PSA_WANT_ALG_SHA_1) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
+#define MBEDTLS_SHA1_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
+#define MBEDTLS_SHA224_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
+#define MBEDTLS_SHA384_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
+#define MBEDTLS_SHA512_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_224) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_256) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_384) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_SHA3_512) && !defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1
+#define MBEDTLS_SHA3_C
+#endif
+
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
+#define PSA_HAVE_SOFT_PBKDF2_HMAC 1
+#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+
+#if defined(PSA_WANT_ALG_TLS12_PRF)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF */
+#endif /* PSA_WANT_ALG_TLS12_PRF */
+
+#if defined(PSA_WANT_ALG_TLS12_PSK_TO_MS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS */
+#endif /* PSA_WANT_ALG_TLS12_PSK_TO_MS */
+
+#if defined(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_TLS12_ECJPAKE_TO_PMS */
+#endif /* PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+#define MBEDTLS_GENPRIME
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
+
+#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define MBEDTLS_RSA_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */
+
+/* If any of the block modes are requested that don't have an
+ * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking
+ * in the block cipher key types. */
+#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
+    (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
+    (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
+    (defined(PSA_WANT_ALG_ECB_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)) || \
+    (defined(PSA_WANT_ALG_CBC_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
+    (defined(PSA_WANT_ALG_CBC_PKCS7) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \
+    (defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC))
+#define PSA_HAVE_SOFT_BLOCK_MODE 1
+#endif
+
+#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 1
+#define PSA_HAVE_SOFT_PBKDF2_CMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128 */
+#endif /* PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 */
+
+#if defined(PSA_WANT_KEY_TYPE_AES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
+#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
+#define MBEDTLS_AES_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_AES */
+
+#if defined(PSA_WANT_KEY_TYPE_ARIA)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
+#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
+#define MBEDTLS_ARIA_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_ARIA */
+
+#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
+#define MBEDTLS_CAMELLIA_C
+#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */
+
+#if defined(PSA_WANT_KEY_TYPE_DES)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES)
+#define PSA_HAVE_SOFT_KEY_TYPE_DES 1
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+    defined(PSA_HAVE_SOFT_BLOCK_MODE)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
+#define MBEDTLS_DES_C
+#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
+#endif /* PSA_WANT_KEY_TYPE_DES */
+
+#if defined(PSA_WANT_ALG_STREAM_CIPHER)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif /* MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER */
+#endif /* PSA_WANT_ALG_STREAM_CIPHER */
+
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) || \
+    defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+#define MBEDTLS_CHACHA20_C
+#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+
+/* If any of the software block ciphers are selected, define
+ * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these
+ * situations. */
+#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
+#endif
+
+#if defined(PSA_WANT_ALG_CMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
+#define MBEDTLS_CMAC_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */
+#endif /* PSA_WANT_ALG_CMAC */
+
+#if defined(PSA_HAVE_SOFT_PBKDF2_HMAC) || \
+    defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
+#define PSA_HAVE_SOFT_PBKDF2 1
+#endif /* PSA_HAVE_SOFT_PBKDF2_HMAC || PSA_HAVE_SOFT_PBKDF2_CMAC */
+
+#if defined(PSA_WANT_ALG_CTR)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
+#define MBEDTLS_CIPHER_MODE_CTR
+#endif
+#endif /* PSA_WANT_ALG_CTR */
+
+#if defined(PSA_WANT_ALG_CFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
+#define MBEDTLS_CIPHER_MODE_CFB
+#endif
+#endif /* PSA_WANT_ALG_CFB */
+
+#if defined(PSA_WANT_ALG_OFB)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
+#define MBEDTLS_CIPHER_MODE_OFB
+#endif
+#endif /* PSA_WANT_ALG_OFB */
+
+#if defined(PSA_WANT_ALG_ECB_NO_PADDING) &&     \
+    !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
+#endif
+
+#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
+#endif
+#endif /* PSA_WANT_ALG_CBC_NO_PADDING */
+
+#if defined(PSA_WANT_ALG_CBC_PKCS7)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \
+    defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#endif /* PSA_WANT_ALG_CBC_PKCS7 */
+
+#if defined(PSA_WANT_ALG_CCM)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
+#define MBEDTLS_CCM_C
+#endif
+#endif /* PSA_WANT_ALG_CCM */
+
+#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
+#define MBEDTLS_CCM_C
+#endif
+#endif /* PSA_WANT_ALG_CCM_STAR_NO_TAG */
+
+#if defined(PSA_WANT_ALG_GCM)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+    defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
+#define MBEDTLS_GCM_C
+#endif
+#endif /* PSA_WANT_ALG_GCM */
+
+#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305)
+#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
+#define MBEDTLS_CHACHAPOLY_C
+#define MBEDTLS_CHACHA20_C
+#define MBEDTLS_POLY1305_C
+#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
+#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_CHACHA20_POLY1305 */
+#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */
+
+#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H */

+ 359 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_psa_from_legacy.h

@@ -0,0 +1,359 @@
+/**
+ * \file mbedtls/config_adjust_psa_from_legacy.h
+ * \brief Adjust PSA configuration: construct PSA configuration from legacy
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable
+ * cryptographic mechanisms through the PSA interface when the corresponding
+ * legacy mechanism is enabled. In many cases, this just enables the PSA
+ * wrapper code around the legacy implementation, but we also do this for
+ * some mechanisms where PSA has its own independent implementation so
+ * that high-level modules that can use either cryptographic API have the
+ * same feature set in both cases.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
+#define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+/*
+ * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
+ * is not defined
+ */
+
+#if defined(MBEDTLS_CCM_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
+#define PSA_WANT_ALG_CCM 1
+#if defined(MBEDTLS_CIPHER_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
+#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
+#endif /* MBEDTLS_CIPHER_C */
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CMAC_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
+#define PSA_WANT_ALG_CMAC 1
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
+#define PSA_WANT_ALG_ECDH 1
+#endif /* MBEDTLS_ECDH_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define PSA_WANT_ALG_ECDSA 1
+#define PSA_WANT_ALG_ECDSA_ANY 1
+
+// Only add in DETERMINISTIC support if ECDSA is also enabled
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+/* Normally we wouldn't enable this because it's not implemented in ecp.c,
+ * but since it used to be available any time ECP_C was enabled, let's enable
+ * it anyway for the sake of backwards compatibility */
+#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
+/* See comment for PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE above. */
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_DHM_C)
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
+#define PSA_WANT_ALG_FFDH 1
+#define PSA_WANT_DH_RFC7919_2048 1
+#define PSA_WANT_DH_RFC7919_3072 1
+#define PSA_WANT_DH_RFC7919_4096 1
+#define PSA_WANT_DH_RFC7919_6144 1
+#define PSA_WANT_DH_RFC7919_8192 1
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
+#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_GCM_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
+#define PSA_WANT_ALG_GCM 1
+#endif /* MBEDTLS_GCM_C */
+
+/* Enable PSA HKDF algorithm if mbedtls HKDF is supported.
+ * PSA HKDF EXTRACT and PSA HKDF EXPAND have minimal cost when
+ * PSA HKDF is enabled, so enable both algorithms together
+ * with PSA HKDF. */
+#if defined(MBEDTLS_HKDF_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define PSA_WANT_ALG_HMAC 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
+#define PSA_WANT_ALG_HKDF 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
+#define PSA_WANT_ALG_HKDF_EXPAND 1
+#endif /* MBEDTLS_HKDF_C */
+
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#define PSA_WANT_ALG_HMAC 1
+#define PSA_WANT_KEY_TYPE_HMAC 1
+
+#if defined(MBEDTLS_MD_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
+#define PSA_WANT_ALG_TLS12_PRF 1
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS 1
+#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_MD5_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_MD5 1
+#define PSA_WANT_ALG_MD5 1
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C)
+#define MBEDTLS_PSA_BUILTIN_PAKE 1
+#define MBEDTLS_PSA_BUILTIN_ALG_JPAKE 1
+#define PSA_WANT_ALG_JPAKE 1
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_RIPEMD160 1
+#define PSA_WANT_ALG_RIPEMD160 1
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_PKCS1_V15)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW 1
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
+#define PSA_WANT_ALG_RSA_OAEP 1
+#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS 1
+#define PSA_WANT_ALG_RSA_PSS 1
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_GENPRIME)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
+#endif /* MBEDTLS_GENPRIME */
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
+#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_1 1
+#define PSA_WANT_ALG_SHA_1 1
+#endif
+
+#if defined(MBEDTLS_SHA224_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_224 1
+#define PSA_WANT_ALG_SHA_224 1
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_256 1
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
+#if defined(MBEDTLS_SHA384_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_384 1
+#define PSA_WANT_ALG_SHA_384 1
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA_512 1
+#define PSA_WANT_ALG_SHA_512 1
+#endif
+
+#if defined(MBEDTLS_SHA3_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_224 1
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_256 1
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_384 1
+#define MBEDTLS_PSA_BUILTIN_ALG_SHA3_512 1
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#define PSA_WANT_KEY_TYPE_AES 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#define PSA_WANT_KEY_TYPE_ARIA 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#define PSA_WANT_KEY_TYPE_CAMELLIA 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#define PSA_WANT_KEY_TYPE_DES 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1
+#endif
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA_256)
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS 1
+#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#define PSA_WANT_KEY_TYPE_CHACHA20 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
+/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */
+#if defined(MBEDTLS_CIPHER_C)
+#define PSA_WANT_ALG_STREAM_CIPHER 1
+#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
+#endif
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#define PSA_WANT_ALG_CHACHA20_POLY1305 1
+#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
+#endif
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1
+#define PSA_WANT_ALG_CBC_PKCS7 1
+#endif
+#endif
+
+#if (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
+    defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)) && \
+    defined(MBEDTLS_CIPHER_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1
+#define PSA_WANT_ALG_CFB 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1
+#define PSA_WANT_ALG_CTR 1
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1
+#define PSA_WANT_ALG_OFB 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_256 1
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_384 1
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_BRAINPOOL_P_R1_512 1
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_255 1
+#define PSA_WANT_ECC_MONTGOMERY_255 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_MONTGOMERY_448 1
+#define PSA_WANT_ECC_MONTGOMERY_448 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_192 1
+#define PSA_WANT_ECC_SECP_R1_192 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_224 1
+#define PSA_WANT_ECC_SECP_R1_224 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_256 1
+#define PSA_WANT_ECC_SECP_R1_256 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_384 1
+#define PSA_WANT_ECC_SECP_R1_384 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_R1_521 1
+#define PSA_WANT_ECC_SECP_R1_521 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_192 1
+#define PSA_WANT_ECC_SECP_K1_192 1
+#endif
+
+/* SECP224K1 is buggy via the PSA API (https://github.com/Mbed-TLS/mbedtls/issues/3541) */
+#if 0 && defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_224 1
+#define PSA_WANT_ECC_SECP_K1_224 1
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_PSA_BUILTIN_ECC_SECP_K1_256 1
+#define PSA_WANT_ECC_SECP_K1_256 1
+#endif
+
+#endif /* MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H */

+ 145 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_psa_superset_legacy.h

@@ -0,0 +1,145 @@
+/**
+ * \file mbedtls/config_adjust_psa_superset_legacy.h
+ * \brief Adjust PSA configuration: automatic enablement from legacy
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * To simplify some edge cases, we automatically enable certain cryptographic
+ * mechanisms in the PSA API if they are enabled in the legacy API. The general
+ * idea is that if legacy module M uses mechanism A internally, and A has
+ * both a legacy and a PSA implementation, we enable A through PSA whenever
+ * it's enabled through legacy. This facilitates the transition to PSA
+ * implementations of A for users of M.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
+#define MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+/****************************************************************/
+/* Hashes that are built in are also enabled in PSA.
+ * This simplifies dependency declarations especially
+ * for modules that obey MBEDTLS_USE_PSA_CRYPTO. */
+/****************************************************************/
+
+#if defined(MBEDTLS_MD5_C)
+#define PSA_WANT_ALG_MD5 1
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#define PSA_WANT_ALG_RIPEMD160 1
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#define PSA_WANT_ALG_SHA_1 1
+#endif
+
+#if defined(MBEDTLS_SHA224_C)
+#define PSA_WANT_ALG_SHA_224 1
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#define PSA_WANT_ALG_SHA_256 1
+#endif
+
+#if defined(MBEDTLS_SHA384_C)
+#define PSA_WANT_ALG_SHA_384 1
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#define PSA_WANT_ALG_SHA_512 1
+#endif
+
+#if defined(MBEDTLS_SHA3_C)
+#define PSA_WANT_ALG_SHA3_224 1
+#define PSA_WANT_ALG_SHA3_256 1
+#define PSA_WANT_ALG_SHA3_384 1
+#define PSA_WANT_ALG_SHA3_512 1
+#endif
+
+/* Ensure that the PSA's supported curves (PSA_WANT_ECC_xxx) are always a
+ * superset of the builtin ones (MBEDTLS_ECP_DP_xxx). */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_256 */
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_384 */
+#endif /*MBEDTLS_ECP_DP_BP384R1_ENABLED  */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#if !defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
+#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1
+#endif /* PSA_WANT_ECC_BRAINPOOL_P_R1_512 */
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if !defined(PSA_WANT_ECC_MONTGOMERY_255)
+#define PSA_WANT_ECC_MONTGOMERY_255 1
+#endif /* PSA_WANT_ECC_MONTGOMERY_255 */
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#if !defined(PSA_WANT_ECC_MONTGOMERY_448)
+#define PSA_WANT_ECC_MONTGOMERY_448 1
+#endif /* PSA_WANT_ECC_MONTGOMERY_448 */
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_192)
+#define PSA_WANT_ECC_SECP_R1_192 1
+#endif /* PSA_WANT_ECC_SECP_R1_192 */
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_224)
+#define PSA_WANT_ECC_SECP_R1_224 1
+#endif /* PSA_WANT_ECC_SECP_R1_224 */
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_256)
+#define PSA_WANT_ECC_SECP_R1_256 1
+#endif /* PSA_WANT_ECC_SECP_R1_256 */
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_384)
+#define PSA_WANT_ECC_SECP_R1_384 1
+#endif /* PSA_WANT_ECC_SECP_R1_384 */
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_R1_521)
+#define PSA_WANT_ECC_SECP_R1_521 1
+#endif /* PSA_WANT_ECC_SECP_R1_521 */
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_K1_192)
+#define PSA_WANT_ECC_SECP_K1_192 1
+#endif /* PSA_WANT_ECC_SECP_K1_192 */
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#if !defined(PSA_WANT_ECC_SECP_K1_256)
+#define PSA_WANT_ECC_SECP_K1_256 1
+#endif /* PSA_WANT_ECC_SECP_K1_256 */
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#endif /* MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H */

+ 91 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_ssl.h

@@ -0,0 +1,91 @@
+/**
+ * \file mbedtls/config_adjust_ssl.h
+ * \brief Adjust TLS configuration
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
+ * configurations need to be explicitly enabled by the user: enabling
+ * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
+ * compilation error. However, we do automatically enable certain options
+ * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
+ * used to identify parts of a module that are used by other module, and we
+ * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
+ * Another case is if A didn't depend on B in earlier versions, and we
+ * want to use B in A but we need to preserve backward compatibility with
+ * configurations that explicitly activate MBEDTLS_xxx_A but not
+ * MBEDTLS_xxx_B.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_SSL_H
+#define MBEDTLS_CONFIG_ADJUST_SSL_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+/* The following blocks make it easier to disable all of TLS,
+ * or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
+ * key exchanges, options and extensions related to them. */
+
+#if !defined(MBEDTLS_SSL_TLS_C)
+#undef MBEDTLS_SSL_CLI_C
+#undef MBEDTLS_SSL_SRV_C
+#undef MBEDTLS_SSL_PROTO_TLS1_3
+#undef MBEDTLS_SSL_PROTO_TLS1_2
+#undef MBEDTLS_SSL_PROTO_DTLS
+#endif
+
+#if !(defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS))
+#undef MBEDTLS_SSL_TICKET_C
+#endif
+
+#if !defined(MBEDTLS_SSL_PROTO_DTLS)
+#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#undef MBEDTLS_SSL_DTLS_SRTP
+#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#endif
+
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#undef MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#undef MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#undef MBEDTLS_SSL_RENEGOTIATION
+#undef MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+#endif
+
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+#undef MBEDTLS_SSL_EARLY_DATA
+#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
+#define MBEDTLS_SSL_TLS1_2_SOME_ECC
+#endif
+
+#endif /* MBEDTLS_CONFIG_ADJUST_SSL_H */

+ 35 - 0
thirdparty/mbedtls/include/mbedtls/config_adjust_x509.h

@@ -0,0 +1,35 @@
+/**
+ * \file mbedtls/config_adjust_x509.h
+ * \brief Adjust X.509 configuration
+ *
+ * This is an internal header. Do not include it directly.
+ *
+ * Automatically enable certain dependencies. Generally, MBEDTLS_xxx
+ * configurations need to be explicitly enabled by the user: enabling
+ * MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
+ * compilation error. However, we do automatically enable certain options
+ * in some circumstances. One case is if MBEDTLS_xxx_B is an internal option
+ * used to identify parts of a module that are used by other module, and we
+ * don't want to make the symbol MBEDTLS_xxx_B part of the public API.
+ * Another case is if A didn't depend on B in earlier versions, and we
+ * want to use B in A but we need to preserve backward compatibility with
+ * configurations that explicitly activate MBEDTLS_xxx_A but not
+ * MBEDTLS_xxx_B.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_ADJUST_X509_H
+#define MBEDTLS_CONFIG_ADJUST_X509_H
+
+#if !defined(MBEDTLS_CONFIG_FILES_READ)
+#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
+    "up to and including runtime errors such as buffer overflows. " \
+    "If you're trying to fix a complaint from check_config.h, just remove " \
+    "it from your configuration file: since Mbed TLS 3.0, it is included " \
+    "automatically at the right point."
+#endif /* */
+
+#endif /* MBEDTLS_CONFIG_ADJUST_X509_H */

+ 61 - 0
thirdparty/mbedtls/include/mbedtls/config_psa.h

@@ -0,0 +1,61 @@
+/**
+ * \file mbedtls/config_psa.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ *  This set of compile-time options takes settings defined in
+ *  include/mbedtls/mbedtls_config.h and include/psa/crypto_config.h and uses
+ *  those definitions to define symbols used in the library code.
+ *
+ *  Users and integrators should not edit this file, please edit
+ *  include/mbedtls/mbedtls_config.h for MBEDTLS_XXX settings or
+ *  include/psa/crypto_config.h for PSA_WANT_XXX settings.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_CONFIG_PSA_H
+#define MBEDTLS_CONFIG_PSA_H
+
+#include "psa/crypto_legacy.h"
+
+#include "psa/crypto_adjust_config_synonyms.h"
+
+#include "psa/crypto_adjust_config_dependencies.h"
+
+#include "mbedtls/config_adjust_psa_superset_legacy.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+
+/* Require built-in implementations based on PSA requirements */
+
+/* We need this to have a complete list of requirements
+ * before we deduce what built-ins are required. */
+#include "psa/crypto_adjust_config_key_pair_types.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/* If we are implementing PSA crypto ourselves, then we want to enable the
+ * required built-ins. Otherwise, PSA features will be provided by the server. */
+#include "mbedtls/config_adjust_legacy_from_psa.h"
+#endif
+
+#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+/* Infer PSA requirements from Mbed TLS capabilities */
+
+#include "mbedtls/config_adjust_psa_from_legacy.h"
+
+/* Hopefully the file above will have enabled keypair symbols in a consistent
+ * way, but including this here fixes them if that wasn't the case. */
+#include "psa/crypto_adjust_config_key_pair_types.h"
+
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+#if defined(PSA_WANT_ALG_JPAKE)
+#define PSA_WANT_ALG_SOME_PAKE 1
+#endif
+
+#include "psa/crypto_adjust_auto_enabled.h"
+
+#endif /* MBEDTLS_CONFIG_PSA_H */

+ 10 - 7
thirdparty/mbedtls/include/mbedtls/constant_time.h

@@ -1,6 +1,7 @@
 /**
  *  Constant-time functions
- *
+ */
+/*
  *  Copyright The Mbed TLS Contributors
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
@@ -10,20 +11,22 @@
 
 #include <stddef.h>
 
-
 /** Constant-time buffer comparison without branches.
  *
  * This is equivalent to the standard memcmp function, but is likely to be
- * compiled to code using bitwise operation rather than a branch.
+ * compiled to code using bitwise operations rather than a branch, such that
+ * the time taken is constant w.r.t. the data pointed to by \p a and \p b,
+ * and w.r.t. whether \p a and \p b are equal or not. It is not constant-time
+ * w.r.t. \p n .
  *
  * This function can be used to write constant-time code by replacing branches
  * with bit operations using masks.
  *
- * \param a     Pointer to the first buffer.
- * \param b     Pointer to the second buffer.
- * \param n     The number of bytes to compare in the buffer.
+ * \param a     Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
+ * \param b     Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
+ * \param n     The number of bytes to compare.
  *
- * \return      Zero if the content of the two buffer is the same,
+ * \return      Zero if the contents of the two buffers are the same,
  *              otherwise non-zero.
  */
 int mbedtls_ct_memcmp(const void *a,

+ 70 - 71
thirdparty/mbedtls/include/mbedtls/ctr_drbg.h

@@ -16,7 +16,7 @@
  * The security strength as defined in NIST SP 800-90A is
  * 128 bits when AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
  * and 256 bits otherwise, provided that #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
- * kept at its default value (and not overridden in config.h) and that the
+ * kept at its default value (and not overridden in mbedtls_config.h) and that the
  * DRBG instance is set up with default parameters.
  * See the documentation of mbedtls_ctr_drbg_seed() for more
  * information.
@@ -28,14 +28,34 @@
 
 #ifndef MBEDTLS_CTR_DRBG_H
 #define MBEDTLS_CTR_DRBG_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
+#include "mbedtls/build_info.h"
+
+/* The CTR_DRBG implementation can either directly call the low-level AES
+ * module (gated by MBEDTLS_AES_C) or call the PSA API to perform AES
+ * operations. Calling the AES module directly is the default, both for
+ * maximum backward compatibility and because it's a bit more efficient
+ * (less glue code).
+ *
+ * When MBEDTLS_AES_C is disabled, the CTR_DRBG module calls PSA crypto and
+ * thus benefits from the PSA AES accelerator driver.
+ * It is technically possible to enable MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
+ * to use PSA even when MBEDTLS_AES_C is enabled, but there is very little
+ * reason to do so other than testing purposes and this is not officially
+ * supported.
+ */
+#if !defined(MBEDTLS_AES_C)
+#define MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
 #endif
 
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#else
 #include "mbedtls/aes.h"
+#endif
+
+#include "entropy.h"
 
 #if defined(MBEDTLS_THREADING_C)
 #include "mbedtls/threading.h"
@@ -75,7 +95,7 @@
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them using the compiler command
+ * Either change them in mbedtls_config.h or define them using the compiler command
  * line.
  * \{
  */
@@ -85,17 +105,14 @@
  * \brief The amount of entropy used per seed by default, in bytes.
  */
 #if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
-#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-/** This is 48 bytes because the entropy module uses SHA-512
- * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+/** This is 48 bytes because the entropy module uses SHA-512.
  */
 #define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
 
-#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
 
-/** This is 32 bytes because the entropy module uses SHA-256
- * (the SHA512 module is disabled or
- * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
+/** This is 32 bytes because the entropy module uses SHA-256.
  */
 #if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
 /** \warning To achieve a 256-bit security strength, you must pass a nonce
@@ -103,7 +120,7 @@
  */
 #endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
 #define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
-#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
 #endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
 
 #if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
@@ -155,40 +172,51 @@ extern "C" {
 #define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2
 #endif
 
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
+typedef struct mbedtls_ctr_drbg_psa_context {
+    mbedtls_svc_key_id_t key_id;
+    psa_cipher_operation_t operation;
+} mbedtls_ctr_drbg_psa_context;
+#endif
+
 /**
  * \brief          The CTR_DRBG context structure.
  */
 typedef struct mbedtls_ctr_drbg_context {
-    unsigned char counter[16];  /*!< The counter (V). */
-    int reseed_counter;         /*!< The reseed counter.
-                                 * This is the number of requests that have
-                                 * been made since the last (re)seeding,
-                                 * minus one.
-                                 * Before the initial seeding, this field
-                                 * contains the amount of entropy in bytes
-                                 * to use as a nonce for the initial seeding,
-                                 * or -1 if no nonce length has been explicitly
-                                 * set (see mbedtls_ctr_drbg_set_nonce_len()).
-                                 */
-    int prediction_resistance;  /*!< This determines whether prediction
-                                     resistance is enabled, that is
-                                     whether to systematically reseed before
-                                     each random generation. */
-    size_t entropy_len;         /*!< The amount of entropy grabbed on each
-                                     seed or reseed operation, in bytes. */
-    int reseed_interval;        /*!< The reseed interval.
-                                 * This is the maximum number of requests
-                                 * that can be made between reseedings. */
-
-    mbedtls_aes_context aes_ctx;        /*!< The AES context. */
+    unsigned char MBEDTLS_PRIVATE(counter)[16];  /*!< The counter (V). */
+    int MBEDTLS_PRIVATE(reseed_counter);         /*!< The reseed counter.
+                                                  * This is the number of requests that have
+                                                  * been made since the last (re)seeding,
+                                                  * minus one.
+                                                  * Before the initial seeding, this field
+                                                  * contains the amount of entropy in bytes
+                                                  * to use as a nonce for the initial seeding,
+                                                  * or -1 if no nonce length has been explicitly
+                                                  * set (see mbedtls_ctr_drbg_set_nonce_len()).
+                                                  */
+    int MBEDTLS_PRIVATE(prediction_resistance);  /*!< This determines whether prediction
+                                                    resistance is enabled, that is
+                                                    whether to systematically reseed before
+                                                    each random generation. */
+    size_t MBEDTLS_PRIVATE(entropy_len);         /*!< The amount of entropy grabbed on each
+                                                    seed or reseed operation, in bytes. */
+    int MBEDTLS_PRIVATE(reseed_interval);        /*!< The reseed interval.
+                                                  * This is the maximum number of requests
+                                                  * that can be made between reseedings. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
+    mbedtls_ctr_drbg_psa_context MBEDTLS_PRIVATE(psa_ctx); /*!< The PSA context. */
+#else
+    mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx);        /*!< The AES context. */
+#endif
 
     /*
      * Callbacks (Entropy)
      */
-    int (*f_entropy)(void *, unsigned char *, size_t);
+    int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t);
     /*!< The entropy callback function. */
 
-    void *p_entropy;            /*!< The context for the entropy function. */
+    void *MBEDTLS_PRIVATE(p_entropy);            /*!< The context for the entropy function. */
 
 #if defined(MBEDTLS_THREADING_C)
     /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
@@ -198,7 +226,7 @@ typedef struct mbedtls_ctr_drbg_context {
      * Note that this invariant may change without notice. Do not rely on it
      * and do not access the mutex directly in application code.
      */
-    mbedtls_threading_mutex_t mutex;
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
 #endif
 }
 mbedtls_ctr_drbg_context;
@@ -453,9 +481,9 @@ int mbedtls_ctr_drbg_reseed(mbedtls_ctr_drbg_context *ctx,
  *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
  * \return             An error from the underlying AES cipher on failure.
  */
-int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
-                                const unsigned char *additional,
-                                size_t add_len);
+int mbedtls_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx,
+                            const unsigned char *additional,
+                            size_t add_len);
 
 /**
  * \brief   This function updates a CTR_DRBG instance with additional
@@ -519,35 +547,6 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
 int mbedtls_ctr_drbg_random(void *p_rng,
                             unsigned char *output, size_t output_len);
 
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief              This function updates the state of the CTR_DRBG context.
- *
- * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
- *                     in 2.16.0.
- *
- * \note               If \p add_len is greater than
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
- *                     The remaining Bytes are silently discarded.
- *
- * \param ctx          The CTR_DRBG context.
- * \param additional   The data to update the state with.
- * \param add_len      Length of \p additional data.
- */
-MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
-    mbedtls_ctr_drbg_context *ctx,
-    const unsigned char *additional,
-    size_t add_len);
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.

+ 16 - 160
thirdparty/mbedtls/include/mbedtls/debug.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_DEBUG_H
 #define MBEDTLS_DEBUG_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ssl.h"
 
@@ -47,9 +43,13 @@
 #endif
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 #define MBEDTLS_SSL_DEBUG_CRT(level, text, crt)                \
     mbedtls_debug_print_crt(ssl, level, __FILE__, __LINE__, text, crt)
-#endif
+#else
+#define MBEDTLS_SSL_DEBUG_CRT(level, text, crt)       do { } while (0)
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_ECDH_C)
 #define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr)               \
@@ -119,6 +119,15 @@
 #endif \
     /* defined(__MINGW32__) || (defined(_MSC_VER) && _MSC_VER < 1900) */
 
+#if !defined(MBEDTLS_PRINTF_MS_TIME)
+#include <inttypes.h>
+#if !defined(PRId64)
+#define MBEDTLS_PRINTF_MS_TIME MBEDTLS_PRINTF_LONGLONG
+#else
+#define MBEDTLS_PRINTF_MS_TIME PRId64
+#endif
+#endif /* MBEDTLS_PRINTF_MS_TIME */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -140,161 +149,8 @@ extern "C" {
  */
 void mbedtls_debug_set_threshold(int threshold);
 
-/**
- * \brief    Print a message to the debug output. This function is always used
- *          through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
- *          context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the message has occurred in
- * \param line      line number the message has occurred at
- * \param format    format specifier, in printf format
- * \param ...       variables used by the format specifier
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line,
-                             const char *format, ...) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
-
-/**
- * \brief   Print the return value of a function to the debug output. This
- *          function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
- *          which supplies the ssl context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param text      the name of the function that returned the error
- * \param ret       the return code value
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_ret(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line,
-                             const char *text, int ret);
-
-/**
- * \brief   Output a buffer of size len bytes to the debug output. This function
- *          is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
- *          which supplies the ssl context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param text      a name or label for the buffer being dumped. Normally the
- *                  variable or buffer name
- * \param buf       the buffer to be outputted
- * \param len       length of the buffer
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_buf(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line, const char *text,
-                             const unsigned char *buf, size_t len);
-
-#if defined(MBEDTLS_BIGNUM_C)
-/**
- * \brief   Print a MPI variable to the debug output. This function is always
- *          used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
- *          ssl context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param text      a name or label for the MPI being output. Normally the
- *                  variable name
- * \param X         the MPI variable
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line,
-                             const char *text, const mbedtls_mpi *X);
-#endif
-
-#if defined(MBEDTLS_ECP_C)
-/**
- * \brief   Print an ECP point to the debug output. This function is always
- *          used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
- *          ssl context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param text      a name or label for the ECP point being output. Normally the
- *                  variable name
- * \param X         the ECP point
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line,
-                             const char *text, const mbedtls_ecp_point *X);
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-/**
- * \brief   Print a X.509 certificate structure to the debug output. This
- *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
- *          which supplies the ssl context, file and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param text      a name or label for the certificate being output
- * \param crt       X.509 certificate structure
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_print_crt(const mbedtls_ssl_context *ssl, int level,
-                             const char *file, int line,
-                             const char *text, const mbedtls_x509_crt *crt);
-#endif
-
-#if defined(MBEDTLS_ECDH_C)
-typedef enum {
-    MBEDTLS_DEBUG_ECDH_Q,
-    MBEDTLS_DEBUG_ECDH_QP,
-    MBEDTLS_DEBUG_ECDH_Z,
-} mbedtls_debug_ecdh_attr;
-
-/**
- * \brief   Print a field of the ECDH structure in the SSL context to the debug
- *          output. This function is always used through the
- *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
- *          and line number parameters.
- *
- * \param ssl       SSL context
- * \param level     error level of the debug message
- * \param file      file the error has occurred in
- * \param line      line number the error has occurred in
- * \param ecdh      the ECDH context
- * \param attr      the identifier of the attribute being output
- *
- * \attention       This function is intended for INTERNAL usage within the
- *                  library only.
- */
-void mbedtls_debug_printf_ecdh(const mbedtls_ssl_context *ssl, int level,
-                               const char *file, int line,
-                               const mbedtls_ecdh_context *ecdh,
-                               mbedtls_debug_ecdh_attr attr);
-#endif
-
 #ifdef __cplusplus
 }
 #endif
 
-#endif /* debug.h */
+#endif /* MBEDTLS_DEBUG_H */

+ 4 - 11
thirdparty/mbedtls/include/mbedtls/des.h

@@ -14,12 +14,9 @@
  */
 #ifndef MBEDTLS_DES_H
 #define MBEDTLS_DES_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 #include "mbedtls/platform_util.h"
 
 #include <stddef.h>
@@ -31,10 +28,6 @@
 /** The data input has an invalid length. */
 #define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032
 
-/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** DES hardware accelerator failed. */
-#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033
-
 #define MBEDTLS_DES_KEY_SIZE    8
 
 #ifdef __cplusplus
@@ -53,7 +46,7 @@ extern "C" {
  *                 instead.
  */
 typedef struct mbedtls_des_context {
-    uint32_t sk[32];            /*!<  DES subkeys       */
+    uint32_t MBEDTLS_PRIVATE(sk)[32];            /*!<  DES subkeys       */
 }
 mbedtls_des_context;
 
@@ -65,7 +58,7 @@ mbedtls_des_context;
  *                 instead.
  */
 typedef struct mbedtls_des3_context {
-    uint32_t sk[96];            /*!<  3DES subkeys      */
+    uint32_t MBEDTLS_PRIVATE(sk)[96];            /*!<  3DES subkeys      */
 }
 mbedtls_des3_context;
 

+ 65 - 183
thirdparty/mbedtls/include/mbedtls/dhm.h

@@ -50,12 +50,9 @@
 
 #ifndef MBEDTLS_DHM_H
 #define MBEDTLS_DHM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 #include "mbedtls/bignum.h"
 
 /*
@@ -79,14 +76,19 @@
 #define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400
 /** Read or write of file failed. */
 #define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480
-
-/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** DHM hardware accelerator failed. */
-#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500
-
 /** Setting the modulus and generator failed. */
 #define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580
 
+/** Which parameter to access in mbedtls_dhm_get_value(). */
+typedef enum {
+    MBEDTLS_DHM_PARAM_P,  /*!<  The prime modulus. */
+    MBEDTLS_DHM_PARAM_G,  /*!<  The generator. */
+    MBEDTLS_DHM_PARAM_X,  /*!<  Our secret value. */
+    MBEDTLS_DHM_PARAM_GX, /*!<  Our public key = \c G^X mod \c P. */
+    MBEDTLS_DHM_PARAM_GY, /*!<  The public key of the peer = \c G^Y mod \c P. */
+    MBEDTLS_DHM_PARAM_K,  /*!<  The shared secret = \c G^(XY) mod \c P. */
+} mbedtls_dhm_parameter;
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -97,17 +99,16 @@ extern "C" {
  * \brief          The DHM context structure.
  */
 typedef struct mbedtls_dhm_context {
-    size_t len;         /*!<  The size of \p P in Bytes. */
-    mbedtls_mpi P;      /*!<  The prime modulus. */
-    mbedtls_mpi G;      /*!<  The generator. */
-    mbedtls_mpi X;      /*!<  Our secret value. */
-    mbedtls_mpi GX;     /*!<  Our public key = \c G^X mod \c P. */
-    mbedtls_mpi GY;     /*!<  The public key of the peer = \c G^Y mod \c P. */
-    mbedtls_mpi K;      /*!<  The shared secret = \c G^(XY) mod \c P. */
-    mbedtls_mpi RP;     /*!<  The cached value = \c R^2 mod \c P. */
-    mbedtls_mpi Vi;     /*!<  The blinding value. */
-    mbedtls_mpi Vf;     /*!<  The unblinding value. */
-    mbedtls_mpi pX;     /*!<  The previous \c X. */
+    mbedtls_mpi MBEDTLS_PRIVATE(P);      /*!<  The prime modulus. */
+    mbedtls_mpi MBEDTLS_PRIVATE(G);      /*!<  The generator. */
+    mbedtls_mpi MBEDTLS_PRIVATE(X);      /*!<  Our secret value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(GX);     /*!<  Our public key = \c G^X mod \c P. */
+    mbedtls_mpi MBEDTLS_PRIVATE(GY);     /*!<  The public key of the peer = \c G^Y mod \c P. */
+    mbedtls_mpi MBEDTLS_PRIVATE(K);      /*!<  The shared secret = \c G^(XY) mod \c P. */
+    mbedtls_mpi MBEDTLS_PRIVATE(RP);     /*!<  The cached value = \c R^2 mod \c P. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Vi);     /*!<  The blinding value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Vf);     /*!<  The unblinding value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(pX);     /*!<  The previous \c X. */
 }
 mbedtls_dhm_context;
 
@@ -182,7 +183,7 @@ int mbedtls_dhm_read_params(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_params(mbedtls_dhm_context *ctx, int x_size,
                             unsigned char *output, size_t *olen,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /**
@@ -249,7 +250,7 @@ int mbedtls_dhm_read_public(mbedtls_dhm_context *ctx,
  */
 int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
                             unsigned char *output, size_t olen,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /**
@@ -270,19 +271,55 @@ int mbedtls_dhm_make_public(mbedtls_dhm_context *ctx, int x_size,
  * \param output_size   The size of the destination buffer. This must be at
  *                      least the size of \c ctx->len (the size of \c P).
  * \param olen          On exit, holds the actual number of Bytes written.
- * \param f_rng         The RNG function, for blinding purposes. This may
- *                      b \c NULL if blinding isn't needed.
- * \param p_rng         The RNG context. This may be \c NULL if \p f_rng
- *                      doesn't need a context argument.
+ * \param f_rng         The RNG function. Must not be \c NULL. Used for
+ *                      blinding.
+ * \param p_rng         The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
  *
  * \return              \c 0 on success.
  * \return              An \c MBEDTLS_ERR_DHM_XXX error code on failure.
  */
 int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx,
                             unsigned char *output, size_t output_size, size_t *olen,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
+/**
+ * \brief          This function returns the size of the prime modulus in bits.
+ *
+ * \param ctx      The DHM context to query.
+ *
+ * \return         The size of the prime modulus in bits,
+ *                 i.e. the number n such that 2^(n-1) <= P < 2^n.
+ */
+size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx);
+
+/**
+ * \brief          This function returns the size of the prime modulus in bytes.
+ *
+ * \param ctx      The DHM context to query.
+ *
+ * \return         The size of the prime modulus in bytes,
+ *                 i.e. the number n such that 2^(8*(n-1)) <= P < 2^(8*n).
+ */
+size_t mbedtls_dhm_get_len(const mbedtls_dhm_context *ctx);
+
+/**
+ * \brief          This function copies a parameter of a DHM key.
+ *
+ * \param ctx      The DHM context to query.
+ * \param param    The parameter to copy.
+ * \param dest     The MPI object to copy the value into. It must be
+ *                 initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_DHM_BAD_INPUT_DATA if \p param is invalid.
+ * \return         An \c MBEDTLS_ERR_MPI_XXX error code if the copy fails.
+ */
+int mbedtls_dhm_get_value(const mbedtls_dhm_context *ctx,
+                          mbedtls_dhm_parameter param,
+                          mbedtls_mpi *dest);
+
 /**
  * \brief          This function frees and clears the components
  *                 of a DHM context.
@@ -384,161 +421,6 @@ int mbedtls_dhm_self_test(int verbose);
  *
  */
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-/**
- * \warning The origin of the primes in RFC 5114 is not documented and
- *          their use therefore constitutes a security risk!
- *
- * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
- *             likely to be removed in a future version of the library without
- *             replacement.
- */
-
-/**
- * The hexadecimal presentation of the prime underlying the
- * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
- * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
- * IETF Standards</em>.
- */
-#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
-        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
-        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
-        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
-        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
-        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
-        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
-        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
-        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
-        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
-        "CF9DE5384E71B81C0AC4DFFE0C10E64F")
-
-/**
- * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
- * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
- * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
- */
-#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
-        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
-        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
-        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
-        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
-        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
-        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
-        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
-        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
-        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
-        "81BC087F2A7065B384B890D3191F2BFA")
-
-/**
- * The hexadecimal presentation of the prime underlying the 2048-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- *
- * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
- *             superseded by the corresponding macros providing them as
- *             binary constants. Their hex-encoded constants are likely
- *             to be removed in a future version of the library.
- *
- */
-#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
-        "15728E5A8AACAA68FFFFFFFFFFFFFFFF")
-
-/**
- * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT("02")
-
-/**
- * The hexadecimal presentation of the prime underlying the 3072-bit MODP
- * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
-        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
-        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
-        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
-        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
-        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
-        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF")
-
-/**
- * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT("02")
-
-/**
- * The hexadecimal presentation of the prime underlying the 4096-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
-        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
-        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
-        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
-        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
-        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
-        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
-        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
-        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
-        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
-        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
-        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
-        "FFFFFFFFFFFFFFFF")
-
-/**
- * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT("02")
-
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /*
  * Trustworthy DHM parameters in binary form
  */

+ 72 - 47
thirdparty/mbedtls/include/mbedtls/ecdh.h

@@ -19,15 +19,31 @@
 
 #ifndef MBEDTLS_ECDH_H
 #define MBEDTLS_ECDH_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ecp.h"
 
+/*
+ * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
+ * defined in `ecdh.h`). For most applications, the choice of format makes
+ * no difference, since all library functions can work with either format,
+ * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
+
+ * The new format used when this option is disabled is smaller
+ * (56 bytes on a 32-bit platform). In future versions of the library, it
+ * will support alternative implementations of ECDH operations.
+ * The new format is incompatible with applications that access
+ * context fields directly and with restartable ECP operations.
+ */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+#else
+#undef MBEDTLS_ECDH_LEGACY_CONTEXT
+#endif
+
 #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
 #undef MBEDTLS_ECDH_LEGACY_CONTEXT
 #include "everest/everest.h"
@@ -68,13 +84,13 @@ typedef enum {
  * mbedtls_ecdh_context_mbed.
  */
 typedef struct mbedtls_ecdh_context_mbed {
-    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
-    mbedtls_mpi d;           /*!< The private key. */
-    mbedtls_ecp_point Q;     /*!< The public key. */
-    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
-    mbedtls_mpi z;           /*!< The shared secret. */
+    mbedtls_ecp_group MBEDTLS_PRIVATE(grp);   /*!< The elliptic curve used. */
+    mbedtls_mpi MBEDTLS_PRIVATE(d);           /*!< The private key. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Q);     /*!< The public key. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Qp);    /*!< The value of the public key of the peer. */
+    mbedtls_mpi MBEDTLS_PRIVATE(z);           /*!< The shared secret. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
-    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+    mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
 #endif
 } mbedtls_ecdh_context_mbed;
 #endif
@@ -88,43 +104,56 @@ typedef struct mbedtls_ecdh_context_mbed {
  */
 typedef struct mbedtls_ecdh_context {
 #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
-    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
-    mbedtls_mpi d;           /*!< The private key. */
-    mbedtls_ecp_point Q;     /*!< The public key. */
-    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
-    mbedtls_mpi z;           /*!< The shared secret. */
-    int point_format;        /*!< The format of point export in TLS messages. */
-    mbedtls_ecp_point Vi;    /*!< The blinding value. */
-    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
-    mbedtls_mpi _d;          /*!< The previous \p d. */
+    mbedtls_ecp_group MBEDTLS_PRIVATE(grp);   /*!< The elliptic curve used. */
+    mbedtls_mpi MBEDTLS_PRIVATE(d);           /*!< The private key. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Q);     /*!< The public key. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Qp);    /*!< The value of the public key of the peer. */
+    mbedtls_mpi MBEDTLS_PRIVATE(z);           /*!< The shared secret. */
+    int MBEDTLS_PRIVATE(point_format);        /*!< The format of point export in TLS messages. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Vi);    /*!< The blinding value. */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Vf);    /*!< The unblinding value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(_d);          /*!< The previous \p d. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
-    int restart_enabled;        /*!< The flag for restartable mode. */
-    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+    int MBEDTLS_PRIVATE(restart_enabled);        /*!< The flag for restartable mode. */
+    mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #else
-    uint8_t point_format;       /*!< The format of point export in TLS messages
-                                   as defined in RFC 4492. */
-    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
-    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
+    uint8_t MBEDTLS_PRIVATE(point_format);       /*!< The format of point export in TLS messages
+                                                    as defined in RFC 4492. */
+    mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id);/*!< The elliptic curve used. */
+    mbedtls_ecdh_variant MBEDTLS_PRIVATE(var);   /*!< The ECDH implementation/structure used. */
     union {
-        mbedtls_ecdh_context_mbed   mbed_ecdh;
+        mbedtls_ecdh_context_mbed   MBEDTLS_PRIVATE(mbed_ecdh);
 #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
-        mbedtls_ecdh_context_everest everest_ecdh;
+        mbedtls_ecdh_context_everest MBEDTLS_PRIVATE(everest_ecdh);
 #endif
-    } ctx;                      /*!< Implementation-specific context. The
-                                   context in use is specified by the \c var
-                                   field. */
+    } MBEDTLS_PRIVATE(ctx);                      /*!< Implementation-specific context. The
+                                                    context in use is specified by the \c var
+                                                    field. */
 #if defined(MBEDTLS_ECP_RESTARTABLE)
-    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
-                                   an alternative implementation not supporting
-                                   restartable mode must return
-                                   MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
-                                   if this flag is set. */
+    uint8_t MBEDTLS_PRIVATE(restart_enabled);    /*!< The flag for restartable mode. Functions of
+                                                    an alternative implementation not supporting
+                                                    restartable mode must return
+                                                    MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+                                                    if this flag is set. */
 #endif /* MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
 }
 mbedtls_ecdh_context;
 
+/**
+ * \brief          Return the ECP group for provided context.
+ *
+ * \note           To access group specific fields, users should use
+ *                 `mbedtls_ecp_curve_info_from_grp_id` or
+ *                 `mbedtls_ecp_group_load` on the extracted `group_id`.
+ *
+ * \param ctx      The ECDH context to parse. This must not be \c NULL.
+ *
+ * \return         The \c mbedtls_ecp_group_id of the context.
+ */
+mbedtls_ecp_group_id mbedtls_ecdh_get_grp_id(mbedtls_ecdh_context *ctx);
+
 /**
  * \brief          Check whether a given group can be used for ECDH.
  *
@@ -160,7 +189,7 @@ int mbedtls_ecdh_can_do(mbedtls_ecp_group_id gid);
  *                  \c MBEDTLS_MPI_XXX error code on failure.
  */
 int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /**
@@ -185,10 +214,7 @@ int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_
  *                  This must be initialized.
  * \param d         Our secret exponent (private key).
  *                  This must be initialized.
- * \param f_rng     The RNG function. This may be \c NULL if randomization
- *                  of intermediate results during the ECP computations is
- *                  not needed (discouraged). See the documentation of
- *                  mbedtls_ecp_mul() for more.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
  * \param p_rng     The RNG context to be passed to \p f_rng. This may be
  *                  \c NULL if \p f_rng is \c NULL or doesn't need a
  *                  context argument.
@@ -199,7 +225,7 @@ int mbedtls_ecdh_gen_public(mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_
  */
 int mbedtls_ecdh_compute_shared(mbedtls_ecp_group *grp, mbedtls_mpi *z,
                                 const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
-                                int (*f_rng)(void *, unsigned char *, size_t),
+                                mbedtls_f_rng_t *f_rng,
                                 void *p_rng);
 
 /**
@@ -264,7 +290,7 @@ void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx);
  */
 int mbedtls_ecdh_make_params(mbedtls_ecdh_context *ctx, size_t *olen,
                              unsigned char *buf, size_t blen,
-                             int (*f_rng)(void *, unsigned char *, size_t),
+                             mbedtls_f_rng_t *f_rng,
                              void *p_rng);
 
 /**
@@ -346,7 +372,7 @@ int mbedtls_ecdh_get_params(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_make_public(mbedtls_ecdh_context *ctx, size_t *olen,
                              unsigned char *buf, size_t blen,
-                             int (*f_rng)(void *, unsigned char *, size_t),
+                             mbedtls_f_rng_t *f_rng,
                              void *p_rng);
 
 /**
@@ -391,8 +417,7 @@ int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
  * \param buf       The buffer to write the generated shared key to. This
  *                  must be a writable buffer of size \p blen Bytes.
  * \param blen      The length of the destination buffer \p buf in Bytes.
- * \param f_rng     The RNG function, for blinding purposes. This may
- *                  b \c NULL if blinding isn't needed.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
  * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
  *                  doesn't need a context argument.
  *
@@ -403,7 +428,7 @@ int mbedtls_ecdh_read_public(mbedtls_ecdh_context *ctx,
  */
 int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen,
                              unsigned char *buf, size_t blen,
-                             int (*f_rng)(void *, unsigned char *, size_t),
+                             mbedtls_f_rng_t *f_rng,
                              void *p_rng);
 
 #if defined(MBEDTLS_ECP_RESTARTABLE)

+ 209 - 147
thirdparty/mbedtls/include/mbedtls/ecdsa.h

@@ -17,12 +17,9 @@
 
 #ifndef MBEDTLS_ECDSA_H
 #define MBEDTLS_ECDSA_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ecp.h"
 #include "mbedtls/md.h"
@@ -62,6 +59,11 @@ extern "C" {
  * \warning         Performing multiple operations concurrently on the same
  *                  ECDSA context is not supported; objects of this type
  *                  should not be shared between multiple threads.
+ *
+ * \note            pk_wrap module assumes that "ecdsa_context" is identical
+ *                  to "ecp_keypair" (see for example structure
+ *                  "mbedtls_eckey_info" where ECDSA sign/verify functions
+ *                  are used also for EC key)
  */
 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
 
@@ -94,12 +96,12 @@ typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
  * \brief           General context for resuming ECDSA operations
  */
 typedef struct {
-    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
-                                              shared administrative info    */
-    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
-    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
+    mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(ecp);        /*!<  base context for ECP restart and
+                                                            shared administrative info    */
+    mbedtls_ecdsa_restart_ver_ctx *MBEDTLS_PRIVATE(ver); /*!<  ecdsa_verify() sub-context    */
+    mbedtls_ecdsa_restart_sig_ctx *MBEDTLS_PRIVATE(sig); /*!<  ecdsa_sign() sub-context      */
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
+    mbedtls_ecdsa_restart_det_ctx *MBEDTLS_PRIVATE(det); /*!<  ecdsa_sign_det() sub-context  */
 #endif
 } mbedtls_ecdsa_restart_ctx;
 
@@ -125,7 +127,7 @@ int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
  *                  previously-hashed message.
  *
  * \note            The deterministic version implemented in
- *                  mbedtls_ecdsa_sign_det() is usually preferred.
+ *                  mbedtls_ecdsa_sign_det_ext() is usually preferred.
  *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated
@@ -148,7 +150,8 @@ int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
  *                  buffer of length \p blen Bytes. It may be \c NULL if
  *                  \p blen is zero.
  * \param blen      The length of \p buf in Bytes.
- * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param f_rng     The RNG function, used both to generate the ECDSA nonce
+ *                  and for blinding. This must not be \c NULL.
  * \param p_rng     The RNG context to be passed to \p f_rng. This may be
  *                  \c NULL if \p f_rng doesn't need a context parameter.
  *
@@ -158,70 +161,9 @@ int mbedtls_ecdsa_can_do(mbedtls_ecp_group_id gid);
  */
 int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
                        const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
-                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                       mbedtls_f_rng_t *f_rng, void *p_rng);
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           This function computes the ECDSA signature of a
- *                  previously-hashed message, deterministic version.
- *
- *                  For more information, see <em>RFC-6979: Deterministic
- *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
- *                  Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \note            If the bitlength of the message hash is larger than the
- *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
- *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- *                  4.1.3, step 5.
- *
- * \warning         Since the output of the internal RNG is always the same for
- *                  the same key and message, this limits the efficiency of
- *                  blinding and leaks information through side channels. For
- *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
- *
- *                  (Optimally the blinding is a random value that is different
- *                  on every execution. In this case the blinding is still
- *                  random from the attackers perspective, but is the same on
- *                  each execution. This means that this blinding does not
- *                  prevent attackers from recovering secrets by combining
- *                  several measurement traces, but may prevent some attacks
- *                  that exploit relationships between secret data.)
- *
- * \see             ecp.h
- *
- * \param grp       The context for the elliptic curve to use.
- *                  This must be initialized and have group parameters
- *                  set, for example through mbedtls_ecp_group_load().
- * \param r         The MPI context in which to store the first part
- *                  the signature. This must be initialized.
- * \param s         The MPI context in which to store the second part
- *                  the signature. This must be initialized.
- * \param d         The private signing key. This must be initialized
- *                  and setup, for example through mbedtls_ecp_gen_privkey().
- * \param buf       The hashed content to be signed. This must be a readable
- *                  buffer of length \p blen Bytes. It may be \c NULL if
- *                  \p blen is zero.
- * \param blen      The length of \p buf in Bytes.
- * \param md_alg    The hash algorithm used to hash the original data.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- *                  error code on failure.
- */
-int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r,
-                           mbedtls_mpi *s, const mbedtls_mpi *d,
-                           const unsigned char *buf, size_t blen,
-                           mbedtls_md_type_t md_alg) MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message, deterministic version.
@@ -255,8 +197,8 @@ int mbedtls_ecdsa_sign_det(mbedtls_ecp_group *grp, mbedtls_mpi *r,
  * \param f_rng_blind   The RNG function used for blinding. This must not be
  *                      \c NULL.
  * \param p_rng_blind   The RNG context to be passed to \p f_rng_blind. This
- *                      may be \c NULL if \p f_rng_blind doesn't need
- *                      a context parameter.
+ *                      may be \c NULL if \p f_rng_blind doesn't need a context
+ *                      parameter.
  *
  * \return          \c 0 on success.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
@@ -266,10 +208,140 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
                                mbedtls_mpi *s, const mbedtls_mpi *d,
                                const unsigned char *buf, size_t blen,
                                mbedtls_md_type_t md_alg,
-                               int (*f_rng_blind)(void *, unsigned char *, size_t),
+                               mbedtls_f_rng_t *f_rng_blind,
                                void *p_rng_blind);
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
 
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/**
+ * \brief               This function computes the ECDSA signature of a
+ *                      previously-hashed message, in a restartable way.
+ *
+ * \note                The deterministic version implemented in
+ *                      mbedtls_ecdsa_sign_det_restartable() is usually
+ *                      preferred.
+ *
+ * \note                This function is like \c mbedtls_ecdsa_sign() but
+ *                      it can return early and restart according to the
+ *                      limit set with \c mbedtls_ecp_set_max_ops() to
+ *                      reduce blocking.
+ *
+ * \note                If the bitlength of the message hash is larger
+ *                      than the bitlength of the group order, then the
+ *                      hash is truncated as defined in <em>Standards for
+ *                      Efficient Cryptography Group (SECG): SEC1 Elliptic
+ *                      Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see                 ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through
+ *                      mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param f_rng         The RNG function used to generate the ECDSA nonce.
+ *                      This must not be \c NULL.
+ * \param p_rng         The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx        The restart context to use. This may be \c NULL
+ *                      to disable restarting. If it is not \c NULL, it
+ *                      must point to an initialized restart context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                      operations was reached: see \c
+ *                      mbedtls_ecp_set_max_ops().
+ * \return              Another \c MBEDTLS_ERR_ECP_XXX, \c
+ *                      MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ *                      error code on failure.
+ */
+int mbedtls_ecdsa_sign_restartable(
+    mbedtls_ecp_group *grp,
+    mbedtls_mpi *r, mbedtls_mpi *s,
+    const mbedtls_mpi *d,
+    const unsigned char *buf, size_t blen,
+    mbedtls_f_rng_t *f_rng,
+    void *p_rng,
+    mbedtls_f_rng_t *f_rng_blind,
+    void *p_rng_blind,
+    mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+
+/**
+ * \brief               This function computes the ECDSA signature of a
+ *                      previously-hashed message, in a restartable way.
+ *
+ * \note                This function is like \c
+ *                      mbedtls_ecdsa_sign_det_ext() but it can return
+ *                      early and restart according to the limit set with
+ *                      \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note                If the bitlength of the message hash is larger
+ *                      than the bitlength of the group order, then the
+ *                      hash is truncated as defined in <em>Standards for
+ *                      Efficient Cryptography Group (SECG): SEC1 Elliptic
+ *                      Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see                 ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through
+ *                      mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng_blind. This may be
+ *                      \c NULL if \p f_rng_blind doesn't need a context parameter.
+ * \param rs_ctx        The restart context to use. This may be \c NULL
+ *                      to disable restarting. If it is not \c NULL, it
+ *                      must point to an initialized restart context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                      operations was reached: see \c
+ *                      mbedtls_ecp_set_max_ops().
+ * \return              Another \c MBEDTLS_ERR_ECP_XXX, \c
+ *                      MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ *                      error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_restartable(
+    mbedtls_ecp_group *grp,
+    mbedtls_mpi *r, mbedtls_mpi *s,
+    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+    mbedtls_md_type_t md_alg,
+    mbedtls_f_rng_t *f_rng_blind,
+    void *p_rng_blind,
+    mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
 /**
  * \brief           This function verifies the ECDSA signature of a
  *                  previously-hashed message.
@@ -305,6 +377,51 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
                          const mbedtls_mpi *s);
 
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/**
+ * \brief           This function verifies the ECDSA signature of a
+ *                  previously-hashed message, in a restartable manner
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
+ * \param r         The first integer of the signature.
+ *                  This must be initialized.
+ * \param s         The second integer of the signature.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r,
+                                     const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
 /**
  * \brief           This function computes the ECDSA signature and writes it
  *                  to a buffer, serialized as defined in <em>RFC-4492:
@@ -340,12 +457,13 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
  *                  size of the curve used, plus 9. For example, 73 Bytes if
  *                  a 256-bit curve is used. A buffer length of
  *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param sig_size  The size of the \p sig buffer in bytes.
  * \param slen      The address at which to store the actual length of
  *                  the signature written. Must not be \c NULL.
- * \param f_rng     The RNG function. This must not be \c NULL if
- *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
- *                  it is used only for blinding and may be set to \c NULL, but
- *                  doing so is DEPRECATED.
+ * \param f_rng     The RNG function. This is used for blinding.
+ *                  If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also
+ *                  used to generate the ECDSA nonce.
+ *                  This must not be \c NULL.
  * \param p_rng     The RNG context to be passed to \p f_rng. This may be
  *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
  *
@@ -356,8 +474,8 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
 int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
                                   mbedtls_md_type_t md_alg,
                                   const unsigned char *hash, size_t hlen,
-                                  unsigned char *sig, size_t *slen,
-                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  unsigned char *sig, size_t sig_size, size_t *slen,
+                                  mbedtls_f_rng_t *f_rng,
                                   void *p_rng);
 
 /**
@@ -382,11 +500,13 @@ int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
  *                  size of the curve used, plus 9. For example, 73 Bytes if
  *                  a 256-bit curve is used. A buffer length of
  *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param sig_size  The size of the \p sig buffer in bytes.
  * \param slen      The address at which to store the actual length of
  *                  the signature written. Must not be \c NULL.
- * \param f_rng     The RNG function. This must not be \c NULL if
- *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
- *                  it is unused and may be set to \c NULL.
+ * \param f_rng     The RNG function. This is used for blinding.
+ *                  If #MBEDTLS_ECDSA_DETERMINISTIC is unset, this is also
+ *                  used to generate the ECDSA nonce.
+ *                  This must not be \c NULL.
  * \param p_rng     The RNG context to be passed to \p f_rng. This may be
  *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
  * \param rs_ctx    The restart context to use. This may be \c NULL to disable
@@ -402,69 +522,11 @@ int mbedtls_ecdsa_write_signature(mbedtls_ecdsa_context *ctx,
 int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
                                               mbedtls_md_type_t md_alg,
                                               const unsigned char *hash, size_t hlen,
-                                              unsigned char *sig, size_t *slen,
-                                              int (*f_rng)(void *, unsigned char *, size_t),
+                                              unsigned char *sig, size_t sig_size, size_t *slen,
+                                              mbedtls_f_rng_t *f_rng,
                                               void *p_rng,
                                               mbedtls_ecdsa_restart_ctx *rs_ctx);
 
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           This function computes an ECDSA signature and writes
- *                  it to a buffer, serialized as defined in <em>RFC-4492:
- *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
- *                  Transport Layer Security (TLS)</em>.
- *
- *                  The deterministic version is defined in <em>RFC-6979:
- *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
- *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \warning         It is not thread-safe to use the same context in
- *                  multiple threads.
- *
- * \note            If the bitlength of the message hash is larger than the
- *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
- *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- *                  4.1.3, step 5.
- *
- * \see             ecp.h
- *
- * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
- *                  Mbed TLS version 2.0 and later.
- *
- * \param ctx       The ECDSA context to use. This must be initialized
- *                  and have a group and private key bound to it, for example
- *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
- * \param hash      The message hash to be signed. This must be a readable
- *                  buffer of length \p hlen Bytes.
- * \param hlen      The length of the hash \p hash in Bytes.
- * \param sig       The buffer to which to write the signature. This must be a
- *                  writable buffer of length at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if
- *                  a 256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
- * \param slen      The address at which to store the actual length of
- *                  the signature written. Must not be \c NULL.
- * \param md_alg    The message digest that was used to hash the message.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_ecdsa_write_signature_det(mbedtls_ecdsa_context *ctx,
-                                      const unsigned char *hash, size_t hlen,
-                                      unsigned char *sig, size_t *slen,
-                                      mbedtls_md_type_t md_alg) MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
 /**
  * \brief           This function reads and verifies an ECDSA signature.
  *
@@ -549,7 +611,7 @@ int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
  */
 int mbedtls_ecdsa_genkey(mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
-                         int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                         mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /**
  * \brief           This function sets up an ECDSA context from an EC key pair.

+ 57 - 21
thirdparty/mbedtls/include/mbedtls/ecjpake.h

@@ -9,6 +9,7 @@
  */
 #ifndef MBEDTLS_ECJPAKE_H
 #define MBEDTLS_ECJPAKE_H
+#include "mbedtls/private_access.h"
 
 /*
  * J-PAKE is a password-authenticated key exchange that allows deriving a
@@ -26,11 +27,7 @@
  * The payloads are serialized in a way suitable for use in TLS, but could
  * also be use outside TLS.
  */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ecp.h"
 #include "mbedtls/md.h"
@@ -45,6 +42,7 @@ extern "C" {
 typedef enum {
     MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
     MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+    MBEDTLS_ECJPAKE_NONE,               /**< Undefined                      */
 } mbedtls_ecjpake_role;
 
 #if !defined(MBEDTLS_ECJPAKE_ALT)
@@ -60,21 +58,21 @@ typedef enum {
  * description as a pair C: client name, S: server name
  */
 typedef struct mbedtls_ecjpake_context {
-    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
-    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
-    mbedtls_ecjpake_role role;          /**< Are we client or server?       */
-    int point_format;                   /**< Format for point export        */
+    mbedtls_md_type_t MBEDTLS_PRIVATE(md_type);          /**< Hash to use                    */
+    mbedtls_ecp_group MBEDTLS_PRIVATE(grp);              /**< Elliptic curve                 */
+    mbedtls_ecjpake_role MBEDTLS_PRIVATE(role);          /**< Are we client or server?       */
+    int MBEDTLS_PRIVATE(point_format);                   /**< Format for point export        */
 
-    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
-    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
-    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
-    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
-    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1);              /**< My public key 1   C: X1, S: X3 */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2);              /**< My public key 2   C: X2, S: X4 */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1);              /**< Peer public key 1 C: X3, S: X1 */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2);              /**< Peer public key 2 C: X4, S: X2 */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Xp);               /**< Peer public key   C: Xs, S: Xc */
 
-    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
-    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
+    mbedtls_mpi MBEDTLS_PRIVATE(xm1);                    /**< My private key 1  C: x1, S: x3 */
+    mbedtls_mpi MBEDTLS_PRIVATE(xm2);                    /**< My private key 2  C: x2, S: x4 */
 
-    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
+    mbedtls_mpi MBEDTLS_PRIVATE(s);                      /**< Pre-shared secret (passphrase) */
 } mbedtls_ecjpake_context;
 
 #else  /* MBEDTLS_ECJPAKE_ALT */
@@ -103,7 +101,7 @@ void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx);
  * \param curve     The identifier of the elliptic curve to use,
  *                  for example #MBEDTLS_ECP_DP_SECP256R1.
  * \param secret    The pre-shared secret (passphrase). This must be
- *                  a readable buffer of length \p len Bytes. It need
+ *                  a readable not empty buffer of length \p len Bytes. It need
  *                  only be valid for the duration of this call.
  * \param len       The length of the pre-shared secret \p secret.
  *
@@ -117,6 +115,21 @@ int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx,
                           const unsigned char *secret,
                           size_t len);
 
+/**
+ * \brief               Set the point format for future reads and writes.
+ *
+ * \param ctx           The ECJPAKE context to configure.
+ * \param point_format  The point format to use:
+ *                      #MBEDTLS_ECP_PF_UNCOMPRESSED (default)
+ *                      or #MBEDTLS_ECP_PF_COMPRESSED.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p point_format
+ *                      is invalid.
+ */
+int mbedtls_ecjpake_set_point_format(mbedtls_ecjpake_context *ctx,
+                                     int point_format);
+
 /**
  * \brief           Check if an ECJPAKE context is ready for use.
  *
@@ -149,7 +162,7 @@ int mbedtls_ecjpake_check(const mbedtls_ecjpake_context *ctx);
  */
 int mbedtls_ecjpake_write_round_one(mbedtls_ecjpake_context *ctx,
                                     unsigned char *buf, size_t len, size_t *olen,
-                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    mbedtls_f_rng_t *f_rng,
                                     void *p_rng);
 
 /**
@@ -190,7 +203,7 @@ int mbedtls_ecjpake_read_round_one(mbedtls_ecjpake_context *ctx,
  */
 int mbedtls_ecjpake_write_round_two(mbedtls_ecjpake_context *ctx,
                                     unsigned char *buf, size_t len, size_t *olen,
-                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    mbedtls_f_rng_t *f_rng,
                                     void *p_rng);
 
 /**
@@ -230,9 +243,32 @@ int mbedtls_ecjpake_read_round_two(mbedtls_ecjpake_context *ctx,
  */
 int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
                                   unsigned char *buf, size_t len, size_t *olen,
-                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  mbedtls_f_rng_t *f_rng,
                                   void *p_rng);
 
+/**
+ * \brief           Write the shared key material to be passed to a Key
+ *                  Derivation Function as described in RFC8236.
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up and have performed both round one and two.
+ * \param buf       The buffer to write the derived secret to. This must
+ *                  be a writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_shared_key(mbedtls_ecjpake_context *ctx,
+                                     unsigned char *buf, size_t len, size_t *olen,
+                                     mbedtls_f_rng_t *f_rng,
+                                     void *p_rng);
+
 /**
  * \brief           This clears an ECJPAKE context and frees any
  *                  embedded data structure.

+ 296 - 137
thirdparty/mbedtls/include/mbedtls/ecp.h

@@ -21,20 +21,13 @@
 
 #ifndef MBEDTLS_ECP_H
 #define MBEDTLS_ECP_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include "mbedtls/bignum.h"
 
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /*
  * ECP error codes
  */
@@ -54,11 +47,6 @@
 #define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80
 /** The buffer contains a valid signature followed by more data. */
 #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00
-
-/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** The ECP hardware accelerator failed. */
-#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80
-
 /** Operation in progress, call again with the same parameters to continue. */
 #define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00
 
@@ -99,16 +87,17 @@ extern "C" {
  * - Add it at the end of this enum, otherwise you'll break the ABI by
  *   changing the numerical value for existing curves.
  * - Increment MBEDTLS_ECP_DP_MAX below if needed.
- * - Update the calculation of MBEDTLS_ECP_MAX_BITS_MIN below.
+ * - Update the calculation of MBEDTLS_ECP_MAX_BITS below.
  * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
- *   config.h.
+ *   mbedtls_config.h.
  * - List the curve as a dependency of MBEDTLS_ECP_C and
  *   MBEDTLS_ECDSA_C if supported in check_config.h.
  * - Add the curve to the appropriate curve type macro
  *   MBEDTLS_ECP_yyy_ENABLED above.
  * - Add the necessary definitions to ecp_curves.c.
  * - Add the curve to the ecp_supported_curves array in ecp.c.
- * - Add the curve to applicable profiles in x509_crt.c if applicable.
+ * - Add the curve to applicable profiles in x509_crt.c.
+ * - Add the curve to applicable presets in ssl_tls.c.
  */
 typedef enum {
     MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */
@@ -129,10 +118,8 @@ typedef enum {
 
 /**
  * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
- *
- * \note Montgomery curves are currently excluded.
  */
-#define MBEDTLS_ECP_DP_MAX     12
+#define MBEDTLS_ECP_DP_MAX     14
 
 /*
  * Curve types
@@ -145,6 +132,10 @@ typedef enum {
 
 /**
  * Curve information, for use by other modules.
+ *
+ * The fields of this structure are part of the public API and can be
+ * accessed directly by applications. Future versions of the library may
+ * add extra fields or reorder existing fields.
  */
 typedef struct mbedtls_ecp_curve_info {
     mbedtls_ecp_group_id grp_id;    /*!< An internal identifier. */
@@ -165,46 +156,12 @@ typedef struct mbedtls_ecp_curve_info {
  *                  coordinates.
  */
 typedef struct mbedtls_ecp_point {
-    mbedtls_mpi X;          /*!< The X coordinate of the ECP point. */
-    mbedtls_mpi Y;          /*!< The Y coordinate of the ECP point. */
-    mbedtls_mpi Z;          /*!< The Z coordinate of the ECP point. */
+    mbedtls_mpi MBEDTLS_PRIVATE(X);          /*!< The X coordinate of the ECP point. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Y);          /*!< The Y coordinate of the ECP point. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Z);          /*!< The Z coordinate of the ECP point. */
 }
 mbedtls_ecp_point;
 
-/* Determine the minimum safe value of MBEDTLS_ECP_MAX_BITS. */
-#if !defined(MBEDTLS_ECP_C)
-#define MBEDTLS_ECP_MAX_BITS_MIN 0
-/* Note: the curves must be listed in DECREASING size! */
-#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 521
-#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 512
-#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 448
-#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 384
-#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 384
-#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 256
-#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 256
-#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 256
-#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 255
-#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 225 // n is slightly above 2^224
-#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 224
-#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 192
-#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
-#define MBEDTLS_ECP_MAX_BITS_MIN 192
-#else
-#error "MBEDTLS_ECP_C enabled, but no curve?"
-#endif
-
 #if !defined(MBEDTLS_ECP_ALT)
 /*
  * default Mbed TLS elliptic curve arithmetic implementation
@@ -262,10 +219,16 @@ mbedtls_ecp_point;
  * additions or subtractions. Therefore, it is only an approximate modular
  * reduction. It must return 0 on success and non-zero on failure.
  *
- * \note        Alternative implementations must keep the group IDs distinct. If
- *              two group structures have the same ID, then they must be
- *              identical.
- *
+ * \note        Alternative implementations of the ECP module must obey the
+ *              following constraints.
+ *              * Group IDs must be distinct: if two group structures have
+ *                the same ID, then they must be identical.
+ *              * The fields \c id, \c P, \c A, \c B, \c G, \c N,
+ *                \c pbits and \c nbits must have the same type and semantics
+ *                as in the built-in implementation.
+ *                They must be available for reading, but direct modification
+ *                of these fields does not need to be supported.
+ *                They do not need to be at the same offset in the structure.
  */
 typedef struct mbedtls_ecp_group {
     mbedtls_ecp_group_id id;    /*!< An internal group identifier. */
@@ -283,14 +246,16 @@ typedef struct mbedtls_ecp_group {
     size_t nbits;               /*!< For Short Weierstrass: The number of bits in \p P.
                                      For Montgomery curves: the number of bits in the
                                      private keys. */
-    unsigned int h;             /*!< \internal 1 if the constants are static. */
-    int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
-                                     mod \p P (see above).*/
-    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< Unused. */
-    int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
-    void *t_data;               /*!< Unused. */
-    mbedtls_ecp_point *T;       /*!< Pre-computed points for ecp_mul_comb(). */
-    size_t T_size;              /*!< The number of pre-computed points. */
+    /* End of public fields */
+
+    unsigned int MBEDTLS_PRIVATE(h);             /*!< \internal 1 if the constants are static. */
+    int(*MBEDTLS_PRIVATE(modp))(mbedtls_mpi *);  /*!< The function for fast pseudo-reduction
+                                                    mod \p P (see above).*/
+    int(*MBEDTLS_PRIVATE(t_pre))(mbedtls_ecp_point *, void *);   /*!< Unused. */
+    int(*MBEDTLS_PRIVATE(t_post))(mbedtls_ecp_point *, void *);  /*!< Unused. */
+    void *MBEDTLS_PRIVATE(t_data);               /*!< Unused. */
+    mbedtls_ecp_point *MBEDTLS_PRIVATE(T);       /*!< Pre-computed points for ecp_mul_comb(). */
+    size_t MBEDTLS_PRIVATE(T_size);              /*!< The number of dynamic allocated pre-computed points. */
 }
 mbedtls_ecp_group;
 
@@ -298,32 +263,10 @@ mbedtls_ecp_group;
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h, or define them using the compiler command line.
+ * Either change them in mbedtls_config.h, or define them using the compiler command line.
  * \{
  */
 
-#if defined(MBEDTLS_ECP_MAX_BITS)
-
-#if MBEDTLS_ECP_MAX_BITS < MBEDTLS_ECP_MAX_BITS_MIN
-#error "MBEDTLS_ECP_MAX_BITS is smaller than the largest supported curve"
-#endif
-
-#elif defined(MBEDTLS_ECP_C)
-/**
- * The maximum size of the groups, that is, of \c N and \c P.
- */
-#define MBEDTLS_ECP_MAX_BITS     MBEDTLS_ECP_MAX_BITS_MIN
-
-#else
-/* MBEDTLS_ECP_MAX_BITS is not relevant without MBEDTLS_ECP_C, but set it
- * to a nonzero value so that code that unconditionally allocates an array
- * of a size based on it keeps working if built without ECC support. */
-#define MBEDTLS_ECP_MAX_BITS 1
-#endif
-
-#define MBEDTLS_ECP_MAX_BYTES    ((MBEDTLS_ECP_MAX_BITS + 7) / 8)
-#define MBEDTLS_ECP_MAX_PT_LEN   (2 * MBEDTLS_ECP_MAX_BYTES + 1)
-
 #if !defined(MBEDTLS_ECP_WINDOW_SIZE)
 /*
  * Maximum "window" size used for point multiplication.
@@ -350,15 +293,16 @@ mbedtls_ecp_group;
 
 #if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
 /*
- * Trade memory for speed on fixed-point multiplication.
+ * Trade code size for speed on fixed-point multiplication.
  *
  * This speeds up repeated multiplication of the generator (that is, the
  * multiplication in ECDSA signatures, and half of the multiplications in
  * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
  *
- * The cost is increasing EC peak memory usage by a factor roughly 2.
+ * For each n-bit Short Weierstrass curve that is enabled, this adds 4n bytes
+ * of code size if n < 384 and 8n otherwise.
  *
- * Change this value to 0 to reduce peak memory usage.
+ * Change this value to 0 to reduce code size.
  */
 #define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up. */
 #endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
@@ -369,6 +313,47 @@ mbedtls_ecp_group;
 #include "ecp_alt.h"
 #endif /* MBEDTLS_ECP_ALT */
 
+/**
+ * The maximum size of the groups, that is, of \c N and \c P.
+ */
+#if !defined(MBEDTLS_ECP_LIGHT)
+/* Dummy definition to help code that has optional ECP support and
+ * defines an MBEDTLS_ECP_MAX_BYTES-sized array unconditionally. */
+#define MBEDTLS_ECP_MAX_BITS 1
+/* Note: the curves must be listed in DECREASING size! */
+#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 521
+#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 512
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 448
+#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 384
+#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 384
+#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 256
+#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 255
+#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 225 // n is slightly above 2^224
+#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 224
+#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 192
+#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS 192
+#else /* !MBEDTLS_ECP_LIGHT */
+#error "Missing definition of MBEDTLS_ECP_MAX_BITS"
+#endif /* !MBEDTLS_ECP_LIGHT */
+
+#define MBEDTLS_ECP_MAX_BYTES    ((MBEDTLS_ECP_MAX_BITS + 7) / 8)
+#define MBEDTLS_ECP_MAX_PT_LEN   (2 * MBEDTLS_ECP_MAX_BYTES + 1)
+
 #if defined(MBEDTLS_ECP_RESTARTABLE)
 
 /**
@@ -389,10 +374,10 @@ typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
  * \brief           General context for resuming ECC operations
  */
 typedef struct {
-    unsigned ops_done;                  /*!<  current ops count             */
-    unsigned depth;                     /*!<  call depth (0 = top-level)    */
-    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */
-    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */
+    unsigned MBEDTLS_PRIVATE(ops_done);                  /*!<  current ops count             */
+    unsigned MBEDTLS_PRIVATE(depth);                     /*!<  call depth (0 = top-level)    */
+    mbedtls_ecp_restart_mul_ctx *MBEDTLS_PRIVATE(rsm);   /*!<  ecp_mul_comb() sub-context    */
+    mbedtls_ecp_restart_muladd_ctx *MBEDTLS_PRIVATE(ma); /*!<  ecp_muladd() sub-context      */
 } mbedtls_ecp_restart_ctx;
 
 /*
@@ -441,17 +426,28 @@ typedef void mbedtls_ecp_restart_ctx;
  *          ::mbedtls_ecdsa_context structure.
  */
 typedef struct mbedtls_ecp_keypair {
-    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
-    mbedtls_mpi d;              /*!<  our secret value                  */
-    mbedtls_ecp_point Q;        /*!<  our public value                  */
+    mbedtls_ecp_group MBEDTLS_PRIVATE(grp);      /*!<  Elliptic curve and base point     */
+    mbedtls_mpi MBEDTLS_PRIVATE(d);              /*!<  our secret value                  */
+    mbedtls_ecp_point MBEDTLS_PRIVATE(Q);        /*!<  our public value                  */
 }
 mbedtls_ecp_keypair;
 
-/*
- * Point formats, from RFC 4492's enum ECPointFormat
+/**
+ * The uncompressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED    0
+/**
+ * The compressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ *
+ * \warning     While this format is supported for all concerned curves for
+ *              writing, when it comes to parsing, it is not supported for all
+ *              curves. Specifically, parsing compressed points on
+ *              MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
+ *              supported.
  */
-#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format. */
-#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format. */
+#define MBEDTLS_ECP_PF_COMPRESSED      1
 
 /*
  * Some other constants from RFC 4492
@@ -489,6 +485,12 @@ mbedtls_ecp_keypair;
  *                  only enabled for specific sides and key exchanges
  *                  (currently only for clients and ECDHE-ECDSA).
  *
+ * \warning         Using the PSA interruptible interfaces with keys in local
+ *                  storage and no accelerator driver will also call this
+ *                  function to set the values specified via those interfaces,
+ *                  overwriting values previously set. Care should be taken if
+ *                  mixing these two interfaces.
+ *
  * \param max_ops   Maximum number of basic operations done in a row.
  *                  Default: 0 (unlimited).
  *                  Lower (non-zero) values mean ECC functions will block for
@@ -780,6 +782,9 @@ int mbedtls_ecp_point_write_binary(const mbedtls_ecp_group *grp,
  *                  belongs to the given group, see mbedtls_ecp_check_pubkey()
  *                  for that.
  *
+ * \note            For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ *                  limitations.
+ *
  * \param grp       The group to which the point should belong.
  *                  This must be initialized and have group parameters
  *                  set, for example through mbedtls_ecp_group_load().
@@ -939,15 +944,8 @@ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
  * \note            To prevent timing attacks, this function
  *                  executes the exact same sequence of base-field
  *                  operations for any valid \p m. It avoids any if-branch or
- *                  array index depending on the value of \p m.
- *
- * \note            If \p f_rng is not NULL, it is used to randomize
- *                  intermediate results to prevent potential timing attacks
- *                  targeting these results. We recommend always providing
- *                  a non-NULL \p f_rng. The overhead is negligible.
- *                  Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
- *                  \p f_rng is NULL, an internal RNG (seeded from the value
- *                  of \p m) will be used instead.
+ *                  array index depending on the value of \p m. It also uses
+ *                  \p f_rng to randomize some intermediate results.
  *
  * \param grp       The ECP group to use.
  *                  This must be initialized and have group parameters
@@ -956,9 +954,9 @@ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
  *                  This must be initialized.
  * \param m         The integer by which to multiply. This must be initialized.
  * \param P         The point to multiply. This must be initialized.
- * \param f_rng     The RNG function. This may be \c NULL if randomization
- *                  of intermediate results isn't desired (discouraged).
- * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be \c
+ *                  NULL if \p f_rng doesn't need a context.
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
@@ -968,7 +966,7 @@ int mbedtls_ecp_tls_write_group(const mbedtls_ecp_group *grp,
  */
 int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                     const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                    mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /**
  * \brief           This function performs multiplication of a point by
@@ -987,9 +985,9 @@ int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  *                  This must be initialized.
  * \param m         The integer by which to multiply. This must be initialized.
  * \param P         The point to multiply. This must be initialized.
- * \param f_rng     The RNG function. This may be \c NULL if randomization
- *                  of intermediate results isn't desired (discouraged).
- * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be \c
+ *                  NULL if \p f_rng doesn't need a context.
  * \param rs_ctx    The restart context (NULL disables restart).
  *
  * \return          \c 0 on success.
@@ -1002,7 +1000,7 @@ int mbedtls_ecp_mul(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  */
 int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
                                 const mbedtls_mpi *m, const mbedtls_ecp_point *P,
-                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                mbedtls_f_rng_t *f_rng, void *p_rng,
                                 mbedtls_ecp_restart_ctx *rs_ctx);
 
 #if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
@@ -1023,7 +1021,7 @@ int mbedtls_ecp_mul_restartable(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
  */
 static inline int mbedtls_ecp_group_a_is_minus_3(const mbedtls_ecp_group *grp)
 {
-    return grp->A.p == NULL;
+    return grp->A.MBEDTLS_PRIVATE(p) == NULL;
 }
 
 /**
@@ -1181,7 +1179,7 @@ int mbedtls_ecp_check_privkey(const mbedtls_ecp_group *grp,
  */
 int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
                             mbedtls_mpi *d,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /**
@@ -1214,7 +1212,7 @@ int mbedtls_ecp_gen_privkey(const mbedtls_ecp_group *grp,
 int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
                                  const mbedtls_ecp_point *G,
                                  mbedtls_mpi *d, mbedtls_ecp_point *Q,
-                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 mbedtls_f_rng_t *f_rng,
                                  void *p_rng);
 
 /**
@@ -1242,7 +1240,7 @@ int mbedtls_ecp_gen_keypair_base(mbedtls_ecp_group *grp,
  */
 int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
                             mbedtls_ecp_point *Q,
-                            int (*f_rng)(void *, unsigned char *, size_t),
+                            mbedtls_f_rng_t *f_rng,
                             void *p_rng);
 
 /**
@@ -1259,13 +1257,58 @@ int mbedtls_ecp_gen_keypair(mbedtls_ecp_group *grp, mbedtls_mpi *d,
  *                  on failure.
  */
 int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
-                        int (*f_rng)(void *, unsigned char *, size_t),
+                        mbedtls_f_rng_t *f_rng,
                         void *p_rng);
 
+/** \brief          Set the public key in a key pair object.
+ *
+ * \note            This function does not check that the point actually
+ *                  belongs to the given group. Call mbedtls_ecp_check_pubkey()
+ *                  on \p Q before calling this function to check that.
+ *
+ * \note            This function does not check that the public key matches
+ *                  the private key that is already in \p key, if any.
+ *                  To check the consistency of the resulting key pair object,
+ *                  call mbedtls_ecp_check_pub_priv() after setting both
+ *                  the public key and the private key.
+ *
+ * \param grp_id    The ECP group identifier.
+ * \param key       The key pair object. It must be initialized.
+ *                  If its group has already been set, it must match \p grp_id.
+ *                  If its group has not been set, it will be set to \p grp_id.
+ *                  If the public key has already been set, it is overwritten.
+ * \param Q         The public key to copy. This must be a point on the
+ *                  curve indicated by \p grp_id.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p key does not
+ *                  match \p grp_id.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ *                  the group is not implemented.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_public_key(mbedtls_ecp_group_id grp_id,
+                               mbedtls_ecp_keypair *key,
+                               const mbedtls_ecp_point *Q);
+
 /**
  * \brief           This function reads an elliptic curve private key.
  *
- * \note            This function does not support Curve448 yet.
+ * \note            This function does not set the public key in the
+ *                  key pair object. Without a public key, the key pair object
+ *                  cannot be used with operations that require the public key.
+ *                  Call mbedtls_ecp_keypair_calc_public() to set the public
+ *                  key from the private key. Alternatively, you can call
+ *                  mbedtls_ecp_set_public_key() to set the public key part,
+ *                  and then optionally mbedtls_ecp_check_pub_priv() to check
+ *                  that the private and public parts are consistent.
+ *
+ * \note            If a public key has already been set in the key pair
+ *                  object, this function does not check that it is consistent
+ *                  with the private key. Call mbedtls_ecp_check_pub_priv()
+ *                  after setting both the public key and the private key
+ *                  to make that check.
  *
  * \param grp_id    The ECP group identifier.
  * \param key       The destination key.
@@ -1285,10 +1328,11 @@ int mbedtls_ecp_gen_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
 int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
                          const unsigned char *buf, size_t buflen);
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief           This function exports an elliptic curve private key.
  *
- * \note            Note that although this function accepts an output
+ * \deprecated      Note that although this function accepts an output
  *                  buffer that is smaller or larger than the key, most key
  *                  import interfaces require the output to have exactly
  *                  key's nominal length. It is generally simplest to
@@ -1296,13 +1340,15 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
  *                  checking that the output buffer is large enough.
  *                  See the description of the \p buflen parameter for
  *                  how to calculate the nominal length.
+ *                  To avoid this difficulty, use mbedtls_ecp_write_key_ext()
+ *                  instead.
+ *                  mbedtls_ecp_write_key() is deprecated and will be
+ *                  removed in a future version of the library.
  *
  * \note            If the private key was not set in \p key,
  *                  the output is unspecified. Future versions
  *                  may return an error in that case.
  *
- * \note            This function does not support Curve448 yet.
- *
  * \param key       The private key.
  * \param buf       The output buffer for containing the binary representation
  *                  of the key.
@@ -1327,8 +1373,61 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
  *                  representation is larger than the available space in \p buf.
  * \return          Another negative error code on different kinds of failure.
  */
-int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
-                          unsigned char *buf, size_t buflen);
+int MBEDTLS_DEPRECATED mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
+                                             unsigned char *buf, size_t buflen);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief           This function exports an elliptic curve private key.
+ *
+ * \param key       The private key.
+ * \param olen      On success, the length of the private key.
+ *                  This is always (`grp->nbits` + 7) / 8 bytes
+ *                  where `grp->nbits` is the private key size in bits.
+ * \param buf       The output buffer for containing the binary representation
+ *                  of the key.
+ * \param buflen    The total length of the buffer in bytes.
+ *                  #MBEDTLS_ECP_MAX_BYTES is always sufficient.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
+ *                  representation is larger than the available space in \p buf.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if no private key is
+ *                  set in \p key.
+ * \return          Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_write_key_ext(const mbedtls_ecp_keypair *key,
+                              size_t *olen, unsigned char *buf, size_t buflen);
+
+/**
+ * \brief           This function exports an elliptic curve public key.
+ *
+ * \note            If the public key was not set in \p key,
+ *                  the output is unspecified. Future versions
+ *                  may return an error in that case.
+ *
+ * \param key       The public key.
+ * \param format    The point format. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ *                  (For groups without these formats, this parameter is
+ *                  ignored. But it still has to be either of the above
+ *                  values.)
+ * \param olen      The address at which to store the length of
+ *                  the output in Bytes. This must not be \c NULL.
+ * \param buf       The output buffer. This must be a writable buffer
+ *                  of length \p buflen Bytes.
+ * \param buflen    The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ *                  is too small to hold the point.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ *                  or the export for the given group is not implemented.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_write_public_key(const mbedtls_ecp_keypair *key,
+                                 int format, size_t *olen,
+                                 unsigned char *buf, size_t buflen);
 
 /**
  * \brief           This function checks that the keypair objects
@@ -1341,14 +1440,74 @@ int mbedtls_ecp_write_key(mbedtls_ecp_keypair *key,
  *                  part is ignored.
  * \param prv       The keypair structure holding the full keypair.
  *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be \c
+ *                  NULL if \p f_rng doesn't need a context.
  *
  * \return          \c 0 on success, meaning that the keys are valid and match.
  * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
  * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
  *                  error code on calculation failure.
  */
-int mbedtls_ecp_check_pub_priv(const mbedtls_ecp_keypair *pub,
-                               const mbedtls_ecp_keypair *prv);
+int mbedtls_ecp_check_pub_priv(
+    const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv,
+    mbedtls_f_rng_t *f_rng, void *p_rng);
+
+/** \brief          Calculate the public key from a private key in a key pair.
+ *
+ * \param key       A keypair structure. It must have a private key set.
+ *                  If the public key is set, it will be overwritten.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be \c
+ *                  NULL if \p f_rng doesn't need a context.
+ *
+ * \return          \c 0 on success. The key pair object can be used for
+ *                  operations that require the public key.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on calculation failure.
+ */
+int mbedtls_ecp_keypair_calc_public(
+    mbedtls_ecp_keypair *key,
+    mbedtls_f_rng_t *f_rng, void *p_rng);
+
+/** \brief          Query the group that a key pair belongs to.
+ *
+ * \param key       The key pair to query.
+ *
+ * \return          The group ID for the group registered in the key pair
+ *                  object.
+ *                  This is \c MBEDTLS_ECP_DP_NONE if no group has been set
+ *                  in the key pair object.
+ */
+mbedtls_ecp_group_id mbedtls_ecp_keypair_get_group_id(
+    const mbedtls_ecp_keypair *key);
+
+/**
+ * \brief           This function exports generic key-pair parameters.
+ *
+ *                  Each of the output parameters can be a null pointer
+ *                  if you do not need that parameter.
+ *
+ * \note            If the private key or the public key was not set in \p key,
+ *                  the corresponding output is unspecified. Future versions
+ *                  may return an error in that case.
+ *
+ * \param key       The key pair to export from.
+ * \param grp       Slot for exported ECP group.
+ *                  It must either be null or point to an initialized ECP group.
+ * \param d         Slot for the exported secret value.
+ *                  It must either be null or point to an initialized mpi.
+ * \param Q         Slot for the exported public value.
+ *                  It must either be null or point to an initialized ECP point.
+ *
+ * \return          \c 0 on success,
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if key id doesn't
+ *                  correspond to a known group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_export(const mbedtls_ecp_keypair *key, mbedtls_ecp_group *grp,
+                       mbedtls_mpi *d, mbedtls_ecp_point *Q);
 
 #if defined(MBEDTLS_SELF_TEST)
 

+ 33 - 39
thirdparty/mbedtls/include/mbedtls/entropy.h

@@ -9,22 +9,24 @@
  */
 #ifndef MBEDTLS_ENTROPY_H
 #define MBEDTLS_ENTROPY_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 
-#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
-#include "mbedtls/sha512.h"
+#include "md.h"
+
+#if (defined(MBEDTLS_MD_CAN_SHA512) || defined(PSA_WANT_ALG_SHA_512)) && \
+    !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
 #define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define MBEDTLS_ENTROPY_MD  MBEDTLS_MD_SHA512
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
 #else
-#if defined(MBEDTLS_SHA256_C)
+#if (defined(MBEDTLS_MD_CAN_SHA256) || defined(PSA_WANT_ALG_SHA_256))
 #define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
-#include "mbedtls/sha256.h"
+#define MBEDTLS_ENTROPY_MD  MBEDTLS_MD_SHA256
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      32      /**< Block size of entropy accumulator (SHA-256) */
 #endif
 #endif
 
@@ -32,9 +34,6 @@
 #include "mbedtls/threading.h"
 #endif
 
-#if defined(MBEDTLS_HAVEGE_C)
-#include "mbedtls/havege.h"
-#endif
 
 /** Critical entropy source failure. */
 #define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C
@@ -51,7 +50,7 @@
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 
@@ -65,12 +64,6 @@
 
 /** \} name SECTION: Module settings */
 
-#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
-#define MBEDTLS_ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
-#else
-#define MBEDTLS_ENTROPY_BLOCK_SIZE      32      /**< Block size of entropy accumulator (SHA-256) */
-#endif
-
 #define MBEDTLS_ENTROPY_MAX_SEED_SIZE   1024    /**< Maximum size of seed we read from seed file */
 #define MBEDTLS_ENTROPY_SOURCE_MANUAL   MBEDTLS_ENTROPY_MAX_SOURCES
 
@@ -99,11 +92,11 @@ typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, s
  * \brief           Entropy source state
  */
 typedef struct mbedtls_entropy_source_state {
-    mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
-    void *p_source;             /**< The callback data pointer */
-    size_t          size;       /**< Amount received in bytes */
-    size_t          threshold;  /**< Minimum bytes required before release */
-    int             strong;     /**< Is the source strong? */
+    mbedtls_entropy_f_source_ptr    MBEDTLS_PRIVATE(f_source);   /**< The entropy source callback */
+    void *MBEDTLS_PRIVATE(p_source);             /**< The callback data pointer */
+    size_t          MBEDTLS_PRIVATE(size);       /**< Amount received in bytes */
+    size_t          MBEDTLS_PRIVATE(threshold);  /**< Minimum bytes required before release */
+    int             MBEDTLS_PRIVATE(strong);     /**< Is the source strong? */
 }
 mbedtls_entropy_source_state;
 
@@ -111,28 +104,29 @@ mbedtls_entropy_source_state;
  * \brief           Entropy context structure
  */
 typedef struct mbedtls_entropy_context {
-    int accumulator_started; /* 0 after init.
-                              * 1 after the first update.
-                              * -1 after free. */
-#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
-    mbedtls_sha512_context  accumulator;
-#elif defined(MBEDTLS_ENTROPY_SHA256_ACCUMULATOR)
-    mbedtls_sha256_context  accumulator;
-#endif
-    int             source_count; /* Number of entries used in source. */
-    mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
-#if defined(MBEDTLS_HAVEGE_C)
-    mbedtls_havege_state    havege_data;
-#endif
+    mbedtls_md_context_t  MBEDTLS_PRIVATE(accumulator);
+    int MBEDTLS_PRIVATE(accumulator_started); /* 0 after init.
+                                               * 1 after the first update.
+                                               * -1 after free. */
+    int             MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */
+    mbedtls_entropy_source_state    MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES];
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);    /*!< mutex                  */
 #endif
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
-    int initial_entropy_run;
+    int MBEDTLS_PRIVATE(initial_entropy_run);
 #endif
 }
 mbedtls_entropy_context;
 
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief           Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll(void *data,
+                                  unsigned char *output, size_t len, size_t *olen);
+#endif
+
 /**
  * \brief           Initialize the context
  *

+ 13 - 18
thirdparty/mbedtls/include/mbedtls/error.h

@@ -10,19 +10,10 @@
 #ifndef MBEDTLS_ERROR_H
 #define MBEDTLS_ERROR_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /**
  * Error code layout.
  *
@@ -48,12 +39,10 @@
  * Module   Nr  Codes assigned
  * ERROR     2  0x006E          0x0001
  * MPI       7  0x0002-0x0010
- * GCM       3  0x0012-0x0014   0x0013-0x0013
- * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
+ * GCM       3  0x0012-0x0016   0x0013-0x0013
  * THREADING 3  0x001A-0x001E
  * AES       5  0x0020-0x0022   0x0021-0x0025
  * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
- * XTEA      2  0x0028-0x0028   0x0029-0x0029
  * BASE64    2  0x002A-0x002C
  * OID       1  0x002E-0x002E   0x000B-0x000B
  * PADLOCK   1  0x0030-0x0030
@@ -67,18 +56,17 @@
  * PBKDF2    1  0x007C-0x007C
  * HMAC_DRBG 4                  0x0003-0x0009
  * CCM       3                  0x000D-0x0011
- * ARC4      1                  0x0019-0x0019
- * MD2       1                  0x002B-0x002B
- * MD4       1                  0x002D-0x002D
  * MD5       1                  0x002F-0x002F
  * RIPEMD160 1                  0x0031-0x0031
  * SHA1      1                  0x0035-0x0035 0x0073-0x0073
  * SHA256    1                  0x0037-0x0037 0x0074-0x0074
  * SHA512    1                  0x0039-0x0039 0x0075-0x0075
+ * SHA-3     1                  0x0076-0x0076
  * CHACHA20  3                  0x0051-0x0055
  * POLY1305  3                  0x0057-0x005B
  * CHACHAPOLY 2 0x0054-0x0056
  * PLATFORM  2  0x0070-0x0072
+ * LMS       5  0x0011-0x0019
  *
  * High-level module nr (3 bits - 0x0...-0x7...)
  * Name      ID  Nr of Errors
@@ -92,10 +80,12 @@
  * ECP       4   10 (Started from top)
  * MD        5   5
  * HKDF      5   1 (Started from top)
+ * PKCS7     5   12 (Started from 0x5300)
  * SSL       5   3 (Started from 0x5F00)
  * CIPHER    6   8 (Started from 0x6080)
- * SSL       6   24 (Started from top, plus 0x6000)
- * SSL       7   32
+ * SSL       6   22 (Started from top, plus 0x6000)
+ * SSL       7   20 (Started from 0x7000, gaps at
+ *                   0x7380, 0x7900-0x7980, 0x7A80-0x7E80)
  *
  * Module dependent error code (5 bits 0x.00.-0x.F8.)
  */
@@ -109,6 +99,11 @@ extern "C" {
 /** This is a bug in the library */
 #define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E
 
+/** Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070
+/** The requested feature is not supported by the platform */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072
+
 /**
  * \brief Combines a high-level and low-level error code together.
  *

+ 116 - 46
thirdparty/mbedtls/include/mbedtls/gcm.h

@@ -18,15 +18,16 @@
 
 #ifndef MBEDTLS_GCM_H
 #define MBEDTLS_GCM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/cipher.h"
 
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+#include "mbedtls/block_cipher.h"
+#endif
+
 #include <stdint.h>
 
 #define MBEDTLS_GCM_ENCRYPT     1
@@ -34,13 +35,10 @@
 
 /** Authenticated decryption failed. */
 #define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012
-
-/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** GCM hardware accelerator failed. */
-#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013
-
 /** Bad input parameters to function. */
 #define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014
+/** An output buffer is too small. */
+#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL                  -0x0016
 
 #ifdef __cplusplus
 extern "C" {
@@ -48,21 +46,31 @@ extern "C" {
 
 #if !defined(MBEDTLS_GCM_ALT)
 
+#if defined(MBEDTLS_GCM_LARGE_TABLE)
+#define MBEDTLS_GCM_HTABLE_SIZE 256
+#else
+#define MBEDTLS_GCM_HTABLE_SIZE 16
+#endif
+
 /**
  * \brief          The GCM context structure.
  */
 typedef struct mbedtls_gcm_context {
-    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
-    uint64_t HL[16];                      /*!< Precalculated HTable low. */
-    uint64_t HH[16];                      /*!< Precalculated HTable high. */
-    uint64_t len;                         /*!< The total length of the encrypted data. */
-    uint64_t add_len;                     /*!< The total length of the additional data. */
-    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
-    unsigned char y[16];                  /*!< The Y working value. */
-    unsigned char buf[16];                /*!< The buf working value. */
-    int mode;                             /*!< The operation to perform:
-                                           #MBEDTLS_GCM_ENCRYPT or
-                                           #MBEDTLS_GCM_DECRYPT. */
+#if defined(MBEDTLS_BLOCK_CIPHER_C)
+    mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx);  /*!< The cipher context used. */
+#else
+    mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx);    /*!< The cipher context used. */
+#endif
+    uint64_t MBEDTLS_PRIVATE(H)[MBEDTLS_GCM_HTABLE_SIZE][2]; /*!< Precalculated HTable. */
+    uint64_t MBEDTLS_PRIVATE(len);                           /*!< The total length of the encrypted data. */
+    uint64_t MBEDTLS_PRIVATE(add_len);                       /*!< The total length of the additional data. */
+    unsigned char MBEDTLS_PRIVATE(base_ectr)[16];            /*!< The first ECTR for tag. */
+    unsigned char MBEDTLS_PRIVATE(y)[16];                    /*!< The Y working value. */
+    unsigned char MBEDTLS_PRIVATE(buf)[16];                  /*!< The buf working value. */
+    unsigned char MBEDTLS_PRIVATE(mode);                     /*!< The operation to perform:
+                                                              #MBEDTLS_GCM_ENCRYPT or
+                                                              #MBEDTLS_GCM_DECRYPT. */
+    unsigned char MBEDTLS_PRIVATE(acceleration);             /*!< The acceleration to use. */
 }
 mbedtls_gcm_context;
 
@@ -222,6 +230,27 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
  * \param iv        The initialization vector. This must be a readable buffer of
  *                  at least \p iv_len Bytes.
  * \param iv_len    The length of the IV.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
+                       int mode,
+                       const unsigned char *iv,
+                       size_t iv_len);
+
+/**
+ * \brief           This function feeds an input buffer as associated data
+ *                  (authenticated but not encrypted data) in a GCM
+ *                  encryption or decryption operation.
+ *
+ *                  Call this function after mbedtls_gcm_starts() to pass
+ *                  the associated data. If the associated data is empty,
+ *                  you do not need to call this function. You may not
+ *                  call this function after calling mbedtls_cipher_update().
+ *
+ * \param ctx       The GCM context. This must have been started with
+ *                  mbedtls_gcm_starts() and must not have yet received
+ *                  any input with mbedtls_gcm_update().
  * \param add       The buffer holding the additional data, or \c NULL
  *                  if \p add_len is \c 0.
  * \param add_len   The length of the additional data. If \c 0,
@@ -229,20 +258,35 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
  *
  * \return          \c 0 on success.
  */
-int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
-                       int mode,
-                       const unsigned char *iv,
-                       size_t iv_len,
-                       const unsigned char *add,
-                       size_t add_len);
+int mbedtls_gcm_update_ad(mbedtls_gcm_context *ctx,
+                          const unsigned char *add,
+                          size_t add_len);
 
 /**
  * \brief           This function feeds an input buffer into an ongoing GCM
  *                  encryption or decryption operation.
  *
- *    `             The function expects input to be a multiple of 16
- *                  Bytes. Only the last call before calling
- *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *                  You may call this function zero, one or more times
+ *                  to pass successive parts of the input: the plaintext to
+ *                  encrypt, or the ciphertext (not including the tag) to
+ *                  decrypt. After the last part of the input, call
+ *                  mbedtls_gcm_finish().
+ *
+ *                  This function may produce output in one of the following
+ *                  ways:
+ *                  - Immediate output: the output length is always equal
+ *                    to the input length.
+ *                  - Buffered output: the output consists of a whole number
+ *                    of 16-byte blocks. If the total input length so far
+ *                    (not including associated data) is 16 \* *B* + *A*
+ *                    with *A* < 16 then the total output length is 16 \* *B*.
+ *
+ *                  In particular:
+ *                  - It is always correct to call this function with
+ *                    \p output_size >= \p input_length + 15.
+ *                  - If \p input_length is a multiple of 16 for all the calls
+ *                    to this function during an operation, then it is
+ *                    correct to use \p output_size = \p input_length.
  *
  * \note            The output buffer \p output can be the same as the input
  *                  buffer \p input. If \p output is greater than \p input, they
@@ -250,23 +294,31 @@ int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
  *                  MBEDTLS_GCM_ALT to be enabled may not provide support for
  *                  overlapping buffers.
  *
- * \param ctx       The GCM context. This must be initialized.
- * \param length    The length of the input data. This must be a multiple of
- *                  16 except in the last call before mbedtls_gcm_finish().
- * \param input     The buffer holding the input data. If \p length is greater
- *                  than zero, this must be a readable buffer of at least that
- *                  size in Bytes.
- * \param output    The buffer for holding the output data. If \p length is
- *                  greater than zero, this must be a writable buffer of at
- *                  least that size in Bytes.
+ * \param ctx           The GCM context. This must be initialized.
+ * \param input         The buffer holding the input data. If \p input_length
+ *                      is greater than zero, this must be a readable buffer
+ *                      of at least \p input_length bytes.
+ * \param input_length  The length of the input data in bytes.
+ * \param output        The buffer for the output data. If \p output_size
+ *                      is greater than zero, this must be a writable buffer of
+ *                      of at least \p output_size bytes.
+ * \param output_size   The size of the output buffer in bytes.
+ *                      See the function description regarding the output size.
+ * \param output_length On success, \p *output_length contains the actual
+ *                      length of the output written in \p output.
+ *                      On failure, the content of \p *output_length is
+ *                      unspecified.
  *
  * \return         \c 0 on success.
- * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
+ *                 total input length too long,
+ *                 unsupported input/output buffer overlap detected,
+ *                 or \p output_size too small.
  */
 int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
-                       size_t length,
-                       const unsigned char *input,
-                       unsigned char *output);
+                       const unsigned char *input, size_t input_length,
+                       unsigned char *output, size_t output_size,
+                       size_t *output_length);
 
 /**
  * \brief           This function finishes the GCM operation and generates
@@ -280,13 +332,31 @@ int mbedtls_gcm_update(mbedtls_gcm_context *ctx,
  *                  buffer of at least \p tag_len Bytes.
  * \param tag_len   The length of the tag to generate. This must be at least
  *                  four.
+ * \param output    The buffer for the final output.
+ *                  If \p output_size is nonzero, this must be a writable
+ *                  buffer of at least \p output_size bytes.
+ * \param output_size  The size of the \p output buffer in bytes.
+ *                  This must be large enough for the output that
+ *                  mbedtls_gcm_update() has not produced. In particular:
+ *                  - If mbedtls_gcm_update() produces immediate output,
+ *                    or if the total input size is a multiple of \c 16,
+ *                    then mbedtls_gcm_finish() never produces any output,
+ *                    so \p output_size can be \c 0.
+ *                  - \p output_size never needs to be more than \c 15.
+ * \param output_length On success, \p *output_length contains the actual
+ *                      length of the output written in \p output.
+ *                      On failure, the content of \p *output_length is
+ *                      unspecified.
  *
  * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure:
+ *                  invalid value of \p tag_len,
+ *                  or \p output_size too small.
  */
 int mbedtls_gcm_finish(mbedtls_gcm_context *ctx,
-                       unsigned char *tag,
-                       size_t tag_len);
+                       unsigned char *output, size_t output_size,
+                       size_t *output_length,
+                       unsigned char *tag, size_t tag_len);
 
 /**
  * \brief           This function clears a GCM context and the underlying

+ 0 - 67
thirdparty/mbedtls/include/mbedtls/havege.h

@@ -1,67 +0,0 @@
-/**
- * \file havege.h
- *
- * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_HAVEGE_H
-#define MBEDTLS_HAVEGE_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          HAVEGE state structure
- */
-typedef struct mbedtls_havege_state {
-    uint32_t PT1, PT2, offset[2];
-    uint32_t pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
-    uint32_t WALK[8192];
-}
-mbedtls_havege_state;
-
-/**
- * \brief          HAVEGE initialization
- *
- * \param hs       HAVEGE state to be initialized
- */
-void mbedtls_havege_init(mbedtls_havege_state *hs);
-
-/**
- * \brief          Clear HAVEGE state
- *
- * \param hs       HAVEGE state to be cleared
- */
-void mbedtls_havege_free(mbedtls_havege_state *hs);
-
-/**
- * \brief          HAVEGE rand function
- *
- * \param p_rng    A HAVEGE state
- * \param output   Buffer to fill
- * \param len      Length of buffer
- *
- * \return         0
- */
-int mbedtls_havege_random(void *p_rng, unsigned char *output, size_t len);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* havege.h */

+ 1 - 5
thirdparty/mbedtls/include/mbedtls/hkdf.h

@@ -13,11 +13,7 @@
 #ifndef MBEDTLS_HKDF_H
 #define MBEDTLS_HKDF_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/md.h"
 

+ 15 - 42
thirdparty/mbedtls/include/mbedtls/hmac_drbg.h

@@ -13,12 +13,9 @@
  */
 #ifndef MBEDTLS_HMAC_DRBG_H
 #define MBEDTLS_HMAC_DRBG_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/md.h"
 
@@ -42,7 +39,7 @@
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 
@@ -77,19 +74,19 @@ extern "C" {
 typedef struct mbedtls_hmac_drbg_context {
     /* Working state: the key K is not stored explicitly,
      * but is implied by the HMAC context */
-    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
-    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
-    int reseed_counter;                     /*!< reseed counter         */
+    mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx);                    /*!< HMAC context (inc. K)  */
+    unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
+    int MBEDTLS_PRIVATE(reseed_counter);                     /*!< reseed counter         */
 
     /* Administrative state */
-    size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
-    int prediction_resistance;  /*!< enable prediction resistance (Automatic
-                                     reseed before every random generation) */
-    int reseed_interval;        /*!< reseed interval   */
+    size_t MBEDTLS_PRIVATE(entropy_len);         /*!< entropy bytes grabbed on each (re)seed */
+    int MBEDTLS_PRIVATE(prediction_resistance);  /*!< enable prediction resistance (Automatic
+                                                    reseed before every random generation) */
+    int MBEDTLS_PRIVATE(reseed_interval);        /*!< reseed interval   */
 
     /* Callbacks */
-    int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
-    void *p_entropy;            /*!< context for the entropy function        */
+    int(*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t);  /*!< entropy function */
+    void *MBEDTLS_PRIVATE(p_entropy);            /*!< context for the entropy function        */
 
 #if defined(MBEDTLS_THREADING_C)
     /* Invariant: the mutex is initialized if and only if
@@ -100,7 +97,7 @@ typedef struct mbedtls_hmac_drbg_context {
      * Note that this invariant may change without notice. Do not rely on it
      * and do not access the mutex directly in application code.
      */
-    mbedtls_threading_mutex_t mutex;
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
 #endif
 } mbedtls_hmac_drbg_context;
 
@@ -285,8 +282,8 @@ void mbedtls_hmac_drbg_set_reseed_interval(mbedtls_hmac_drbg_context *ctx,
  * \return              \c 0 on success, or an error from the underlying
  *                      hash calculation.
  */
-int mbedtls_hmac_drbg_update_ret(mbedtls_hmac_drbg_context *ctx,
-                                 const unsigned char *additional, size_t add_len);
+int mbedtls_hmac_drbg_update(mbedtls_hmac_drbg_context *ctx,
+                             const unsigned char *additional, size_t add_len);
 
 /**
  * \brief               This function reseeds the HMAC_DRBG context, that is
@@ -388,30 +385,6 @@ int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len)
  */
 void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief               This function updates the state of the HMAC_DRBG context.
- *
- * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
- *                      in 2.16.0.
- *
- * \param ctx           The HMAC_DRBG context.
- * \param additional    The data to update the state with.
- *                      If this is \c NULL, there is no additional data.
- * \param add_len       Length of \p additional in bytes.
- *                      Unused if \p additional is \c NULL.
- */
-MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
-    mbedtls_hmac_drbg_context *ctx,
-    const unsigned char *additional, size_t add_len);
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.

+ 440 - 0
thirdparty/mbedtls/include/mbedtls/lms.h

@@ -0,0 +1,440 @@
+/**
+ * \file lms.h
+ *
+ * \brief This file provides an API for the LMS post-quantum-safe stateful-hash
+          public-key signature scheme as defined in RFC8554 and NIST.SP.200-208.
+ *        This implementation currently only supports a single parameter set
+ *        MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one
+ *        of the signature schemes recommended by the IETF draft SUIT standard
+ *        for IOT firmware upgrades (RFC9019).
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+#ifndef MBEDTLS_LMS_H
+#define MBEDTLS_LMS_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+#include "mbedtls/private_access.h"
+#include "mbedtls/build_info.h"
+
+#define MBEDTLS_ERR_LMS_BAD_INPUT_DATA   -0x0011 /**< Bad data has been input to an LMS function */
+#define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */
+#define MBEDTLS_ERR_LMS_VERIFY_FAILED    -0x0015 /**< LMS signature verification failed */
+#define MBEDTLS_ERR_LMS_ALLOC_FAILED     -0x0017 /**< LMS failed to allocate space for a private key */
+#define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */
+
+/* Currently only defined for SHA256, 32 is the max hash output size */
+#define MBEDTLS_LMOTS_N_HASH_LEN_MAX           (32u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX    (34u)
+#define MBEDTLS_LMOTS_N_HASH_LEN(type)         ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0)
+#define MBEDTLS_LMOTS_I_KEY_ID_LEN             (16u)
+#define MBEDTLS_LMOTS_Q_LEAF_ID_LEN            (4u)
+#define MBEDTLS_LMOTS_TYPE_LEN                 (4u)
+#define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type)  ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0)
+#define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type))
+
+#define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \
+                                     MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \
+                                     (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \
+                                      MBEDTLS_LMOTS_N_HASH_LEN(type)))
+
+
+#define MBEDTLS_LMS_TYPE_LEN            (4)
+#define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0)
+
+/* The length of a hash output, Currently only implemented for SHA256.
+ * Max is 32 bytes.
+ */
+#define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0)
+#define MBEDTLS_LMS_M_NODE_BYTES_MAX 32
+
+#define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \
+                                            MBEDTLS_LMOTS_SIG_LEN(otstype) + \
+                                            MBEDTLS_LMS_TYPE_LEN + \
+                                            (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \
+                                             MBEDTLS_LMS_M_NODE_BYTES(type)))
+
+#define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \
+                                          MBEDTLS_LMOTS_TYPE_LEN + \
+                                          MBEDTLS_LMOTS_I_KEY_ID_LEN + \
+                                          MBEDTLS_LMS_M_NODE_BYTES(type))
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** The Identifier of the LMS parameter set, as per
+ * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml
+ * We are only implementing a subset of the types, particularly H10, for the sake of simplicity.
+ */
+typedef enum {
+    MBEDTLS_LMS_SHA256_M32_H10 = 0x6,
+} mbedtls_lms_algorithm_type_t;
+
+/** The Identifier of the LMOTS parameter set, as per
+ *  https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml.
+ *  We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity.
+ */
+typedef enum {
+    MBEDTLS_LMOTS_SHA256_N32_W8 = 4
+} mbedtls_lmots_algorithm_type_t;
+
+/** LMOTS parameters structure.
+ *
+ * This contains the metadata associated with an LMOTS key, detailing the
+ * algorithm type, the key ID, and the leaf identifier should be key be part of
+ * a LMS key.
+ */
+typedef struct {
+    unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+                                                                                    identifier. */
+    unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which
+                                                                                      leaf of the LMS key this is.
+                                                                                      0 if the key is not part of an LMS key. */
+    mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as
+                                                               per IANA. Only SHA256_N32_W8 is
+                                                               currently supported. */
+} mbedtls_lmots_parameters_t;
+
+/** LMOTS public context structure.
+ *
+ * A LMOTS public key is a hash output, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ *   UNINITIALIZED -> INIT [label="init"];
+ *   HAVE_PUBLIC_KEY -> INIT [label="free"];
+ *   INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ *   INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ *   HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+    mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+    unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+    unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+                                                       Boolean values only. */
+} mbedtls_lmots_public_t;
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMOTS private context structure.
+ *
+ * A LMOTS private key is one hash output for each of digit of the digest +
+ * checksum, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lmots_public_t {
+ *   UNINITIALIZED -> INIT [label="init"];
+ *   HAVE_PRIVATE_KEY -> INIT [label="free"];
+ *   INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ *   HAVE_PRIVATE_KEY -> INIT [label="sign"];
+ * }
+ * \enddot
+ */
+typedef struct {
+    mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params);
+    unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][
+        MBEDTLS_LMOTS_N_HASH_LEN_MAX];
+    unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+                                                        Boolean values only. */
+} mbedtls_lmots_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+
+/** LMS parameters structure.
+ *
+ * This contains the metadata associated with an LMS key, detailing the
+ * algorithm type, the type of the underlying OTS algorithm, and the key ID.
+ */
+typedef struct {
+    unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key
+                                                                                    identifier. */
+    mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as
+                                                                per IANA. Only SHA256_N32_W8 is
+                                                                currently supported. */
+    mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per
+                                                             IANA. Only SHA256_M32_H10 is currently
+                                                             supported. */
+} mbedtls_lms_parameters_t;
+
+/** LMS public context structure.
+ *
+ * A LMS public key is the hash output that is the root of the Merkle tree, and
+ * the applicable parameter set
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ *   UNINITIALIZED -> INIT [label="init"];
+ *   HAVE_PUBLIC_KEY -> INIT [label="free"];
+ *   INIT -> HAVE_PUBLIC_KEY [label="import_public_key"];
+ *   INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"];
+ *   HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+    mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+    unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in
+                                                                                 the form of the Merkle tree root node. */
+    unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key.
+                                                       Boolean values only. */
+} mbedtls_lms_public_t;
+
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/** LMS private context structure.
+ *
+ * A LMS private key is a set of LMOTS private keys, an index to the next usable
+ * key, and the applicable parameter set.
+ *
+ * The context must be initialized before it is used. A public key must either
+ * be imported or generated from a private context.
+ *
+ * \dot
+ * digraph lms_public_t {
+ *   UNINITIALIZED -> INIT [label="init"];
+ *   HAVE_PRIVATE_KEY -> INIT [label="free"];
+ *   INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"];
+ * }
+ * \enddot
+ */
+typedef struct {
+    mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params);
+    uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not
+                                                      been used. */
+    mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key
+                                                                   for each leaf node in the Merkle tree. NULL
+                                                                   when have_private_key is 0 and non-NULL otherwise.
+                                                                   is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */
+    mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to
+                                                                   build the Merkle tree. NULL
+                                                                   when have_private_key is 0 and
+                                                                   non-NULL otherwise.
+                                                                   Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type)
+                                                                   in length. */
+    unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key.
+                                                        Boolean values only. */
+} mbedtls_lms_private_t;
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+/**
+ * \brief                    This function initializes an LMS public context
+ *
+ * \param ctx                The uninitialized LMS context that will then be
+ *                           initialized.
+ */
+void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx);
+
+/**
+ * \brief                    This function uninitializes an LMS public context
+ *
+ * \param ctx                The initialized LMS context that will then be
+ *                           uninitialized.
+ */
+void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx);
+
+/**
+ * \brief                    This function imports an LMS public key into a
+ *                           public LMS context.
+ *
+ * \note                     Before this function is called, the context must
+ *                           have been initialized.
+ *
+ * \note                     See IETF RFC8554 for details of the encoding of
+ *                           this public key.
+ *
+ * \param ctx                The initialized LMS context store the key in.
+ * \param key                The buffer from which the key will be read.
+ *                           #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from
+ *                           this.
+ * \param key_size           The size of the key being imported.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx,
+                                  const unsigned char *key, size_t key_size);
+
+/**
+ * \brief                    This function exports an LMS public key from a
+ *                           LMS public context that already contains a public
+ *                           key.
+ *
+ * \note                     Before this function is called, the context must
+ *                           have been initialized and the context must contain
+ *                           a public key.
+ *
+ * \note                     See IETF RFC8554 for details of the encoding of
+ *                           this public key.
+ *
+ * \param ctx                The initialized LMS public context that contains
+ *                           the public key.
+ * \param key                The buffer into which the key will be output. Must
+ *                           be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size.
+ * \param key_size           The size of the key buffer.
+ * \param key_len            If not NULL, will be written with the size of the
+ *                           key.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx,
+                                  unsigned char *key, size_t key_size,
+                                  size_t *key_len);
+
+/**
+ * \brief                    This function verifies a LMS signature, using a
+ *                           LMS context that contains a public key.
+ *
+ * \note                     Before this function is called, the context must
+ *                           have been initialized and must contain a public key
+ *                           (either by import or generation).
+ *
+ * \param ctx                The initialized LMS public context from which the
+ *                           public key will be read.
+ * \param msg                The buffer from which the message will be read.
+ * \param msg_size           The size of the message that will be read.
+ * \param sig                The buf from which the signature will be read.
+ *                           #MBEDTLS_LMS_SIG_LEN bytes will be read from
+ *                           this.
+ * \param sig_size           The size of the signature to be verified.
+ *
+ * \return         \c 0 on successful verification.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx,
+                       const unsigned char *msg, size_t msg_size,
+                       const unsigned char *sig, size_t sig_size);
+
+#if defined(MBEDTLS_LMS_PRIVATE)
+/**
+ * \brief                    This function initializes an LMS private context
+ *
+ * \param ctx                The uninitialized LMS private context that will
+ *                           then be initialized. */
+void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx);
+
+/**
+ * \brief                    This function uninitializes an LMS private context
+ *
+ * \param ctx                The initialized LMS private context that will then
+ *                           be uninitialized.
+ */
+void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx);
+
+/**
+ * \brief                    This function generates an LMS private key, and
+ *                           stores in into an LMS private context.
+ *
+ * \warning                  This function is **not intended for use in
+ *                           production**, due to as-yet unsolved problems with
+ *                           handling stateful keys. The API for this function
+ *                           may change considerably in future versions.
+ *
+ * \note                     The seed must have at least 256 bits of entropy.
+ *
+ * \param ctx                The initialized LMOTS context to generate the key
+ *                           into.
+ * \param type               The LMS parameter set identifier.
+ * \param otstype            The LMOTS parameter set identifier.
+ * \param f_rng              The RNG function to be used to generate the key ID.
+ * \param p_rng              The RNG context to be passed to f_rng
+ * \param seed               The seed used to deterministically generate the
+ *                           key.
+ * \param seed_size          The length of the seed.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx,
+                                     mbedtls_lms_algorithm_type_t type,
+                                     mbedtls_lmots_algorithm_type_t otstype,
+                                     mbedtls_f_rng_t *f_rng,
+                                     void *p_rng, const unsigned char *seed,
+                                     size_t seed_size);
+
+/**
+ * \brief                    This function calculates an LMS public key from a
+ *                           LMS context that already contains a private key.
+ *
+ * \note                     Before this function is called, the context must
+ *                           have been initialized and the context must contain
+ *                           a private key.
+ *
+ * \param ctx                The initialized LMS public context to calculate the key
+ *                           from and store it into.
+ *
+ * \param priv_ctx           The LMS private context to read the private key
+ *                           from. This must have been initialized and contain a
+ *                           private key.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx,
+                                     const mbedtls_lms_private_t *priv_ctx);
+
+/**
+ * \brief                    This function creates a LMS signature, using a
+ *                           LMS context that contains unused private keys.
+ *
+ * \warning                  This function is **not intended for use in
+ *                           production**, due to as-yet unsolved problems with
+ *                           handling stateful keys. The API for this function
+ *                           may change considerably in future versions.
+ *
+ * \note                     Before this function is called, the context must
+ *                           have been initialized and must contain a private
+ *                           key.
+ *
+ * \note                     Each of the LMOTS private keys inside a LMS private
+ *                           key can only be used once. If they are reused, then
+ *                           attackers may be able to forge signatures with that
+ *                           key. This is all handled transparently, but it is
+ *                           important to not perform copy operations on LMS
+ *                           contexts that contain private key material.
+ *
+ * \param ctx                The initialized LMS private context from which the
+ *                           private key will be read.
+ * \param f_rng              The RNG function to be used for signature
+ *                           generation.
+ * \param p_rng              The RNG context to be passed to f_rng
+ * \param msg                The buffer from which the message will be read.
+ * \param msg_size           The size of the message that will be read.
+ * \param sig                The buf into which the signature will be stored.
+ *                           Must be at least #MBEDTLS_LMS_SIG_LEN in size.
+ * \param sig_size           The size of the buffer the signature will be
+ *                           written into.
+ * \param sig_len            If not NULL, will be written with the size of the
+ *                           signature.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_lms_sign(mbedtls_lms_private_t *ctx,
+                     mbedtls_f_rng_t *f_rng,
+                     void *p_rng, const unsigned char *msg,
+                     unsigned int msg_size, unsigned char *sig, size_t sig_size,
+                     size_t *sig_len);
+#endif /* defined(MBEDTLS_LMS_PRIVATE) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_LMS_H */

+ 233 - 355
thirdparty/mbedtls/include/mbedtls/mbedtls_config.h


+ 138 - 93
thirdparty/mbedtls/include/mbedtls/md.h

@@ -1,7 +1,8 @@
 /**
  * \file md.h
  *
- * \brief This file contains the generic message-digest wrapper.
+ * \brief   This file contains the generic functions for message-digest
+ *          (hashing) and HMAC.
  *
  * \author Adriaan de Jong <[email protected]>
  */
@@ -12,14 +13,11 @@
 
 #ifndef MBEDTLS_MD_H
 #define MBEDTLS_MD_H
+#include "mbedtls/private_access.h"
 
 #include <stddef.h>
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 #include "mbedtls/platform_util.h"
 
 /** The selected feature is not available. */
@@ -31,10 +29,6 @@
 /** Opening or reading of file failed. */
 #define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200
 
-/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** MD hardware accelerator failed. */
-#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -42,79 +36,107 @@ extern "C" {
 /**
  * \brief     Supported message digests.
  *
- * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
+ * \warning   MD5 and SHA-1 are considered weak message digests and
  *            their use constitutes a security risk. We recommend considering
  *            stronger message digests instead.
  *
  */
+/* Note: these are aligned with the definitions of PSA_ALG_ macros for hashes,
+ * in order to enable an efficient implementation of conversion functions.
+ * This is tested by md_to_from_psa() in test_suite_md. */
 typedef enum {
     MBEDTLS_MD_NONE=0,    /**< None. */
-    MBEDTLS_MD_MD2,       /**< The MD2 message digest. */
-    MBEDTLS_MD_MD4,       /**< The MD4 message digest. */
-    MBEDTLS_MD_MD5,       /**< The MD5 message digest. */
-    MBEDTLS_MD_SHA1,      /**< The SHA-1 message digest. */
-    MBEDTLS_MD_SHA224,    /**< The SHA-224 message digest. */
-    MBEDTLS_MD_SHA256,    /**< The SHA-256 message digest. */
-    MBEDTLS_MD_SHA384,    /**< The SHA-384 message digest. */
-    MBEDTLS_MD_SHA512,    /**< The SHA-512 message digest. */
-    MBEDTLS_MD_RIPEMD160, /**< The RIPEMD-160 message digest. */
+    MBEDTLS_MD_MD5=0x03,       /**< The MD5 message digest. */
+    MBEDTLS_MD_RIPEMD160=0x04, /**< The RIPEMD-160 message digest. */
+    MBEDTLS_MD_SHA1=0x05,      /**< The SHA-1 message digest. */
+    MBEDTLS_MD_SHA224=0x08,    /**< The SHA-224 message digest. */
+    MBEDTLS_MD_SHA256=0x09,    /**< The SHA-256 message digest. */
+    MBEDTLS_MD_SHA384=0x0a,    /**< The SHA-384 message digest. */
+    MBEDTLS_MD_SHA512=0x0b,    /**< The SHA-512 message digest. */
+    MBEDTLS_MD_SHA3_224=0x10,  /**< The SHA3-224 message digest. */
+    MBEDTLS_MD_SHA3_256=0x11,  /**< The SHA3-256 message digest. */
+    MBEDTLS_MD_SHA3_384=0x12,  /**< The SHA3-384 message digest. */
+    MBEDTLS_MD_SHA3_512=0x13,  /**< The SHA3-512 message digest. */
 } mbedtls_md_type_t;
 
-#if defined(MBEDTLS_SHA512_C)
+/* Note: this should always be >= PSA_HASH_MAX_SIZE
+ * in all builds with both CRYPTO_C and MD_LIGHT.
+ *
+ * This is to make things easier for modules such as TLS that may define a
+ * buffer size using MD_MAX_SIZE in a part of the code that's common to PSA
+ * and legacy, then assume the buffer's size is PSA_HASH_MAX_SIZE in another
+ * part of the code based on PSA.
+ */
+#if defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA3_512)
 #define MBEDTLS_MD_MAX_SIZE         64  /* longest known is SHA512 */
+#elif defined(MBEDTLS_MD_CAN_SHA384) || defined(MBEDTLS_MD_CAN_SHA3_384)
+#define MBEDTLS_MD_MAX_SIZE         48  /* longest known is SHA384 */
+#elif defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA3_256)
+#define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 */
+#elif defined(MBEDTLS_MD_CAN_SHA224) || defined(MBEDTLS_MD_CAN_SHA3_224)
+#define MBEDTLS_MD_MAX_SIZE         28  /* longest known is SHA224 */
 #else
-#define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 or less */
+#define MBEDTLS_MD_MAX_SIZE         20  /* longest known is SHA1 or RIPE MD-160
+                                           or smaller (MD5 and earlier) */
 #endif
 
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_MD_CAN_SHA3_224)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         144 /* the longest known is SHA3-224 */
+#elif defined(MBEDTLS_MD_CAN_SHA3_256)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         136
+#elif defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_MD_CAN_SHA384)
 #define MBEDTLS_MD_MAX_BLOCK_SIZE         128
+#elif defined(MBEDTLS_MD_CAN_SHA3_384)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         104
+#elif defined(MBEDTLS_MD_CAN_SHA3_512)
+#define MBEDTLS_MD_MAX_BLOCK_SIZE         72
 #else
 #define MBEDTLS_MD_MAX_BLOCK_SIZE         64
 #endif
 
 /**
- * Opaque struct defined in md_internal.h.
+ * Opaque struct.
+ *
+ * Constructed using either #mbedtls_md_info_from_string or
+ * #mbedtls_md_info_from_type.
+ *
+ * Fields can be accessed with #mbedtls_md_get_size,
+ * #mbedtls_md_get_type and #mbedtls_md_get_name.
  */
+/* Defined internally in library/md_wrap.h. */
 typedef struct mbedtls_md_info_t mbedtls_md_info_t;
 
+/**
+ * Used internally to indicate whether a context uses legacy or PSA.
+ *
+ * Internal use only.
+ */
+typedef enum {
+    MBEDTLS_MD_ENGINE_LEGACY = 0,
+    MBEDTLS_MD_ENGINE_PSA,
+} mbedtls_md_engine_t;
+
 /**
  * The generic message-digest context.
  */
 typedef struct mbedtls_md_context_t {
     /** Information about the associated message digest. */
-    const mbedtls_md_info_t *md_info;
+    const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info);
+
+#if defined(MBEDTLS_MD_SOME_PSA)
+    /** Are hash operations dispatched to PSA or legacy? */
+    mbedtls_md_engine_t MBEDTLS_PRIVATE(engine);
+#endif
 
-    /** The digest-specific context. */
-    void *md_ctx;
+    /** The digest-specific context (legacy) or the PSA operation. */
+    void *MBEDTLS_PRIVATE(md_ctx);
 
+#if defined(MBEDTLS_MD_C)
     /** The HMAC part of the context. */
-    void *hmac_ctx;
+    void *MBEDTLS_PRIVATE(hmac_ctx);
+#endif
 } mbedtls_md_context_t;
 
-/**
- * \brief           This function returns the list of digests supported by the
- *                  generic digest module.
- *
- * \note            The list starts with the strongest available hashes.
- *
- * \return          A statically allocated array of digests. Each element
- *                  in the returned list is an integer belonging to the
- *                  message-digest enumeration #mbedtls_md_type_t.
- *                  The last entry is 0.
- */
-const int *mbedtls_md_list(void);
-
-/**
- * \brief           This function returns the message-digest information
- *                  associated with the given digest name.
- *
- * \param md_name   The name of the digest to search for.
- *
- * \return          The message-digest information associated with \p md_name.
- * \return          NULL if the associated message-digest information is not found.
- */
-const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name);
-
 /**
  * \brief           This function returns the message-digest information
  *                  associated with the given digest type.
@@ -151,34 +173,6 @@ void mbedtls_md_init(mbedtls_md_context_t *ctx);
  */
 void mbedtls_md_free(mbedtls_md_context_t *ctx);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           This function selects the message digest algorithm to use,
- *                  and allocates internal structures.
- *
- *                  It should be called after mbedtls_md_init() or mbedtls_md_free().
- *                  Makes it necessary to call mbedtls_md_free() later.
- *
- * \deprecated      Superseded by mbedtls_md_setup() in 2.0.0
- *
- * \param ctx       The context to set up.
- * \param md_info   The information structure of the message-digest algorithm
- *                  to use.
- *
- * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
- *                  failure.
- * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
- */
-int mbedtls_md_init_ctx(mbedtls_md_context_t *ctx,
-                        const mbedtls_md_info_t *md_info) MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 /**
  * \brief           This function selects the message digest algorithm to use,
@@ -220,6 +214,10 @@ int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info
  *
  * \return          \c 0 on success.
  * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
+ * \return          #MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE if both contexts are
+ *                  not using the same engine. This can be avoided by moving
+ *                  the call to psa_crypto_init() before the first call to
+ *                  mbedtls_md_setup().
  */
 MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_md_clone(mbedtls_md_context_t *dst,
@@ -237,26 +235,29 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
 unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info);
 
 /**
- * \brief           This function extracts the message-digest type from the
- *                  message-digest information structure.
+ * \brief           This function gives the message-digest size associated to
+ *                  message-digest type.
  *
- * \param md_info   The information structure of the message-digest algorithm
- *                  to use.
+ * \param md_type   The message-digest type.
  *
- * \return          The type of the message digest.
+ * \return          The size of the message-digest output in Bytes,
+ *                  or 0 if the message-digest type is not known.
  */
-mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info);
+static inline unsigned char mbedtls_md_get_size_from_type(mbedtls_md_type_t md_type)
+{
+    return mbedtls_md_get_size(mbedtls_md_info_from_type(md_type));
+}
 
 /**
- * \brief           This function extracts the message-digest name from the
+ * \brief           This function extracts the message-digest type from the
  *                  message-digest information structure.
  *
  * \param md_info   The information structure of the message-digest algorithm
  *                  to use.
  *
- * \return          The name of the message digest.
+ * \return          The type of the message digest.
  */
-const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info);
+mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info);
 
 /**
  * \brief           This function starts a message-digest computation.
@@ -336,6 +337,54 @@ MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
                unsigned char *output);
 
+/**
+ * \brief           This function returns the list of digests supported by the
+ *                  generic digest module.
+ *
+ * \note            The list starts with the strongest available hashes.
+ *
+ * \return          A statically allocated array of digests. Each element
+ *                  in the returned list is an integer belonging to the
+ *                  message-digest enumeration #mbedtls_md_type_t.
+ *                  The last entry is 0.
+ */
+const int *mbedtls_md_list(void);
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest name.
+ *
+ * \param md_name   The name of the digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_name.
+ * \return          NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name);
+
+/**
+ * \brief           This function returns the name of the message digest for
+ *                  the message-digest information structure given.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The name of the message digest.
+ */
+const char *mbedtls_md_get_name(const mbedtls_md_info_t *md_info);
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  from the given context.
+ *
+ * \param ctx       The context from which to extract the information.
+ *                  This must be initialized (or \c NULL).
+ *
+ * \return          The message-digest information associated with \p ctx.
+ * \return          \c NULL if \p ctx is \c NULL.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_ctx(
+    const mbedtls_md_context_t *ctx);
+
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief          This function calculates the message-digest checksum
@@ -470,10 +519,6 @@ int mbedtls_md_hmac(const mbedtls_md_info_t *md_info, const unsigned char *key,
                     const unsigned char *input, size_t ilen,
                     unsigned char *output);
 
-/* Internal use */
-MBEDTLS_CHECK_RETURN_TYPICAL
-int mbedtls_md_process(mbedtls_md_context_t *ctx, const unsigned char *data);
-
 #ifdef __cplusplus
 }
 #endif

+ 0 - 292
thirdparty/mbedtls/include/mbedtls/md2.h

@@ -1,292 +0,0 @@
-/**
- * \file md2.h
- *
- * \brief MD2 message digest algorithm (hash function)
- *
- * \warning MD2 is considered a weak message digest and its use constitutes a
- *          security risk. We recommend considering stronger message digests
- *          instead.
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- */
-#ifndef MBEDTLS_MD2_H
-#define MBEDTLS_MD2_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-
-/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** MD2 hardware accelerator failed */
-#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_MD2_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          MD2 context structure
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-typedef struct mbedtls_md2_context {
-    unsigned char cksum[16];    /*!< checksum of the data block */
-    unsigned char state[48];    /*!< intermediate digest state  */
-    unsigned char buffer[16];   /*!< data block being processed */
-    size_t left;                /*!< amount of data in buffer   */
-}
-mbedtls_md2_context;
-
-#else  /* MBEDTLS_MD2_ALT */
-#include "md2_alt.h"
-#endif /* MBEDTLS_MD2_ALT */
-
-/**
- * \brief          Initialize MD2 context
- *
- * \param ctx      MD2 context to be initialized
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md2_init(mbedtls_md2_context *ctx);
-
-/**
- * \brief          Clear MD2 context
- *
- * \param ctx      MD2 context to be cleared
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md2_free(mbedtls_md2_context *ctx);
-
-/**
- * \brief          Clone (the state of) an MD2 context
- *
- * \param dst      The destination context
- * \param src      The context to be cloned
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md2_clone(mbedtls_md2_context *dst,
-                       const mbedtls_md2_context *src);
-
-/**
- * \brief          MD2 context setup
- *
- * \param ctx      context to be initialized
- *
- * \return         0 if successful
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md2_starts_ret(mbedtls_md2_context *ctx);
-
-/**
- * \brief          MD2 process buffer
- *
- * \param ctx      MD2 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- *
- * \return         0 if successful
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md2_update_ret(mbedtls_md2_context *ctx,
-                           const unsigned char *input,
-                           size_t ilen);
-
-/**
- * \brief          MD2 final digest
- *
- * \param ctx      MD2 context
- * \param output   MD2 checksum result
- *
- * \return         0 if successful
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md2_finish_ret(mbedtls_md2_context *ctx,
-                           unsigned char output[16]);
-
-/**
- * \brief          MD2 process data block (internal use only)
- *
- * \param ctx      MD2 context
- *
- * \return         0 if successful
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_internal_md2_process(mbedtls_md2_context *ctx);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          MD2 context setup
- *
- * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
- *
- * \param ctx      context to be initialized
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md2_starts(mbedtls_md2_context *ctx);
-
-/**
- * \brief          MD2 process buffer
- *
- * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
- *
- * \param ctx      MD2 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md2_update(mbedtls_md2_context *ctx,
-                                           const unsigned char *input,
-                                           size_t ilen);
-
-/**
- * \brief          MD2 final digest
- *
- * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
- *
- * \param ctx      MD2 context
- * \param output   MD2 checksum result
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md2_finish(mbedtls_md2_context *ctx,
-                                           unsigned char output[16]);
-
-/**
- * \brief          MD2 process data block (internal use only)
- *
- * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
- *
- * \param ctx      MD2 context
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md2_process(mbedtls_md2_context *ctx);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-/**
- * \brief          Output = MD2( input buffer )
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   MD2 checksum result
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md2_ret(const unsigned char *input,
-                    size_t ilen,
-                    unsigned char output[16]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Output = MD2( input buffer )
- *
- * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   MD2 checksum result
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md2(const unsigned char *input,
-                                    size_t ilen,
-                                    unsigned char output[16]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- *
- * \warning        MD2 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md2_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_md2.h */

+ 0 - 297
thirdparty/mbedtls/include/mbedtls/md4.h

@@ -1,297 +0,0 @@
-/**
- * \file md4.h
- *
- * \brief MD4 message digest algorithm (hash function)
- *
- * \warning MD4 is considered a weak message digest and its use constitutes a
- *          security risk. We recommend considering stronger message digests
- *          instead.
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- *
- */
-#ifndef MBEDTLS_MD4_H
-#define MBEDTLS_MD4_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-#include <stdint.h>
-
-/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** MD4 hardware accelerator failed */
-#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_MD4_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          MD4 context structure
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-typedef struct mbedtls_md4_context {
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[4];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-}
-mbedtls_md4_context;
-
-#else  /* MBEDTLS_MD4_ALT */
-#include "md4_alt.h"
-#endif /* MBEDTLS_MD4_ALT */
-
-/**
- * \brief          Initialize MD4 context
- *
- * \param ctx      MD4 context to be initialized
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md4_init(mbedtls_md4_context *ctx);
-
-/**
- * \brief          Clear MD4 context
- *
- * \param ctx      MD4 context to be cleared
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md4_free(mbedtls_md4_context *ctx);
-
-/**
- * \brief          Clone (the state of) an MD4 context
- *
- * \param dst      The destination context
- * \param src      The context to be cloned
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-void mbedtls_md4_clone(mbedtls_md4_context *dst,
-                       const mbedtls_md4_context *src);
-
-/**
- * \brief          MD4 context setup
- *
- * \param ctx      context to be initialized
- *
- * \return         0 if successful
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- */
-int mbedtls_md4_starts_ret(mbedtls_md4_context *ctx);
-
-/**
- * \brief          MD4 process buffer
- *
- * \param ctx      MD4 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- *
- * \return         0 if successful
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md4_update_ret(mbedtls_md4_context *ctx,
-                           const unsigned char *input,
-                           size_t ilen);
-
-/**
- * \brief          MD4 final digest
- *
- * \param ctx      MD4 context
- * \param output   MD4 checksum result
- *
- * \return         0 if successful
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md4_finish_ret(mbedtls_md4_context *ctx,
-                           unsigned char output[16]);
-
-/**
- * \brief          MD4 process data block (internal use only)
- *
- * \param ctx      MD4 context
- * \param data     buffer holding one block of data
- *
- * \return         0 if successful
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_internal_md4_process(mbedtls_md4_context *ctx,
-                                 const unsigned char data[64]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          MD4 context setup
- *
- * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
- *
- * \param ctx      context to be initialized
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md4_starts(mbedtls_md4_context *ctx);
-
-/**
- * \brief          MD4 process buffer
- *
- * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
- *
- * \param ctx      MD4 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md4_update(mbedtls_md4_context *ctx,
-                                           const unsigned char *input,
-                                           size_t ilen);
-
-/**
- * \brief          MD4 final digest
- *
- * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
- *
- * \param ctx      MD4 context
- * \param output   MD4 checksum result
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md4_finish(mbedtls_md4_context *ctx,
-                                           unsigned char output[16]);
-
-/**
- * \brief          MD4 process data block (internal use only)
- *
- * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
- *
- * \param ctx      MD4 context
- * \param data     buffer holding one block of data
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md4_process(mbedtls_md4_context *ctx,
-                                            const unsigned char data[64]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-/**
- * \brief          Output = MD4( input buffer )
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   MD4 checksum result
- *
- * \return         0 if successful
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md4_ret(const unsigned char *input,
-                    size_t ilen,
-                    unsigned char output[16]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Output = MD4( input buffer )
- *
- * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   MD4 checksum result
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md4(const unsigned char *input,
-                                    size_t ilen,
-                                    unsigned char output[16]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- *
- * \warning        MD4 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-int mbedtls_md4_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* mbedtls_md4.h */

+ 14 - 121
thirdparty/mbedtls/include/mbedtls/md5.h

@@ -13,20 +13,13 @@
  */
 #ifndef MBEDTLS_MD5_H
 #define MBEDTLS_MD5_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
-/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** MD5 hardware accelerator failed */
-#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -44,9 +37,9 @@ extern "C" {
  *
  */
 typedef struct mbedtls_md5_context {
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[4];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
+    uint32_t MBEDTLS_PRIVATE(total)[2];          /*!< number of bytes processed  */
+    uint32_t MBEDTLS_PRIVATE(state)[4];          /*!< intermediate digest state  */
+    unsigned char MBEDTLS_PRIVATE(buffer)[64];   /*!< data block being processed */
 }
 mbedtls_md5_context;
 
@@ -104,7 +97,7 @@ void mbedtls_md5_clone(mbedtls_md5_context *dst,
  *                 stronger message digests instead.
  *
  */
-int mbedtls_md5_starts_ret(mbedtls_md5_context *ctx);
+int mbedtls_md5_starts(mbedtls_md5_context *ctx);
 
 /**
  * \brief          MD5 process buffer
@@ -120,9 +113,9 @@ int mbedtls_md5_starts_ret(mbedtls_md5_context *ctx);
  *                 stronger message digests instead.
  *
  */
-int mbedtls_md5_update_ret(mbedtls_md5_context *ctx,
-                           const unsigned char *input,
-                           size_t ilen);
+int mbedtls_md5_update(mbedtls_md5_context *ctx,
+                       const unsigned char *input,
+                       size_t ilen);
 
 /**
  * \brief          MD5 final digest
@@ -137,8 +130,8 @@ int mbedtls_md5_update_ret(mbedtls_md5_context *ctx,
  *                 stronger message digests instead.
  *
  */
-int mbedtls_md5_finish_ret(mbedtls_md5_context *ctx,
-                           unsigned char output[16]);
+int mbedtls_md5_finish(mbedtls_md5_context *ctx,
+                       unsigned char output[16]);
 
 /**
  * \brief          MD5 process data block (internal use only)
@@ -156,79 +149,6 @@ int mbedtls_md5_finish_ret(mbedtls_md5_context *ctx,
 int mbedtls_internal_md5_process(mbedtls_md5_context *ctx,
                                  const unsigned char data[64]);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          MD5 context setup
- *
- * \deprecated     Superseded by mbedtls_md5_starts_ret() in 2.7.0
- *
- * \param ctx      context to be initialized
- *
- * \warning        MD5 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md5_starts(mbedtls_md5_context *ctx);
-
-/**
- * \brief          MD5 process buffer
- *
- * \deprecated     Superseded by mbedtls_md5_update_ret() in 2.7.0
- *
- * \param ctx      MD5 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- *
- * \warning        MD5 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md5_update(mbedtls_md5_context *ctx,
-                                           const unsigned char *input,
-                                           size_t ilen);
-
-/**
- * \brief          MD5 final digest
- *
- * \deprecated     Superseded by mbedtls_md5_finish_ret() in 2.7.0
- *
- * \param ctx      MD5 context
- * \param output   MD5 checksum result
- *
- * \warning        MD5 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md5_finish(mbedtls_md5_context *ctx,
-                                           unsigned char output[16]);
-
-/**
- * \brief          MD5 process data block (internal use only)
- *
- * \deprecated     Superseded by mbedtls_internal_md5_process() in 2.7.0
- *
- * \param ctx      MD5 context
- * \param data     buffer holding one block of data
- *
- * \warning        MD5 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md5_process(mbedtls_md5_context *ctx,
-                                            const unsigned char data[64]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          Output = MD5( input buffer )
  *
@@ -243,36 +163,9 @@ MBEDTLS_DEPRECATED void mbedtls_md5_process(mbedtls_md5_context *ctx,
  *                 stronger message digests instead.
  *
  */
-int mbedtls_md5_ret(const unsigned char *input,
-                    size_t ilen,
-                    unsigned char output[16]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Output = MD5( input buffer )
- *
- * \deprecated     Superseded by mbedtls_md5_ret() in 2.7.0
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   MD5 checksum result
- *
- * \warning        MD5 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_md5(const unsigned char *input,
-                                    size_t ilen,
-                                    unsigned char output[16]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+int mbedtls_md5(const unsigned char *input,
+                size_t ilen,
+                unsigned char output[16]);
 
 #if defined(MBEDTLS_SELF_TEST)
 

+ 0 - 77
thirdparty/mbedtls/include/mbedtls/md_internal.h

@@ -1,77 +0,0 @@
-/**
- * \file md_internal.h
- *
- * \brief Message digest wrappers.
- *
- * \warning This in an internal header. Do not include directly.
- *
- * \author Adriaan de Jong <[email protected]>
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_MD_WRAP_H
-#define MBEDTLS_MD_WRAP_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include "mbedtls/md.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * Message digest information.
- * Allows message digest functions to be called in a generic way.
- */
-struct mbedtls_md_info_t {
-    /** Name of the message digest */
-    const char *name;
-
-    /** Digest identifier */
-    mbedtls_md_type_t type;
-
-    /** Output length of the digest function in bytes */
-    unsigned char size;
-
-    /** Block length of the digest function in bytes */
-    unsigned char block_size;
-};
-
-#if defined(MBEDTLS_MD2_C)
-extern const mbedtls_md_info_t mbedtls_md2_info;
-#endif
-#if defined(MBEDTLS_MD4_C)
-extern const mbedtls_md_info_t mbedtls_md4_info;
-#endif
-#if defined(MBEDTLS_MD5_C)
-extern const mbedtls_md_info_t mbedtls_md5_info;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C)
-extern const mbedtls_md_info_t mbedtls_ripemd160_info;
-#endif
-#if defined(MBEDTLS_SHA1_C)
-extern const mbedtls_md_info_t mbedtls_sha1_info;
-#endif
-#if defined(MBEDTLS_SHA256_C)
-extern const mbedtls_md_info_t mbedtls_sha224_info;
-extern const mbedtls_md_info_t mbedtls_sha256_info;
-#endif
-#if defined(MBEDTLS_SHA512_C)
-#if !defined(MBEDTLS_SHA512_NO_SHA384)
-extern const mbedtls_md_info_t mbedtls_sha384_info;
-#endif
-extern const mbedtls_md_info_t mbedtls_sha512_info;
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_MD_WRAP_H */

+ 10 - 6
thirdparty/mbedtls/include/mbedtls/memory_buffer_alloc.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
 #define MBEDTLS_MEMORY_BUFFER_ALLOC_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 
@@ -22,7 +18,7 @@
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 
@@ -83,6 +79,14 @@ void mbedtls_memory_buffer_set_verify(int verify);
  */
 void mbedtls_memory_buffer_alloc_status(void);
 
+/**
+ * \brief   Get the number of alloc/free so far.
+ *
+ * \param alloc_count   Number of allocations.
+ * \param free_count    Number of frees.
+ */
+void mbedtls_memory_buffer_alloc_count_get(size_t *alloc_count, size_t *free_count);
+
 /**
  * \brief   Get the peak heap usage so far
  *

+ 0 - 23
thirdparty/mbedtls/include/mbedtls/net.h

@@ -1,23 +0,0 @@
-/**
- * \file net.h
- *
- * \brief Deprecated header file that includes net_sockets.h
- *
- * \deprecated Superseded by mbedtls/net_sockets.h
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "mbedtls/net_sockets.h"
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */

+ 9 - 6
thirdparty/mbedtls/include/mbedtls/net_sockets.h

@@ -25,12 +25,9 @@
  */
 #ifndef MBEDTLS_NET_SOCKETS_H
 #define MBEDTLS_NET_SOCKETS_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ssl.h"
 
@@ -84,7 +81,13 @@ extern "C" {
  * structures for hand-made UDP demultiplexing).
  */
 typedef struct mbedtls_net_context {
-    int fd;             /**< The underlying file descriptor                 */
+    /** The underlying file descriptor.
+     *
+     * This field is only guaranteed to be present on POSIX/Unix-like platforms.
+     * On other platforms, it may have a different type, have a different
+     * meaning, or be absent altogether.
+     */
+    int fd;
 }
 mbedtls_net_context;
 

+ 3 - 6
thirdparty/mbedtls/include/mbedtls/nist_kw.h

@@ -22,12 +22,9 @@
 
 #ifndef MBEDTLS_NIST_KW_H
 #define MBEDTLS_NIST_KW_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/cipher.h"
 
@@ -52,7 +49,7 @@ typedef enum {
  *           Don't make any assumptions on this context!
  */
 typedef struct {
-    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+    mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx);    /*!< The cipher context used. */
 } mbedtls_nist_kw_context;
 
 #else  /* MBEDTLS_NIST_key wrapping_ALT */

+ 116 - 31
thirdparty/mbedtls/include/mbedtls/oid.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_OID_H
 #define MBEDTLS_OID_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/pk.h"
@@ -25,9 +22,7 @@
 #include "mbedtls/cipher.h"
 #endif
 
-#if defined(MBEDTLS_MD_C)
 #include "mbedtls/md.h"
-#endif
 
 /** OID is not found. */
 #define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E
@@ -56,6 +51,11 @@
 #define MBEDTLS_OID_X509_EXT_FRESHEST_CRL                (1 << 14)
 #define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE                (1 << 16)
 
+/*
+ * Maximum number of OID components allowed
+ */
+#define MBEDTLS_OID_MAX_COMPONENTS              128
+
 /*
  * Top level OID tuples
  */
@@ -83,6 +83,9 @@
 #define MBEDTLS_OID_OIW_SECSIG                  MBEDTLS_OID_ORG_OIW "\x03"
 #define MBEDTLS_OID_OIW_SECSIG_ALG              MBEDTLS_OID_OIW_SECSIG "\x02"
 #define MBEDTLS_OID_OIW_SECSIG_SHA1             MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
+#define MBEDTLS_OID_ORG_THAWTE                  "\x65"          /* thawte(101) */
+#define MBEDTLS_OID_THAWTE                      MBEDTLS_OID_ISO_IDENTIFIED_ORG \
+        MBEDTLS_OID_ORG_THAWTE
 #define MBEDTLS_OID_ORG_CERTICOM                "\x81\x04"  /* certicom(132) */
 #define MBEDTLS_OID_CERTICOM                    MBEDTLS_OID_ISO_IDENTIFIED_ORG \
         MBEDTLS_OID_ORG_CERTICOM
@@ -139,6 +142,7 @@
 #define MBEDTLS_OID_AT_DN_QUALIFIER             MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
 #define MBEDTLS_OID_AT_PSEUDONYM                MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
 
+#define MBEDTLS_OID_UID                         "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x01" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) uid(1)} */
 #define MBEDTLS_OID_DOMAIN_COMPONENT            "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
 
 /*
@@ -216,6 +220,7 @@
 #define MBEDTLS_OID_PKCS                MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
 #define MBEDTLS_OID_PKCS1               MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
 #define MBEDTLS_OID_PKCS5               MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS7               MBEDTLS_OID_PKCS "\x07" /**< pkcs-7 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 7 } */
 #define MBEDTLS_OID_PKCS9               MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
 #define MBEDTLS_OID_PKCS12              MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
 
@@ -223,8 +228,6 @@
  * PKCS#1 OIDs
  */
 #define MBEDTLS_OID_PKCS1_RSA           MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
-#define MBEDTLS_OID_PKCS1_MD2           MBEDTLS_OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
-#define MBEDTLS_OID_PKCS1_MD4           MBEDTLS_OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
 #define MBEDTLS_OID_PKCS1_MD5           MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
 #define MBEDTLS_OID_PKCS1_SHA1          MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
 #define MBEDTLS_OID_PKCS1_SHA224        MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
@@ -243,8 +246,6 @@
 /*
  * Digest algorithms
  */
-#define MBEDTLS_OID_DIGEST_ALG_MD2              MBEDTLS_OID_RSA_COMPANY "\x02\x02" /**< id-mbedtls_md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
-#define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
 #define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
 #define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG \
         MBEDTLS_OID_OIW_SECSIG_SHA1                                                                        /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
@@ -257,6 +258,15 @@
 
 #define MBEDTLS_OID_DIGEST_ALG_RIPEMD160        MBEDTLS_OID_TELETRUST "\x03\x02\x01" /**< id-ripemd160 OBJECT IDENTIFIER :: { iso(1) identified-organization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } */
 
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_224         MBEDTLS_OID_NIST_ALG "\x02\x07" /**< id-sha3-224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-224(7) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_256         MBEDTLS_OID_NIST_ALG "\x02\x08" /**< id-sha3-256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-256(8) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_384         MBEDTLS_OID_NIST_ALG "\x02\x09" /**< id-sha3-384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-384(9) } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA3_512         MBEDTLS_OID_NIST_ALG "\x02\x0a" /**< id-sha3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) sha3-512(10) } */
+
+
 #define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
 
 #define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
@@ -267,13 +277,28 @@
 
 #define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
 
+#define MBEDTLS_OID_HMAC_SHA3_224               MBEDTLS_OID_NIST_ALG "\x02\x0d" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-224(13) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_256               MBEDTLS_OID_NIST_ALG "\x02\x0e" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-256(14) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_384               MBEDTLS_OID_NIST_ALG "\x02\x0f" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-384(15) } */
+
+#define MBEDTLS_OID_HMAC_SHA3_512               MBEDTLS_OID_NIST_ALG "\x02\x10" /**< id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) hashalgs(2) hmacWithSHA3-512(16) } */
+
+#define MBEDTLS_OID_HMAC_RIPEMD160              MBEDTLS_OID_INTERNET "\x05\x05\x08\x01\x04" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= {iso(1) iso-identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) ipsec(8) isakmpOakley(1) hmacRIPEMD160(4)} */
+
 /*
- * Encryption algorithms
+ * Encryption algorithms,
+ * the following standardized object identifiers are specified at
+ * https://datatracker.ietf.org/doc/html/rfc8018#appendix-C.
  */
 #define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG \
         MBEDTLS_OID_OIW_SECSIG_ALG "\x07"                                                                        /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
 #define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
 #define MBEDTLS_OID_AES                         MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
+#define MBEDTLS_OID_AES_128_CBC                 MBEDTLS_OID_AES "\x02" /** aes128-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes128-CBC-PAD(2) } */
+#define MBEDTLS_OID_AES_192_CBC                 MBEDTLS_OID_AES "\x16" /** aes192-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes192-CBC-PAD(22) } */
+#define MBEDTLS_OID_AES_256_CBC                 MBEDTLS_OID_AES "\x2a" /** aes256-cbc-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithms(4) aes(1) aes256-CBC-PAD(42) } */
 
 /*
  * Key Wrapping algorithms
@@ -297,13 +322,21 @@
 /*
  * PKCS#5 PBES1 algorithms
  */
-#define MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC       MBEDTLS_OID_PKCS5 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */
-#define MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC       MBEDTLS_OID_PKCS5 "\x04" /**< pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} */
 #define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC       MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
 #define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC       MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
 #define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC      MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
 #define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC      MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
 
+/*
+ * PKCS#7 OIDs
+ */
+#define MBEDTLS_OID_PKCS7_DATA                        MBEDTLS_OID_PKCS7 "\x01" /**< Content type is Data OBJECT IDENTIFIER ::= {pkcs-7 1} */
+#define MBEDTLS_OID_PKCS7_SIGNED_DATA                 MBEDTLS_OID_PKCS7 "\x02" /**< Content type is Signed Data OBJECT IDENTIFIER ::= {pkcs-7 2} */
+#define MBEDTLS_OID_PKCS7_ENVELOPED_DATA              MBEDTLS_OID_PKCS7 "\x03" /**< Content type is Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 3} */
+#define MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA   MBEDTLS_OID_PKCS7 "\x04" /**< Content type is Signed and Enveloped Data OBJECT IDENTIFIER ::= {pkcs-7 4} */
+#define MBEDTLS_OID_PKCS7_DIGESTED_DATA               MBEDTLS_OID_PKCS7 "\x05" /**< Content type is Digested Data OBJECT IDENTIFIER ::= {pkcs-7 5} */
+#define MBEDTLS_OID_PKCS7_ENCRYPTED_DATA              MBEDTLS_OID_PKCS7 "\x06" /**< Content type is Encrypted Data OBJECT IDENTIFIER ::= {pkcs-7 6} */
+
 /*
  * PKCS#8 OIDs
  */
@@ -314,8 +347,6 @@
  */
 #define MBEDTLS_OID_PKCS12_PBE                      MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
 
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128         MBEDTLS_OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
-#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40          MBEDTLS_OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
 #define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
 #define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
 #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
@@ -426,6 +457,15 @@
  *   ecdsa-with-SHA2(3) 4 } */
 #define MBEDTLS_OID_ECDSA_SHA512            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
 
+/*
+ * EC key algorithms from RFC 8410
+ */
+
+#define MBEDTLS_OID_X25519                  MBEDTLS_OID_THAWTE "\x6e" /**< id-X25519    OBJECT IDENTIFIER ::= { 1 3 101 110 } */
+#define MBEDTLS_OID_X448                    MBEDTLS_OID_THAWTE "\x6f" /**< id-X448      OBJECT IDENTIFIER ::= { 1 3 101 111 } */
+#define MBEDTLS_OID_ED25519                 MBEDTLS_OID_THAWTE "\x70" /**< id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 } */
+#define MBEDTLS_OID_ED448                   MBEDTLS_OID_THAWTE "\x71" /**< id-Ed448     OBJECT IDENTIFIER ::= { 1 3 101 113 } */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -434,10 +474,12 @@ extern "C" {
  * \brief Base OID descriptor structure
  */
 typedef struct mbedtls_oid_descriptor_t {
-    const char *asn1;               /*!< OID ASN.1 representation       */
-    size_t asn1_len;                /*!< length of asn1                 */
-    const char *name;               /*!< official name (e.g. from RFC)  */
-    const char *description;        /*!< human friendly description     */
+    const char *MBEDTLS_PRIVATE(asn1);               /*!< OID ASN.1 representation       */
+    size_t MBEDTLS_PRIVATE(asn1_len);                /*!< length of asn1                 */
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+    const char *MBEDTLS_PRIVATE(name);               /*!< official name (e.g. from RFC)  */
+    const char *MBEDTLS_PRIVATE(description);        /*!< human friendly description     */
+#endif
 } mbedtls_oid_descriptor_t;
 
 /**
@@ -453,6 +495,25 @@ typedef struct mbedtls_oid_descriptor_t {
  */
 int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
 
+/**
+ * \brief           Translate a string containing a dotted-decimal
+ *                  representation of an ASN.1 OID into its encoded form
+ *                  (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D").
+ *                  On success, this function allocates oid->buf from the
+ *                  heap. It must be freed by the caller using mbedtls_free().
+ *
+ * \param oid       #mbedtls_asn1_buf to populate with the DER-encoded OID
+ * \param oid_str   string representation of the OID to parse
+ * \param size      length of the OID string, not including any null terminator
+ *
+ * \return          0 if successful
+ * \return          #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not
+ *                  represent a valid OID
+ * \return          #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to
+ *                  allocate oid->buf
+ */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid, const char *oid_str, size_t size);
+
 /**
  * \brief          Translate an X.509 extension OID into local values
  *
@@ -496,7 +557,7 @@ int mbedtls_oid_get_pk_alg(const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_al
 int mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_type_t pk_alg,
                                   const char **oid, size_t *olen);
 
-#if defined(MBEDTLS_ECP_C)
+#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
 /**
  * \brief          Translate NamedCurve OID into an EC group identifier
  *
@@ -518,9 +579,32 @@ int mbedtls_oid_get_ec_grp(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *gr
  */
 int mbedtls_oid_get_oid_by_ec_grp(mbedtls_ecp_group_id grp_id,
                                   const char **oid, size_t *olen);
-#endif /* MBEDTLS_ECP_C */
 
-#if defined(MBEDTLS_MD_C)
+/**
+ * \brief          Translate AlgorithmIdentifier OID into an EC group identifier,
+ *                 for curves that are directly encoded at this level
+ *
+ * \param oid      OID to use
+ * \param grp_id   place to store group id
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp_algid(const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id);
+
+/**
+ * \brief          Translate EC group identifier into AlgorithmIdentifier OID,
+ *                 for curves that are directly encoded at this level
+ *
+ * \param grp_id   EC group identifier
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp_algid(mbedtls_ecp_group_id grp_id,
+                                        const char **oid, size_t *olen);
+#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
+
 /**
  * \brief          Translate SignatureAlgorithm OID into md_type and pk_type
  *
@@ -557,26 +641,26 @@ int mbedtls_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t m
                                    const char **oid, size_t *olen);
 
 /**
- * \brief          Translate hash algorithm OID into md_type
+ * \brief          Translate hmac algorithm OID into md_type
  *
  * \param oid      OID to use
- * \param md_alg   place to store message digest algorithm
+ * \param md_hmac  place to store message hmac algorithm
  *
  * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
  */
-int mbedtls_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
+int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac);
 
 /**
- * \brief          Translate hmac algorithm OID into md_type
+ * \brief          Translate hash algorithm OID into md_type
  *
  * \param oid      OID to use
- * \param md_hmac  place to store message hmac algorithm
+ * \param md_alg   place to store message digest algorithm
  *
  * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
  */
-int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac);
-#endif /* MBEDTLS_MD_C */
+int mbedtls_oid_get_md_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg);
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Translate Extended Key Usage OID into description
  *
@@ -586,6 +670,7 @@ int mbedtls_oid_get_md_hmac(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_h
  * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
  */
 int mbedtls_oid_get_extended_key_usage(const mbedtls_asn1_buf *oid, const char **desc);
+#endif
 
 /**
  * \brief          Translate certificate policies OID into description
@@ -618,7 +703,6 @@ int mbedtls_oid_get_oid_by_md(mbedtls_md_type_t md_alg, const char **oid, size_t
  * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
  */
 int mbedtls_oid_get_cipher_alg(const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg);
-#endif /* MBEDTLS_CIPHER_C */
 
 #if defined(MBEDTLS_PKCS12_C)
 /**
@@ -634,6 +718,7 @@ int mbedtls_oid_get_cipher_alg(const mbedtls_asn1_buf *oid, mbedtls_cipher_type_
 int mbedtls_oid_get_pkcs12_pbe_alg(const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
                                    mbedtls_cipher_type_t *cipher_alg);
 #endif /* MBEDTLS_PKCS12_C */
+#endif /* MBEDTLS_CIPHER_C */
 
 #ifdef __cplusplus
 }

+ 31 - 11
thirdparty/mbedtls/include/mbedtls/pem.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_PEM_H
 #define MBEDTLS_PEM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 
@@ -53,9 +50,9 @@ extern "C" {
  * \brief       PEM context structure
  */
 typedef struct mbedtls_pem_context {
-    unsigned char *buf;     /*!< buffer for decoded data             */
-    size_t buflen;          /*!< length of the buffer                */
-    unsigned char *info;    /*!< buffer for extra header information */
+    unsigned char *MBEDTLS_PRIVATE(buf);     /*!< buffer for decoded data             */
+    size_t MBEDTLS_PRIVATE(buflen);          /*!< length of the buffer                */
+    unsigned char *MBEDTLS_PRIVATE(info);    /*!< buffer for extra header information */
 }
 mbedtls_pem_context;
 
@@ -76,16 +73,20 @@ void mbedtls_pem_init(mbedtls_pem_context *ctx);
  * \param data      source data to look in (must be nul-terminated)
  * \param pwd       password for decryption (can be NULL)
  * \param pwdlen    length of password
- * \param use_len   destination for total length used (set after header is
- *                  correctly read, so unless you get
+ * \param use_len   destination for total length used from data buffer. It is
+ *                  set after header is correctly read, so unless you get
  *                  MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
  *                  MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
- *                  the length to skip)
+ *                  the length to skip.
  *
  * \note            Attempts to check password correctness by verifying if
  *                  the decrypted text starts with an ASN.1 sequence of
  *                  appropriate length
  *
+ * \note            \c mbedtls_pem_free must be called on PEM context before
+ *                  the PEM context can be reused in another call to
+ *                  \c mbedtls_pem_read_buffer
+ *
  * \return          0 on success, or a specific PEM error code
  */
 int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const char *footer,
@@ -93,6 +94,25 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
                             const unsigned char *pwd,
                             size_t pwdlen, size_t *use_len);
 
+/**
+ * \brief       Get the pointer to the decoded binary data in a PEM context.
+ *
+ * \param ctx       PEM context to access.
+ * \param buflen    On success, this will contain the length of the binary data.
+ *                  This must be a valid (non-null) pointer.
+ *
+ * \return          A pointer to the decoded binary data.
+ *
+ * \note            The returned pointer remains valid only until \p ctx is
+                    modified or freed.
+ */
+static inline const unsigned char *mbedtls_pem_get_buffer(mbedtls_pem_context *ctx, size_t *buflen)
+{
+    *buflen = ctx->MBEDTLS_PRIVATE(buflen);
+    return ctx->MBEDTLS_PRIVATE(buf);
+}
+
+
 /**
  * \brief       PEM context memory freeing
  *

+ 525 - 135
thirdparty/mbedtls/include/mbedtls/pk.h

@@ -10,12 +10,9 @@
 
 #ifndef MBEDTLS_PK_H
 #define MBEDTLS_PK_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/md.h"
 
@@ -31,15 +28,10 @@
 #include "mbedtls/ecdsa.h"
 #endif
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
 #include "psa/crypto.h"
 #endif
 
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
 /** Memory allocation failed. */
 #define MBEDTLS_ERR_PK_ALLOC_FAILED        -0x3F80
 /** Type mismatch, eg attempt to encrypt with an ECDSA key */
@@ -68,10 +60,8 @@
 #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980
 /** The buffer contains a valid signature followed by more data. */
 #define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900
-
-/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** PK hardware accelerator failed. */
-#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880
+/** The output buffer is too small. */
+#define MBEDTLS_ERR_PK_BUFFER_TOO_SMALL    -0x3880
 
 #ifdef __cplusplus
 extern "C" {
@@ -96,7 +86,23 @@ typedef enum {
  *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
  */
 typedef struct mbedtls_pk_rsassa_pss_options {
+    /** The digest to use for MGF1 in PSS.
+     *
+     * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled and #MBEDTLS_RSA_C is
+     *       disabled, this must be equal to the \c md_alg argument passed
+     *       to mbedtls_pk_verify_ext(). In a future version of the library,
+     *       this constraint may apply whenever #MBEDTLS_USE_PSA_CRYPTO is
+     *       enabled regardless of the status of #MBEDTLS_RSA_C.
+     */
     mbedtls_md_type_t mgf1_hash_id;
+
+    /** The expected length of the salt, in bytes. This may be
+     * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+     *
+     * \note When #MBEDTLS_USE_PSA_CRYPTO is enabled, only
+     *       #MBEDTLS_RSA_SALT_LEN_ANY is valid. Any other value may be
+     *       ignored (allowing any salt length).
+     */
     int expected_salt_len;
 
 } mbedtls_pk_rsassa_pss_options;
@@ -120,7 +126,7 @@ typedef struct mbedtls_pk_rsassa_pss_options {
 /* For RSA, the signature can be as large as the bignum module allows.
  * For RSA_ALT, the signature size is not necessarily tied to what the
  * bignum module can do, but in the absence of any specific setting,
- * we use that (rsa_alt_sign_wrap in pk_wrap will check). */
+ * we use that (rsa_alt_sign_wrap in library/pk_wrap.h will check). */
 #undef MBEDTLS_PK_SIGNATURE_MAX_SIZE
 #define MBEDTLS_PK_SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
 #endif
@@ -153,6 +159,28 @@ typedef struct mbedtls_pk_rsassa_pss_options {
 #endif
 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
 
+/* Internal helper to define which fields in the pk_context structure below
+ * should be used for EC keys: legacy ecp_keypair or the raw (PSA friendly)
+ * format. It should be noted that this only affects how data is stored, not
+ * which functions are used for various operations. The overall picture looks
+ * like this:
+ * - if USE_PSA is not defined and ECP_C is defined then use ecp_keypair data
+ *   structure and legacy functions
+ * - if USE_PSA is defined and
+ *     - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
+ *       format and use PSA functions
+ *     - if !ECP_C then use new raw data and PSA functions directly.
+ *
+ * The main reason for the "intermediate" (USE_PSA + ECP_C) above is that as long
+ * as ECP_C is defined mbedtls_pk_ec() gives the user a read/write access to the
+ * ecp_keypair structure inside the pk_context so they can modify it using
+ * ECP functions which are not under PK module's control.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
+    !defined(MBEDTLS_ECP_C)
+#define MBEDTLS_PK_USE_PSA_EC_DATA
+#endif
+
 /**
  * \brief           Types for interfacing with the debug module
  */
@@ -160,15 +188,16 @@ typedef enum {
     MBEDTLS_PK_DEBUG_NONE = 0,
     MBEDTLS_PK_DEBUG_MPI,
     MBEDTLS_PK_DEBUG_ECP,
+    MBEDTLS_PK_DEBUG_PSA_EC,
 } mbedtls_pk_debug_type;
 
 /**
  * \brief           Item to send to the debug module
  */
 typedef struct mbedtls_pk_debug_item {
-    mbedtls_pk_debug_type type;
-    const char *name;
-    void *value;
+    mbedtls_pk_debug_type MBEDTLS_PRIVATE(type);
+    const char *MBEDTLS_PRIVATE(name);
+    void *MBEDTLS_PRIVATE(value);
 } mbedtls_pk_debug_item;
 
 /** Maximum number of item send for debugging, plus 1 */
@@ -176,15 +205,63 @@ typedef struct mbedtls_pk_debug_item {
 
 /**
  * \brief           Public key information and operations
+ *
+ * \note        The library does not support custom pk info structures,
+ *              only built-in structures returned by
+ *              mbedtls_cipher_info_from_type().
  */
 typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
 
+#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN \
+    PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
 /**
  * \brief           Public key container
  */
 typedef struct mbedtls_pk_context {
-    const mbedtls_pk_info_t *pk_info;    /**< Public key information         */
-    void *pk_ctx;                        /**< Underlying public key context  */
+    const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info);    /**< Public key information         */
+    void *MBEDTLS_PRIVATE(pk_ctx);                        /**< Underlying public key context  */
+    /* The following field is used to store the ID of a private key in the
+     * following cases:
+     * - opaque key when MBEDTLS_USE_PSA_CRYPTO is defined
+     * - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
+     *    - the pk_ctx above is not not used to store the private key anymore.
+     *      Actually that field not populated at all in this case because also
+     *      the public key will be stored in raw format as explained below
+     *    - this ID is used for all private key operations (ex: sign, check
+     *      key pair, key write, etc) using PSA functions
+     *
+     * Note: this private key storing solution only affects EC keys, not the
+     *       other ones. The latters still use the pk_ctx to store their own
+     *       context. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id);      /**< Key ID for opaque keys */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+    /* The following fields are meant for storing the public key in raw format
+     * which is handy for:
+     * - easily importing it into the PSA context
+     * - reducing the ECP module dependencies in the PK one.
+     *
+     * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled:
+     * - the pk_ctx above is not used anymore for storing the public key
+     *   inside the ecp_keypair structure
+     * - the following fields are used for all public key operations: signature
+     *   verify, key pair check and key write.
+     * - For a key pair, priv_id contains the private key. For a public key,
+     *   priv_id is null.
+     * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
+     * ecp_keypair structure is used for storing the public key and performing
+     * all the operations.
+     *
+     * Note: This new public key storing solution only works for EC keys, not
+     *       other ones. The latters still use pk_ctx to store their own
+     *       context.
+     */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+    uint8_t MBEDTLS_PRIVATE(pub_raw)[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN]; /**< Raw public key   */
+    size_t MBEDTLS_PRIVATE(pub_raw_len);            /**< Valid bytes in "pub_raw" */
+    psa_ecc_family_t MBEDTLS_PRIVATE(ec_family);    /**< EC family of pk */
+    size_t MBEDTLS_PRIVATE(ec_bits);                /**< Curve's bits of pk */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
 } mbedtls_pk_context;
 
 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -192,8 +269,8 @@ typedef struct mbedtls_pk_context {
  * \brief           Context for resuming operations
  */
 typedef struct {
-    const mbedtls_pk_info_t *pk_info;    /**< Public key information         */
-    void *rs_ctx;                        /**< Underlying restart context     */
+    const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info);    /**< Public key information         */
+    void *MBEDTLS_PRIVATE(rs_ctx);                        /**< Underlying restart context     */
 } mbedtls_pk_restart_ctx;
 #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 /* Now we can declare functions that take a pointer to that */
@@ -204,14 +281,13 @@ typedef void mbedtls_pk_restart_ctx;
 /**
  * \brief           Types for RSA-alt abstraction
  */
-typedef int (*mbedtls_pk_rsa_alt_decrypt_func)(void *ctx, int mode, size_t *olen,
+typedef int (*mbedtls_pk_rsa_alt_decrypt_func)(void *ctx, size_t *olen,
                                                const unsigned char *input, unsigned char *output,
                                                size_t output_max_len);
 typedef int (*mbedtls_pk_rsa_alt_sign_func)(void *ctx,
-                                            int (*f_rng)(void *, unsigned char *, size_t),
+                                            mbedtls_f_rng_t *f_rng,
                                             void *p_rng,
-                                            int mode, mbedtls_md_type_t md_alg,
-                                            unsigned int hashlen,
+                                            mbedtls_md_type_t md_alg, unsigned int hashlen,
                                             const unsigned char *hash, unsigned char *sig);
 typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)(void *ctx);
 #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
@@ -283,35 +359,43 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 /**
- * \brief           Initialize a PK context to wrap a PSA key.
- *
- * \note            This function replaces mbedtls_pk_setup() for contexts
- *                  that wrap a (possibly opaque) PSA key instead of
- *                  storing and manipulating the key material directly.
- *
- * \param ctx       The context to initialize. It must be empty (type NONE).
- * \param key       The PSA key to wrap, which must hold an ECC key pair
- *                  (see notes below).
- *
- * \note            The wrapped key must remain valid as long as the
- *                  wrapping PK context is in use, that is at least between
- *                  the point this function is called and the point
- *                  mbedtls_pk_free() is called on this context. The wrapped
- *                  key might then be independently used or destroyed.
- *
- * \note            This function is currently only available for ECC key
- *                  pairs (that is, ECC keys containing private key material).
- *                  Support for other key types may be added later.
- *
- * \return          \c 0 on success.
- * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
- *                  (context already used, invalid key identifier).
- * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
- *                  ECC key pair.
- * \return          #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ * \brief Initialize a PK context to wrap a PSA key.
+ *
+ * This function creates a PK context which wraps a PSA key. The PSA wrapped
+ * key must be an EC or RSA key pair (DH is not suported in the PK module).
+ *
+ * Under the hood PSA functions will be used to perform the required
+ * operations and, based on the key type, used algorithms will be:
+ * * EC:
+ *     * verify, verify_ext, sign, sign_ext: ECDSA.
+ * * RSA:
+ *     * sign, decrypt: use the primary algorithm in the wrapped PSA key;
+ *     * sign_ext: RSA PSS if the pk_type is #MBEDTLS_PK_RSASSA_PSS, otherwise
+ *       it falls back to the sign() case;
+ *     * verify, verify_ext, encrypt: not supported.
+ *
+ * In order for the above operations to succeed, the policy of the wrapped PSA
+ * key must allow the specified algorithm.
+ *
+ * Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(),
+ * whereas RSA ones do not.
+ *
+ * \warning The PSA wrapped key must remain valid as long as the wrapping PK
+ *          context is in use, that is at least between the point this function
+ *          is called and the point mbedtls_pk_free() is called on this context.
+ *
+ * \param ctx The context to initialize. It must be empty (type NONE).
+ * \param key The PSA key to wrap, which must hold an ECC or RSA key pair.
+ *
+ * \return    \c 0 on success.
+ * \return    #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input (context already
+ *            used, invalid key identifier).
+ * \return    #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an ECC or
+ *            RSA key pair.
+ * \return    #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
  */
 int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
-                            const psa_key_id_t key);
+                            const mbedtls_svc_key_id_t key);
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
@@ -371,34 +455,298 @@ static inline size_t mbedtls_pk_get_len(const mbedtls_pk_context *ctx)
  */
 int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type);
 
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * \brief           Tell if context can do the operation given by PSA algorithm
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ * \param alg       PSA algorithm to check against, the following are allowed:
+ *                  PSA_ALG_RSA_PKCS1V15_SIGN(hash),
+ *                  PSA_ALG_RSA_PSS(hash),
+ *                  PSA_ALG_RSA_PKCS1V15_CRYPT,
+ *                  PSA_ALG_ECDSA(hash),
+ *                  PSA_ALG_ECDH, where hash is a specific hash.
+ * \param usage     PSA usage flag to check against, must be composed of:
+ *                  PSA_KEY_USAGE_SIGN_HASH
+ *                  PSA_KEY_USAGE_DECRYPT
+ *                  PSA_KEY_USAGE_DERIVE.
+ *                  Context key must match all passed usage flags.
+ *
+ * \warning         Since the set of allowed algorithms and usage flags may be
+ *                  expanded in the future, the return value \c 0 should not
+ *                  be taken in account for non-allowed algorithms and usage
+ *                  flags.
+ *
+ * \return          1 if the context can do operations on the given type.
+ * \return          0 if the context cannot do the operations on the given
+ *                  type, for non-allowed algorithms and usage flags, or
+ *                  for a context that has been initialized but not set up
+ *                  or that has been cleared with mbedtls_pk_free().
+ */
+int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
+                          psa_key_usage_t usage);
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+/**
+ * \brief           Determine valid PSA attributes that can be used to
+ *                  import a key into PSA.
+ *
+ * The attributes determined by this function are suitable
+ * for calling mbedtls_pk_import_into_psa() to create
+ * a PSA key with the same key material.
+ *
+ * The typical flow of operations involving this function is
+ * ```
+ * psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ * int ret = mbedtls_pk_get_psa_attributes(pk, &attributes);
+ * if (ret != 0) ...; // error handling omitted
+ * // Tweak attributes if desired
+ * psa_key_id_t key_id = 0;
+ * ret = mbedtls_pk_import_into_psa(pk, &attributes, &key_id);
+ * if (ret != 0) ...; // error handling omitted
+ * ```
+ *
+ * \note            This function does not support RSA-alt contexts
+ *                  (set up with mbedtls_pk_setup_rsa_alt()).
+ *
+ * \param[in] pk    The PK context to use. It must have been set up.
+ *                  It can either contain a key pair or just a public key.
+ * \param usage     A single `PSA_KEY_USAGE_xxx` flag among the following:
+ *                  - #PSA_KEY_USAGE_DECRYPT: \p pk must contain a
+ *                    key pair. The output \p attributes will contain a
+ *                    key pair type, and the usage policy will allow
+ *                    #PSA_KEY_USAGE_ENCRYPT as well as
+ *                    #PSA_KEY_USAGE_DECRYPT.
+ *                  - #PSA_KEY_USAGE_DERIVE: \p pk must contain a
+ *                    key pair. The output \p attributes will contain a
+ *                    key pair type.
+ *                  - #PSA_KEY_USAGE_ENCRYPT: The output
+ *                    \p attributes will contain a public key type.
+ *                  - #PSA_KEY_USAGE_SIGN_HASH: \p pk must contain a
+ *                    key pair. The output \p attributes will contain a
+ *                    key pair type, and the usage policy will allow
+ *                    #PSA_KEY_USAGE_VERIFY_HASH as well as
+ *                    #PSA_KEY_USAGE_SIGN_HASH.
+ *                  - #PSA_KEY_USAGE_SIGN_MESSAGE: \p pk must contain a
+ *                    key pair. The output \p attributes will contain a
+ *                    key pair type, and the usage policy will allow
+ *                    #PSA_KEY_USAGE_VERIFY_MESSAGE as well as
+ *                    #PSA_KEY_USAGE_SIGN_MESSAGE.
+ *                  - #PSA_KEY_USAGE_VERIFY_HASH: The output
+ *                    \p attributes will contain a public key type.
+ *                  - #PSA_KEY_USAGE_VERIFY_MESSAGE: The output
+ *                    \p attributes will contain a public key type.
+ * \param[out] attributes
+ *                  On success, valid attributes to import the key into PSA.
+ *                  - The lifetime and key identifier are unchanged. If the
+ *                    attribute structure was initialized or reset before
+ *                    calling this function, this will result in a volatile
+ *                    key. Call psa_set_key_identifier() before or after this
+ *                    function if you wish to create a persistent key. Call
+ *                    psa_set_key_lifetime() before or after this function if
+ *                    you wish to import the key in a secure element.
+ *                  - The key type and bit-size are determined by the contents
+ *                    of the PK context. If the PK context contains a key
+ *                    pair, the key type can be either a key pair type or
+ *                    the corresponding public key type, depending on
+ *                    \p usage. If the PK context contains a public key,
+ *                    the key type is a public key type.
+ *                  - The key's policy is determined by the key type and
+ *                    the \p usage parameter. The usage always allows
+ *                    \p usage, exporting and copying the key, and
+ *                    possibly other permissions as documented for the
+ *                    \p usage parameter.
+ *                    The permitted algorithm policy is determined as follows
+ *                    based on the #mbedtls_pk_type_t type of \p pk,
+ *                    the chosen \p usage and other factors:
+ *                      - #MBEDTLS_PK_RSA whose underlying
+ *                        #mbedtls_rsa_context has the padding mode
+ *                        #MBEDTLS_RSA_PKCS_V15:
+ *                        #PSA_ALG_RSA_PKCS1V15_SIGN(#PSA_ALG_ANY_HASH)
+ *                        if \p usage is SIGN/VERIFY, and
+ *                        #PSA_ALG_RSA_PKCS1V15_CRYPT
+ *                        if \p usage is ENCRYPT/DECRYPT.
+ *                      - #MBEDTLS_PK_RSA whose underlying
+ *                        #mbedtls_rsa_context has the padding mode
+ *                        #MBEDTLS_RSA_PKCS_V21 and the digest type
+ *                        corresponding to the PSA algorithm \c hash:
+ *                        #PSA_ALG_RSA_PSS_ANY_SALT(#PSA_ALG_ANY_HASH)
+ *                        if \p usage is SIGN/VERIFY, and
+ *                        #PSA_ALG_RSA_OAEP(\c hash)
+ *                        if \p usage is ENCRYPT/DECRYPT.
+ *                      - #MBEDTLS_PK_RSA_ALT: not supported.
+ *                      - #MBEDTLS_PK_ECDSA or #MBEDTLS_PK_ECKEY
+ *                        if \p usage is SIGN/VERIFY:
+ *                        #PSA_ALG_DETERMINISTIC_ECDSA(#PSA_ALG_ANY_HASH)
+ *                        if #MBEDTLS_ECDSA_DETERMINISTIC is enabled,
+ *                        otherwise #PSA_ALG_ECDSA(#PSA_ALG_ANY_HASH).
+ *                      - #MBEDTLS_PK_ECKEY_DH or #MBEDTLS_PK_ECKEY
+ *                        if \p usage is DERIVE:
+ *                        #PSA_ALG_ECDH.
+ *                      - #MBEDTLS_PK_OPAQUE: same as the primary algorithm
+ *                        set for the underlying PSA key, except that
+ *                        sign/decrypt flags are removed if the type is
+ *                        set to a public key type.
+ *                        The underlying key must allow \p usage.
+ *                        Note that the enrollment algorithm set with
+ *                        psa_set_key_enrollment_algorithm() is not copied.
+ *
+ * \return          0 on success.
+ *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain
+ *                  a key of the type identified in \p attributes.
+ *                  Another error code on other failures.
+ */
+int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
+                                  psa_key_usage_t usage,
+                                  psa_key_attributes_t *attributes);
+
+/**
+ * \brief           Import a key into the PSA key store.
+ *
+ * This function is equivalent to calling psa_import_key()
+ * with the key material from \p pk.
+ *
+ * The typical way to use this function is:
+ * -# Call mbedtls_pk_get_psa_attributes() to obtain
+ *    attributes for the given key.
+ * -# If desired, modify the attributes, for example:
+ *     - To create a persistent key, call
+ *       psa_set_key_identifier() and optionally
+ *       psa_set_key_lifetime().
+ *     - To import only the public part of a key pair:
+ *
+ *           psa_set_key_type(&attributes,
+ *                            PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(
+ *                                psa_get_key_type(&attributes)));
+ *     - Restrict the key usage if desired.
+ * -# Call mbedtls_pk_import_into_psa().
+ *
+ * \note            This function does not support RSA-alt contexts
+ *                  (set up with mbedtls_pk_setup_rsa_alt()).
+ *
+ * \param[in] pk    The PK context to use. It must have been set up.
+ *                  It can either contain a key pair or just a public key.
+ * \param[in] attributes
+ *                  The attributes to use for the new key. They must be
+ *                  compatible with \p pk. In particular, the key type
+ *                  must match the content of \p pk.
+ *                  If \p pk contains a key pair, the key type in
+ *                  attributes can be either the key pair type or the
+ *                  corresponding public key type (to import only the
+ *                  public part).
+ * \param[out] key_id
+ *                  On success, the identifier of the newly created key.
+ *                  On error, this is #MBEDTLS_SVC_KEY_ID_INIT.
+ *
+ * \return          0 on success.
+ *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if \p pk does not contain
+ *                  a key of the type identified in \p attributes.
+ *                  Another error code on other failures.
+ */
+int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
+                               const psa_key_attributes_t *attributes,
+                               mbedtls_svc_key_id_t *key_id);
+
+/**
+ * \brief           Create a PK context starting from a key stored in PSA.
+ *                  This key:
+ *                  - must be exportable and
+ *                  - must be an RSA or EC key pair or public key (FFDH is not supported in PK).
+ *
+ *                  The resulting PK object will be a transparent type:
+ *                  - #MBEDTLS_PK_RSA for RSA keys or
+ *                  - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ *                  Once this functions returns the PK object will be completely
+ *                  independent from the original PSA key that it was generated
+ *                  from.
+ *                  Calling mbedtls_pk_sign(), mbedtls_pk_verify(),
+ *                  mbedtls_pk_encrypt(), mbedtls_pk_decrypt() on the resulting
+ *                  PK context will perform the corresponding algorithm for that
+ *                  PK context type.
+ *                  * For ECDSA, the choice of deterministic vs randomized will
+ *                    be based on the compile-time setting #MBEDTLS_ECDSA_DETERMINISTIC.
+ *                  * For an RSA key, the output PK context will allow both
+ *                    encrypt/decrypt and sign/verify regardless of the original
+ *                    key's policy.
+ *                    The original key's policy determines the output key's padding
+ *                    mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ *                    otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id    The key identifier of the key stored in PSA.
+ * \param pk        The PK context that will be filled. It must be initialized,
+ *                  but not set up.
+ *
+ * \return          0 on success.
+ * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ *                  parameters are not correct.
+ */
+int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+
+/**
+ * \brief           Create a PK context for the public key of a PSA key.
+ *
+ *                  The key must be an RSA or ECC key. It can be either a
+ *                  public key or a key pair, and only the public key is copied.
+ *                  The resulting PK object will be a transparent type:
+ *                  - #MBEDTLS_PK_RSA for RSA keys or
+ *                  - #MBEDTLS_PK_ECKEY for EC keys.
+ *
+ *                  Once this functions returns the PK object will be completely
+ *                  independent from the original PSA key that it was generated
+ *                  from.
+ *                  Calling mbedtls_pk_verify() or
+ *                  mbedtls_pk_encrypt() on the resulting
+ *                  PK context will perform the corresponding algorithm for that
+ *                  PK context type.
+ *
+ *                  For an RSA key, the output PK context will allow both
+ *                  encrypt and verify regardless of the original key's policy.
+ *                  The original key's policy determines the output key's padding
+ *                  mode: PCKS1 v2.1 is set if the PSA key policy is OAEP or PSS,
+ *                  otherwise PKCS1 v1.5 is set.
+ *
+ * \param key_id    The key identifier of the key stored in PSA.
+ * \param pk        The PK context that will be filled. It must be initialized,
+ *                  but not set up.
+ *
+ * \return          0 on success.
+ * \return          MBEDTLS_ERR_PK_BAD_INPUT_DATA in case the provided input
+ *                  parameters are not correct.
+ */
+int mbedtls_pk_copy_public_from_psa(mbedtls_svc_key_id_t key_id, mbedtls_pk_context *pk);
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
 /**
  * \brief           Verify signature (including padding if relevant).
  *
  * \param ctx       The PK context to use. It must have been set up.
- * \param md_alg    Hash algorithm used (see notes)
+ * \param md_alg    Hash algorithm used.
+ *                  This can be #MBEDTLS_MD_NONE if the signature algorithm
+ *                  does not rely on a hash algorithm (non-deterministic
+ *                  ECDSA, RSA PKCS#1 v1.5).
+ *                  For PKCS#1 v1.5, if \p md_alg is #MBEDTLS_MD_NONE, then
+ *                  \p hash is the DigestInfo structure used by RFC 8017
+ *                  &sect;9.2 steps 3&ndash;6. If \p md_alg is a valid hash
+ *                  algorithm then \p hash is the digest itself, and this
+ *                  function calculates the DigestInfo encoding internally.
  * \param hash      Hash of the message to sign
- * \param hash_len  Hash length or 0 (see notes)
+ * \param hash_len  Hash length
  * \param sig       Signature to verify
  * \param sig_len   Signature length
  *
+ * \note            For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ *                  either PKCS#1 v1.5 or PSS (accepting any salt length),
+ *                  depending on the padding mode in the underlying RSA context.
+ *                  For a pk object constructed by parsing, this is PKCS#1 v1.5
+ *                  by default. Use mbedtls_pk_verify_ext() to explicitly select
+ *                  a different algorithm.
+ *
  * \return          0 on success (signature is valid),
  *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
  *                  signature in \p sig but its length is less than \p sig_len,
  *                  or a specific error code.
- *
- * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
- *                  Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
- *                  to verify RSASSA_PSS signatures.
- *
- * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
- *                  subsystem must have been initialized by calling
- *                  psa_crypto_init() before calling this function,
- *                  if the key might be an ECC (ECDSA) key.
- *
- * \note            If hash_len is 0, then the length associated with md_alg
- *                  is used instead, or an error returned if it is invalid.
- *
- * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
  */
 int mbedtls_pk_verify(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                       const unsigned char *hash, size_t hash_len,
@@ -457,7 +805,9 @@ int mbedtls_pk_verify_restartable(mbedtls_pk_context *ctx,
  *
  * \note            If type is MBEDTLS_PK_RSASSA_PSS, then options must point
  *                  to a mbedtls_pk_rsassa_pss_options structure,
- *                  otherwise it must be NULL.
+ *                  otherwise it must be NULL. Note that if
+ *                  #MBEDTLS_USE_PSA_CRYPTO is defined, the salt length is not
+ *                  verified as PSA_ALG_RSA_PSS_ANY_SALT is used.
  */
 int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
                           mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
@@ -471,33 +821,72 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
  *                  with a private key.
  * \param md_alg    Hash algorithm used (see notes)
  * \param hash      Hash of the message to sign
- * \param hash_len  Hash length or 0 (see notes)
+ * \param hash_len  Hash length
  * \param sig       Place to write the signature.
  *                  It must have enough room for the signature.
  *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
  *                  You may use a smaller buffer if it is large enough
  *                  given the key type.
+ * \param sig_size  The size of the \p sig buffer in bytes.
  * \param sig_len   On successful return,
  *                  the number of bytes written to \p sig.
- * \param f_rng     RNG function
+ * \param f_rng     RNG function, must not be \c NULL.
  * \param p_rng     RNG parameter
  *
- * \return          0 on success, or a specific error code.
- *
- * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
- *                  There is no interface in the PK module to make RSASSA-PSS
- *                  signatures yet.
+ * \note            For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ *                  either PKCS#1 v1.5 or PSS (using the largest possible salt
+ *                  length up to the hash length), depending on the padding mode
+ *                  in the underlying RSA context. For a pk object constructed
+ *                  by parsing, this is PKCS#1 v1.5 by default. Use
+ *                  mbedtls_pk_verify_ext() to explicitly select a different
+ *                  algorithm.
  *
- * \note            If hash_len is 0, then the length associated with md_alg
- *                  is used instead, or an error returned if it is invalid.
+ * \return          0 on success, or a specific error code.
  *
  * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
  *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
  */
 int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
                     const unsigned char *hash, size_t hash_len,
-                    unsigned char *sig, size_t *sig_len,
-                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                    unsigned char *sig, size_t sig_size, size_t *sig_len,
+                    mbedtls_f_rng_t *f_rng, void *p_rng);
+
+/**
+ * \brief           Make signature given a signature type.
+ *
+ * \param pk_type   Signature type.
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length
+ * \param sig       Place to write the signature.
+ *                  It must have enough room for the signature.
+ *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
+ *                  You may use a smaller buffer if it is large enough
+ *                  given the key type.
+ * \param sig_size  The size of the \p sig buffer in bytes.
+ * \param sig_len   On successful return,
+ *                  the number of bytes written to \p sig.
+ * \param f_rng     RNG function, must not be \c NULL.
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 on success, or a specific error code.
+ *
+ * \note            When \p pk_type is #MBEDTLS_PK_RSASSA_PSS,
+ *                  see #PSA_ALG_RSA_PSS for a description of PSS options used.
+ *
+ * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ */
+int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
+                        mbedtls_pk_context *ctx,
+                        mbedtls_md_type_t md_alg,
+                        const unsigned char *hash, size_t hash_len,
+                        unsigned char *sig, size_t sig_size, size_t *sig_len,
+                        mbedtls_f_rng_t *f_rng,
+                        void *p_rng);
 
 /**
  * \brief           Restartable version of \c mbedtls_pk_sign()
@@ -511,15 +900,16 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
  *                  with a private key.
  * \param md_alg    Hash algorithm used (see notes for mbedtls_pk_sign())
  * \param hash      Hash of the message to sign
- * \param hash_len  Hash length or 0 (see notes for mbedtls_pk_sign())
+ * \param hash_len  Hash length
  * \param sig       Place to write the signature.
  *                  It must have enough room for the signature.
  *                  #MBEDTLS_PK_SIGNATURE_MAX_SIZE is always enough.
  *                  You may use a smaller buffer if it is large enough
  *                  given the key type.
+ * \param sig_size  The size of the \p sig buffer in bytes.
  * \param sig_len   On successful return,
  *                  the number of bytes written to \p sig.
- * \param f_rng     RNG function
+ * \param f_rng     RNG function, must not be \c NULL.
  * \param p_rng     RNG parameter
  * \param rs_ctx    Restart context (NULL to disable restart)
  *
@@ -530,8 +920,8 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
 int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
                                 mbedtls_md_type_t md_alg,
                                 const unsigned char *hash, size_t hash_len,
-                                unsigned char *sig, size_t *sig_len,
-                                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                                unsigned char *sig, size_t sig_size, size_t *sig_len,
+                                mbedtls_f_rng_t *f_rng, void *p_rng,
                                 mbedtls_pk_restart_ctx *rs_ctx);
 
 /**
@@ -544,17 +934,20 @@ int mbedtls_pk_sign_restartable(mbedtls_pk_context *ctx,
  * \param output    Decrypted output
  * \param olen      Decrypted message length
  * \param osize     Size of the output buffer
- * \param f_rng     RNG function
+ * \param f_rng     RNG function, must not be \c NULL.
  * \param p_rng     RNG parameter
  *
- * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ * \note            For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ *                  either PKCS#1 v1.5 or OAEP, depending on the padding mode in
+ *                  the underlying RSA context. For a pk object constructed by
+ *                  parsing, this is PKCS#1 v1.5 by default.
  *
  * \return          0 on success, or a specific error code.
  */
 int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
                        const unsigned char *input, size_t ilen,
                        unsigned char *output, size_t *olen, size_t osize,
-                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                       mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /**
  * \brief           Encrypt message (including padding if relevant).
@@ -565,23 +958,30 @@ int mbedtls_pk_decrypt(mbedtls_pk_context *ctx,
  * \param output    Encrypted output
  * \param olen      Encrypted output length
  * \param osize     Size of the output buffer
- * \param f_rng     RNG function
+ * \param f_rng     RNG function, must not be \c NULL.
  * \param p_rng     RNG parameter
  *
- * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ * \note            For keys of type #MBEDTLS_PK_RSA, the signature algorithm is
+ *                  either PKCS#1 v1.5 or OAEP, depending on the padding mode in
+ *                  the underlying RSA context. For a pk object constructed by
+ *                  parsing, this is PKCS#1 v1.5 by default.
+ *
+ * \note            \p f_rng is used for padding generation.
  *
  * \return          0 on success, or a specific error code.
  */
 int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
                        const unsigned char *input, size_t ilen,
                        unsigned char *output, size_t *olen, size_t osize,
-                       int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
+                       mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /**
  * \brief           Check if a public-private pair of keys matches.
  *
  * \param pub       Context holding a public key.
  * \param prv       Context holding a private (and public) key.
+ * \param f_rng     RNG function, must not be \c NULL.
+ * \param p_rng     RNG parameter
  *
  * \return          \c 0 on success (keys were checked and match each other).
  * \return          #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the keys could not
@@ -589,7 +989,10 @@ int mbedtls_pk_encrypt(mbedtls_pk_context *ctx,
  * \return          #MBEDTLS_ERR_PK_BAD_INPUT_DATA if a context is invalid.
  * \return          Another non-zero value if the keys do not match.
  */
-int mbedtls_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_context *prv);
+int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
+                          const mbedtls_pk_context *prv,
+                          mbedtls_f_rng_t *f_rng,
+                          void *p_rng);
 
 /**
  * \brief           Export debug information
@@ -635,7 +1038,7 @@ static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk)
 {
     switch (mbedtls_pk_get_type(&pk)) {
         case MBEDTLS_PK_RSA:
-            return (mbedtls_rsa_context *) (pk).pk_ctx;
+            return (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx);
         default:
             return NULL;
     }
@@ -660,7 +1063,7 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
         case MBEDTLS_PK_ECKEY:
         case MBEDTLS_PK_ECKEY_DH:
         case MBEDTLS_PK_ECDSA:
-            return (mbedtls_ecp_keypair *) (pk).pk_ctx;
+            return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
         default:
             return NULL;
     }
@@ -672,6 +1075,10 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
 /**
  * \brief           Parse a private key in PEM or DER format
  *
+ * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ *                  subsystem must have been initialized by calling
+ *                  psa_crypto_init() before calling this function.
+ *
  * \param ctx       The PK context to fill. It must have been initialized
  *                  but not set up.
  * \param key       Input buffer to parse.
@@ -688,6 +1095,8 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
  *                  The empty password is not supported.
  * \param pwdlen    Size of the password in bytes.
  *                  Ignored if \p pwd is \c NULL.
+ * \param f_rng     RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng     RNG parameter
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -699,12 +1108,17 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk)
  */
 int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
                          const unsigned char *key, size_t keylen,
-                         const unsigned char *pwd, size_t pwdlen);
+                         const unsigned char *pwd, size_t pwdlen,
+                         mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /** \ingroup pk_module */
 /**
  * \brief           Parse a public key in PEM or DER format
  *
+ * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ *                  subsystem must have been initialized by calling
+ *                  psa_crypto_init() before calling this function.
+ *
  * \param ctx       The PK context to fill. It must have been initialized
  *                  but not set up.
  * \param key       Input buffer to parse.
@@ -719,6 +1133,9 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *ctx,
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
  *                  specific key type, check the result with mbedtls_pk_can_do().
  *
+ * \note            For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ *                  limitations.
+ *
  * \note            The key is also checked for correctness.
  *
  * \return          0 if successful, or a specific PK or PEM error code
@@ -731,6 +1148,10 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
 /**
  * \brief           Load and parse a private key
  *
+ * \note            If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ *                  subsystem must have been initialized by calling
+ *                  psa_crypto_init() before calling this function.
+ *
  * \param ctx       The PK context to fill. It must have been initialized
  *                  but not set up.
  * \param path      filename to read the private key from
@@ -739,6 +1160,8 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
  *                  Pass a null-terminated string if expecting an encrypted
  *                  key; a non-encrypted key will also be accepted.
  *                  The empty password is not supported.
+ * \param f_rng     RNG function, must not be \c NULL. Used for blinding.
+ * \param p_rng     RNG parameter
  *
  * \note            On entry, ctx must be empty, either freshly initialised
  *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
@@ -749,7 +1172,8 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
  * \return          0 if successful, or a specific PK or PEM error code
  */
 int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx,
-                             const char *path, const char *password);
+                             const char *path, const char *password,
+                             mbedtls_f_rng_t *f_rng, void *p_rng);
 
 /** \ingroup pk_module */
 /**
@@ -786,7 +1210,7 @@ int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path);
  * \return          length of data written if successful, or a specific
  *                  error code
  */
-int mbedtls_pk_write_key_der(mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+int mbedtls_pk_write_key_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
 
 /**
  * \brief           Write a public key to a SubjectPublicKeyInfo DER structure
@@ -801,7 +1225,7 @@ int mbedtls_pk_write_key_der(mbedtls_pk_context *ctx, unsigned char *buf, size_t
  * \return          length of data written if successful, or a specific
  *                  error code
  */
-int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
 
 #if defined(MBEDTLS_PEM_WRITE_C)
 /**
@@ -814,7 +1238,7 @@ int mbedtls_pk_write_pubkey_der(mbedtls_pk_context *ctx, unsigned char *buf, siz
  *
  * \return          0 if successful, or a specific error code
  */
-int mbedtls_pk_write_pubkey_pem(mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+int mbedtls_pk_write_pubkey_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
 
 /**
  * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
@@ -826,7 +1250,7 @@ int mbedtls_pk_write_pubkey_pem(mbedtls_pk_context *ctx, unsigned char *buf, siz
  *
  * \return          0 if successful, or a specific error code
  */
-int mbedtls_pk_write_key_pem(mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
+int mbedtls_pk_write_key_pem(const mbedtls_pk_context *ctx, unsigned char *buf, size_t size);
 #endif /* MBEDTLS_PEM_WRITE_C */
 #endif /* MBEDTLS_PK_WRITE_C */
 
@@ -865,40 +1289,6 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
                             const mbedtls_pk_context *key);
 #endif /* MBEDTLS_PK_WRITE_C */
 
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
- */
-#if defined(MBEDTLS_FS_IO)
-int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n);
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * \brief           Turn an EC key into an opaque one.
- *
- * \warning         This is a temporary utility function for tests. It might
- *                  change or be removed at any time without notice.
- *
- * \note            Only ECDSA keys are supported so far. Signing with the
- *                  specified hash is the only allowed use of that key.
- *
- * \param pk        Input: the EC key to import to a PSA key.
- *                  Output: a PK context wrapping that PSA key.
- * \param key       Output: a PSA key identifier.
- *                  It's the caller's responsibility to call
- *                  psa_destroy_key() on that key identifier after calling
- *                  mbedtls_pk_free() on the PK context.
- * \param hash_alg  The hash algorithm to allow for use with that key.
- *
- * \return          \c 0 if successful.
- * \return          An Mbed TLS error code otherwise.
- */
-int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
-                              psa_key_id_t *key,
-                              psa_algorithm_t hash_alg);
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
 #ifdef __cplusplus
 }
 #endif

+ 0 - 241
thirdparty/mbedtls/include/mbedtls/pkcs11.h

@@ -1,241 +0,0 @@
-/**
- * \file pkcs11.h
- *
- * \brief Wrapper for PKCS#11 library libpkcs11-helper
- *
- * \author Adriaan de Jong <[email protected]>
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_PKCS11_H
-#define MBEDTLS_PKCS11_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if defined(MBEDTLS_PKCS11_C)
-
-#include "mbedtls/x509_crt.h"
-
-#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
-
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_DEPRECATED_REMOVED)
-
-/**
- * Context for PKCS #11 private keys.
- */
-typedef struct mbedtls_pkcs11_context {
-    pkcs11h_certificate_t pkcs11h_cert;
-    int len;
-} mbedtls_pkcs11_context;
-
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-
-/**
- * Initialize a mbedtls_pkcs11_context.
- * (Just making memory references valid.)
- *
- * \deprecated          This function is deprecated and will be removed in a
- *                      future version of the library.
- */
-MBEDTLS_DEPRECATED void mbedtls_pkcs11_init(mbedtls_pkcs11_context *ctx);
-
-/**
- * Fill in a Mbed TLS certificate, based on the given PKCS11 helper certificate.
- *
- * \deprecated          This function is deprecated and will be removed in a
- *                      future version of the library.
- *
- * \param cert          X.509 certificate to fill
- * \param pkcs11h_cert  PKCS #11 helper certificate
- *
- * \return              0 on success.
- */
-MBEDTLS_DEPRECATED int mbedtls_pkcs11_x509_cert_bind(mbedtls_x509_crt *cert,
-                                                     pkcs11h_certificate_t pkcs11h_cert);
-
-/**
- * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
- * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
- * done.
- *
- * \deprecated          This function is deprecated and will be removed in a
- *                      future version of the library.
- *
- * \param priv_key      Private key structure to fill.
- * \param pkcs11_cert   PKCS #11 helper certificate
- *
- * \return              0 on success
- */
-MBEDTLS_DEPRECATED int mbedtls_pkcs11_priv_key_bind(
-    mbedtls_pkcs11_context *priv_key,
-    pkcs11h_certificate_t pkcs11_cert);
-
-/**
- * Free the contents of the given private key context. Note that the structure
- * itself is not freed.
- *
- * \deprecated          This function is deprecated and will be removed in a
- *                      future version of the library.
- *
- * \param priv_key      Private key structure to cleanup
- */
-MBEDTLS_DEPRECATED void mbedtls_pkcs11_priv_key_free(
-    mbedtls_pkcs11_context *priv_key);
-
-/**
- * \brief          Do an RSA private key decrypt, then remove the message
- *                 padding
- *
- * \deprecated     This function is deprecated and will be removed in a future
- *                 version of the library.
- *
- * \param ctx      PKCS #11 context
- * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param olen     will contain the plaintext length
- * \param output_max_len    maximum length of the output buffer
- *
- * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-MBEDTLS_DEPRECATED int mbedtls_pkcs11_decrypt(mbedtls_pkcs11_context *ctx,
-                                              int mode, size_t *olen,
-                                              const unsigned char *input,
-                                              unsigned char *output,
-                                              size_t output_max_len);
-
-/**
- * \brief          Do a private RSA to sign a message digest
- *
- * \deprecated     This function is deprecated and will be removed in a future
- *                 version of the library.
- *
- * \param ctx      PKCS #11 context
- * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
- * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an MBEDTLS_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-MBEDTLS_DEPRECATED int mbedtls_pkcs11_sign(mbedtls_pkcs11_context *ctx,
-                                           int mode,
-                                           mbedtls_md_type_t md_alg,
-                                           unsigned int hashlen,
-                                           const unsigned char *hash,
-                                           unsigned char *sig);
-
-/**
- * SSL/TLS wrappers for PKCS#11 functions
- *
- * \deprecated     This function is deprecated and will be removed in a future
- *                 version of the library.
- */
-MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_decrypt(void *ctx,
-                                                                int mode,
-                                                                size_t *olen,
-                                                                const unsigned char *input,
-                                                                unsigned char *output,
-                                                                size_t output_max_len)
-{
-    return mbedtls_pkcs11_decrypt((mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
-                                  output_max_len);
-}
-
-/**
- * \brief          This function signs a message digest using RSA.
- *
- * \deprecated     This function is deprecated and will be removed in a future
- *                 version of the library.
- *
- * \param ctx      The PKCS #11 context.
- * \param f_rng    The RNG function. This parameter is unused.
- * \param p_rng    The RNG context. This parameter is unused.
- * \param mode     The operation to run. This must be set to
- *                 MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's
- *                 signature.
- * \param md_alg   The message digest algorithm. One of the MBEDTLS_MD_XXX
- *                 must be passed to this function and MBEDTLS_MD_NONE can be
- *                 used for signing raw data.
- * \param hashlen  The message digest length (for MBEDTLS_MD_NONE only).
- * \param hash     The buffer holding the message digest.
- * \param sig      The buffer that will hold the ciphertext.
- *
- * \return         \c 0 if the signing operation was successful.
- * \return         A non-zero error code on failure.
- *
- * \note           The \p sig buffer must be as large as the size of
- *                 <code>ctx->N</code>. For example, 128 bytes if RSA-1024 is
- *                 used.
- */
-MBEDTLS_DEPRECATED static inline int mbedtls_ssl_pkcs11_sign(void *ctx,
-                                                             int (*f_rng)(void *,
-                                                                          unsigned char *,
-                                                                          size_t),
-                                                             void *p_rng,
-                                                             int mode,
-                                                             mbedtls_md_type_t md_alg,
-                                                             unsigned int hashlen,
-                                                             const unsigned char *hash,
-                                                             unsigned char *sig)
-{
-    ((void) f_rng);
-    ((void) p_rng);
-    return mbedtls_pkcs11_sign((mbedtls_pkcs11_context *) ctx, mode, md_alg,
-                               hashlen, hash, sig);
-}
-
-/**
- * This function gets the length of the private key.
- *
- * \deprecated     This function is deprecated and will be removed in a future
- *                 version of the library.
- *
- * \param ctx      The PKCS #11 context.
- *
- * \return         The length of the private key.
- */
-MBEDTLS_DEPRECATED static inline size_t mbedtls_ssl_pkcs11_key_len(void *ctx)
-{
-    return ((mbedtls_pkcs11_context *) ctx)->len;
-}
-
-#undef MBEDTLS_DEPRECATED
-
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* MBEDTLS_PKCS11_C */
-
-#endif /* MBEDTLS_PKCS11_H */

+ 18 - 34
thirdparty/mbedtls/include/mbedtls/pkcs12.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_PKCS12_H
 #define MBEDTLS_PKCS12_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/md.h"
 #include "mbedtls/cipher.h"
@@ -35,34 +31,16 @@
 #define MBEDTLS_PKCS12_DERIVE_IV        2   /**< initialization vector     */
 #define MBEDTLS_PKCS12_DERIVE_MAC_KEY   3   /**< integrity / MAC key       */
 
-#define MBEDTLS_PKCS12_PBE_DECRYPT      0
-#define MBEDTLS_PKCS12_PBE_ENCRYPT      1
+#define MBEDTLS_PKCS12_PBE_DECRYPT      MBEDTLS_DECRYPT
+#define MBEDTLS_PKCS12_PBE_ENCRYPT      MBEDTLS_ENCRYPT
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#if defined(MBEDTLS_ASN1_PARSE_C)
-
-/**
- * \brief            PKCS12 Password Based function (encryption / decryption)
- *                   for pbeWithSHAAnd128BitRC4
- *
- * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
- * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
- * \param pwd        the password used (may be NULL if no password is used)
- * \param pwdlen     length of the password (may be 0)
- * \param input      the input data
- * \param len        data length
- * \param output     the output buffer
- *
- * \return           0 if successful, or a MBEDTLS_ERR_XXX code
- */
-int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
-                                    const unsigned char *pwd,  size_t pwdlen,
-                                    const unsigned char *input, size_t len,
-                                    unsigned char *output);
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief            PKCS12 Password Based function (encryption / decryption)
  *                   for cipher-based and mbedtls_md-based PBE's
@@ -70,6 +48,10 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
  * \note             When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
  *                   be enabled at compile time.
  *
+ * \deprecated       This function is deprecated and will be removed in a
+ *                   future version of the library.
+ *                   Please use mbedtls_pkcs12_pbe_ext() instead.
+ *
  * \warning          When decrypting:
  *                   - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
  *                     time, this function validates the CBC padding and returns
@@ -104,11 +86,13 @@ int mbedtls_pkcs12_pbe_sha1_rc4_128(mbedtls_asn1_buf *pbe_params, int mode,
  *
  * \return           0 if successful, or a MBEDTLS_ERR_XXX code
  */
-int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
-                       mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
-                       const unsigned char *pwd,  size_t pwdlen,
-                       const unsigned char *data, size_t len,
-                       unsigned char *output);
+int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
+                                          mbedtls_cipher_type_t cipher_type,
+                                          mbedtls_md_type_t md_type,
+                                          const unsigned char *pwd,  size_t pwdlen,
+                                          const unsigned char *data, size_t len,
+                                          unsigned char *output);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
 
@@ -161,7 +145,7 @@ int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
 
 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
 
-#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */
 
 /**
  * \brief            The PKCS#12 derivation function uses a password and a salt
@@ -179,7 +163,7 @@ int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
  *                   no byte order mark and with a null terminator (i.e. the
  *                   last two bytes should be 0x00 0x00).
  * \param pwdlen     length of the password (may be 0).
- * \param salt       Salt buffer to use This may only be \c NULL when
+ * \param salt       Salt buffer to use. This may only be \c NULL when
  *                   \p saltlen is 0.
  * \param saltlen    length of the salt (may be zero)
  * \param mbedtls_md mbedtls_md type to use during the derivation

+ 51 - 18
thirdparty/mbedtls/include/mbedtls/pkcs5.h

@@ -12,14 +12,12 @@
 #ifndef MBEDTLS_PKCS5_H
 #define MBEDTLS_PKCS5_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/md.h"
+#include "mbedtls/cipher.h"
 
 #include <stddef.h>
 #include <stdint.h>
@@ -33,21 +31,26 @@
 /** Given private key password does not allow for correct decryption. */
 #define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH               -0x2e00
 
-#define MBEDTLS_PKCS5_DECRYPT      0
-#define MBEDTLS_PKCS5_ENCRYPT      1
+#define MBEDTLS_PKCS5_DECRYPT      MBEDTLS_DECRYPT
+#define MBEDTLS_PKCS5_ENCRYPT      MBEDTLS_ENCRYPT
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#if defined(MBEDTLS_ASN1_PARSE_C)
+#if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C)
 
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief          PKCS#5 PBES2 function
  *
  * \note           When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
  *                 be enabled at compile time.
  *
+ * \deprecated     This function is deprecated and will be removed in a
+ *                 future version of the library.
+ *                 Please use mbedtls_pkcs5_pbes2_ext() instead.
+ *
  * \warning        When decrypting:
  *                 - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
  *                   time, this function validates the CBC padding and returns
@@ -78,10 +81,11 @@ extern "C" {
  *
  * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
  */
-int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
-                        const unsigned char *pwd,  size_t pwdlen,
-                        const unsigned char *data, size_t datalen,
-                        unsigned char *output);
+int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
+                                           const unsigned char *pwd,  size_t pwdlen,
+                                           const unsigned char *data, size_t datalen,
+                                           unsigned char *output);
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
 
@@ -126,11 +130,35 @@ int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
 
 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
 
-#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C*/
 
+/**
+ * \brief          PKCS#5 PBKDF2 using HMAC without using the HMAC context
+ *
+ * \param md_type  Hash algorithm used
+ * \param password Password to use when generating key
+ * \param plen     Length of password
+ * \param salt     Salt to use when generating key
+ * \param slen     Length of salt
+ * \param iteration_count       Iteration count
+ * \param key_length            Length of generated key in bytes
+ * \param output   Generated key. Must be at least as big as key_length
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbkdf2_hmac_ext(mbedtls_md_type_t md_type,
+                                  const unsigned char *password,
+                                  size_t plen, const unsigned char *salt, size_t slen,
+                                  unsigned int iteration_count,
+                                  uint32_t key_length, unsigned char *output);
+
+#if defined(MBEDTLS_MD_C)
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief          PKCS#5 PBKDF2 using HMAC
  *
+ * \deprecated     Superseded by mbedtls_pkcs5_pbkdf2_hmac_ext().
+ *
  * \param ctx      Generic HMAC context
  * \param password Password to use when generating key
  * \param plen     Length of password
@@ -142,11 +170,16 @@ int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
  *
  * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
  */
-int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx, const unsigned char *password,
-                              size_t plen, const unsigned char *salt, size_t slen,
-                              unsigned int iteration_count,
-                              uint32_t key_length, unsigned char *output);
-
+int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *ctx,
+                                                 const unsigned char *password,
+                                                 size_t plen,
+                                                 const unsigned char *salt,
+                                                 size_t slen,
+                                                 unsigned int iteration_count,
+                                                 uint32_t key_length,
+                                                 unsigned char *output);
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_MD_C */
 #if defined(MBEDTLS_SELF_TEST)
 
 /**

+ 240 - 0
thirdparty/mbedtls/include/mbedtls/pkcs7.h

@@ -0,0 +1,240 @@
+/**
+ * \file pkcs7.h
+ *
+ * \brief PKCS #7 generic defines and structures
+ *  https://tools.ietf.org/html/rfc2315
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+/**
+ * Note: For the time being, this implementation of the PKCS #7 cryptographic
+ * message syntax is a partial implementation of RFC 2315.
+ * Differences include:
+ *  - The RFC specifies 6 different content types. The only type currently
+ *    supported in Mbed TLS is the signed-data content type.
+ *  - The only supported PKCS #7 Signed Data syntax version is version 1
+ *  - The RFC specifies support for BER. This implementation is limited to
+ *    DER only.
+ *  - The RFC specifies that multiple digest algorithms can be specified
+ *    in the Signed Data type. Only one digest algorithm is supported in Mbed TLS.
+ *  - The RFC specifies the Signed Data type can contain multiple X.509 or PKCS #6 extended
+ *    certificates. In Mbed TLS, this list can only contain 0 or 1 certificates
+ *    and they must be in X.509 format.
+ *  - The RFC specifies the Signed Data type can contain
+ *    certificate-revocation lists (CRLs). This implementation has no support
+ *    for CRLs so it is assumed to be an empty list.
+ *  - The RFC allows for SignerInfo structure to optionally contain
+ *    unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is
+ *    assumed these fields are empty.
+ *  - The RFC allows for the signed Data type to contain contentInfo. This
+ *    implementation assumes the type is DATA and the content is empty.
+ */
+
+#ifndef MBEDTLS_PKCS7_H
+#define MBEDTLS_PKCS7_H
+
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/x509_crt.h"
+
+/**
+ * \name PKCS #7 Module Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT                   -0x5300  /**< The format is invalid, e.g. different type expected. */
+#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE              -0x5380  /**< Unavailable feature, e.g. anything other than signed data. */
+#define MBEDTLS_ERR_PKCS7_INVALID_VERSION                  -0x5400  /**< The PKCS #7 version element is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO             -0x5480  /**< The PKCS #7 content info is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_ALG                      -0x5500  /**< The algorithm tag or value is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_CERT                     -0x5580  /**< The certificate tag or value is invalid or cannot be parsed. */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE                -0x5600  /**< Error parsing the signature */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO              -0x5680  /**< Error parsing the signer's info */
+#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA                   -0x5700  /**< Input invalid. */
+#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED                     -0x5780  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL                      -0x5800  /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID                -0x5880  /**< The PKCS #7 date issued/expired dates are invalid */
+/* \} name */
+
+/**
+ * \name PKCS #7 Supported Version
+ * \{
+ */
+#define MBEDTLS_PKCS7_SUPPORTED_VERSION                           0x01
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Type-length-value structure that allows for ASN.1 using DER.
+ */
+typedef mbedtls_asn1_buf mbedtls_pkcs7_buf;
+
+/**
+ * Container for ASN.1 named information objects.
+ * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
+ */
+typedef mbedtls_asn1_named_data mbedtls_pkcs7_name;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence;
+
+/**
+ * PKCS #7 types
+ */
+typedef enum {
+    MBEDTLS_PKCS7_NONE=0,
+    MBEDTLS_PKCS7_DATA,
+    MBEDTLS_PKCS7_SIGNED_DATA,
+    MBEDTLS_PKCS7_ENVELOPED_DATA,
+    MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA,
+    MBEDTLS_PKCS7_DIGESTED_DATA,
+    MBEDTLS_PKCS7_ENCRYPTED_DATA,
+}
+mbedtls_pkcs7_type;
+
+/**
+ * Structure holding PKCS #7 signer info
+ */
+typedef struct mbedtls_pkcs7_signer_info {
+    int MBEDTLS_PRIVATE(version);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
+    mbedtls_x509_name MBEDTLS_PRIVATE(issuer);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+    struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next);
+}
+mbedtls_pkcs7_signer_info;
+
+/**
+ * Structure holding the signed data section
+ */
+typedef struct mbedtls_pkcs7_signed_data {
+    int MBEDTLS_PRIVATE(version);
+    mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers);
+    int MBEDTLS_PRIVATE(no_of_certs);
+    mbedtls_x509_crt MBEDTLS_PRIVATE(certs);
+    int MBEDTLS_PRIVATE(no_of_crls);
+    mbedtls_x509_crl MBEDTLS_PRIVATE(crl);
+    int MBEDTLS_PRIVATE(no_of_signers);
+    mbedtls_pkcs7_signer_info MBEDTLS_PRIVATE(signers);
+}
+mbedtls_pkcs7_signed_data;
+
+/**
+ * Structure holding PKCS #7 structure, only signed data for now
+ */
+typedef struct mbedtls_pkcs7 {
+    mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
+    mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+}
+mbedtls_pkcs7;
+
+/**
+ * \brief          Initialize mbedtls_pkcs7 structure.
+ *
+ * \param pkcs7    mbedtls_pkcs7 structure.
+ */
+void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7);
+
+/**
+ * \brief          Parse a single DER formatted PKCS #7 detached signature.
+ *
+ * \param pkcs7    The mbedtls_pkcs7 structure to be filled by the parser.
+ * \param buf      The buffer holding only the DER encoded PKCS #7 content.
+ * \param buflen   The size in bytes of \p buf. The size must be exactly the
+ *                 length of the DER encoded PKCS #7 content.
+ *
+ * \note           This function makes an internal copy of the PKCS #7 buffer
+ *                 \p buf. In particular, \p buf may be destroyed or reused
+ *                 after this call returns.
+ * \note           Signatures with internal data are not supported.
+ *
+ * \return         The \c mbedtls_pkcs7_type of \p buf, if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+                            const size_t buflen);
+
+/**
+ * \brief          Verification of PKCS #7 signature against a caller-supplied
+ *                 certificate.
+ *
+ *                 For each signer in the PKCS structure, this function computes
+ *                 a signature over the supplied data, using the supplied
+ *                 certificate and the same digest algorithm as specified by the
+ *                 signer. It then compares this signature against the
+ *                 signer's signature; verification succeeds if any comparison
+ *                 matches.
+ *
+ *                 This function does not use the certificates held within the
+ *                 PKCS #7 structure itself, and does not check that the
+ *                 certificate is signed by a trusted certification authority.
+ *
+ * \param pkcs7    mbedtls_pkcs7 structure containing signature.
+ * \param cert     Certificate containing key to verify signature.
+ * \param data     Plain data on which signature has to be verified.
+ * \param datalen  Length of the data.
+ *
+ * \note           This function internally calculates the hash on the supplied
+ *                 plain data for signature verification.
+ *
+ * \return         0 if the signature verifies, or a negative error code on failure.
+ */
+int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7,
+                                     const mbedtls_x509_crt *cert,
+                                     const unsigned char *data,
+                                     size_t datalen);
+
+/**
+ * \brief          Verification of PKCS #7 signature against a caller-supplied
+ *                 certificate.
+ *
+ *                 For each signer in the PKCS structure, this function
+ *                 validates a signature over the supplied hash, using the
+ *                 supplied certificate and the same digest algorithm as
+ *                 specified by the signer. Verification succeeds if any
+ *                 signature is good.
+ *
+ *                 This function does not use the certificates held within the
+ *                 PKCS #7 structure itself, and does not check that the
+ *                 certificate is signed by a trusted certification authority.
+ *
+ * \param pkcs7    PKCS #7 structure containing signature.
+ * \param cert     Certificate containing key to verify signature.
+ * \param hash     Hash of the plain data on which signature has to be verified.
+ * \param hashlen  Length of the hash.
+ *
+ * \note           This function is different from mbedtls_pkcs7_signed_data_verify()
+ *                 in that it is directly passed the hash of the data.
+ *
+ * \return         0 if the signature verifies, or a negative error code on failure.
+ */
+int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7,
+                                     const mbedtls_x509_crt *cert,
+                                     const unsigned char *hash, size_t hashlen);
+
+/**
+ * \brief          Unallocate all PKCS #7 data and zeroize the memory.
+ *                 It doesn't free \p pkcs7 itself. This should be done by the caller.
+ *
+ * \param pkcs7    mbedtls_pkcs7 structure to free.
+ */
+void mbedtls_pkcs7_free(mbedtls_pkcs7 *pkcs7);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs7.h */

+ 60 - 12
thirdparty/mbedtls/include/mbedtls/platform.h

@@ -25,22 +25,14 @@
  */
 #ifndef MBEDTLS_PLATFORM_H
 #define MBEDTLS_PLATFORM_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #if defined(MBEDTLS_HAVE_TIME)
 #include "mbedtls/platform_time.h"
 #endif
 
-/** Hardware accelerator failed */
-#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070
-/** The requested feature is not supported by the platform */
-#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -49,7 +41,7 @@ extern "C" {
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 
@@ -94,6 +86,9 @@ extern "C" {
 #if !defined(MBEDTLS_PLATFORM_STD_FREE)
 #define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
 #endif
+#if !defined(MBEDTLS_PLATFORM_STD_SETBUF)
+#define MBEDTLS_PLATFORM_STD_SETBUF   setbuf /**< The default \c setbuf function to use. */
+#endif
 #if !defined(MBEDTLS_PLATFORM_STD_EXIT)
 #define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
 #endif
@@ -298,6 +293,59 @@ int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
 #endif /* MBEDTLS_PLATFORM_VSNPRINTF_MACRO */
 #endif /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
 
+/*
+ * The function pointers for setbuf
+ */
+#if defined(MBEDTLS_PLATFORM_SETBUF_ALT)
+#include <stdio.h>
+/**
+ * \brief                  Function pointer to call for `setbuf()` functionality
+ *                         (changing the internal buffering on stdio calls).
+ *
+ * \note                   The library calls this function to disable
+ *                         buffering when reading or writing sensitive data,
+ *                         to avoid having extra copies of sensitive data
+ *                         remaining in stdio buffers after the file is
+ *                         closed. If this is not a concern, for example if
+ *                         your platform's stdio doesn't have any buffering,
+ *                         you can set mbedtls_setbuf to a function that
+ *                         does nothing.
+ *
+ *                         The library always calls this function with
+ *                         `buf` equal to `NULL`.
+ */
+extern void (*mbedtls_setbuf)(FILE *stream, char *buf);
+
+/**
+ * \brief                  Dynamically configure the function that is called
+ *                         when the mbedtls_setbuf() function is called by the
+ *                         library.
+ *
+ * \param   setbuf_func   The \c setbuf function implementation
+ *
+ * \return                 \c 0
+ */
+int mbedtls_platform_set_setbuf(void (*setbuf_func)(
+                                    FILE *stream, char *buf));
+#else
+#undef mbedtls_setbuf
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
+/**
+ * \brief                  Macro defining the function for the library to
+ *                         call for `setbuf` functionality (changing the
+ *                         internal buffering on stdio calls).
+ *
+ * \note                   See extra comments on the mbedtls_setbuf() function
+ *                         pointer above.
+ *
+ * \return                 \c 0 on success, negative on error.
+ */
+#define mbedtls_setbuf    MBEDTLS_PLATFORM_SETBUF_MACRO
+#else
+#define mbedtls_setbuf    setbuf
+#endif /* MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
+
 /*
  * The function pointers for exit
  */
@@ -390,7 +438,7 @@ int mbedtls_platform_set_nv_seed(
  *          setup or teardown operations.
  */
 typedef struct mbedtls_platform_context {
-    char dummy; /**< A placeholder member, as empty structs are not portable. */
+    char MBEDTLS_PRIVATE(dummy); /**< A placeholder member, as empty structs are not portable. */
 }
 mbedtls_platform_context;
 

+ 24 - 5
thirdparty/mbedtls/include/mbedtls/platform_time.h

@@ -10,11 +10,7 @@
 #ifndef MBEDTLS_PLATFORM_TIME_H
 #define MBEDTLS_PLATFORM_TIME_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -31,6 +27,29 @@ typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
 typedef time_t mbedtls_time_t;
 #endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
 
+#if defined(MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO mbedtls_ms_time_t;
+#else
+#include <stdint.h>
+#include <inttypes.h>
+typedef int64_t mbedtls_ms_time_t;
+#endif /* MBEDTLS_PLATFORM_MS_TIME_TYPE_MACRO */
+
+/**
+ * \brief   Get time in milliseconds.
+ *
+ * \return Monotonically-increasing current time in milliseconds.
+ *
+ * \note Define MBEDTLS_PLATFORM_MS_TIME_ALT to be able to provide an
+ *       alternative implementation
+ *
+ * \warning This function returns a monotonically-increasing time value from a
+ *          start time that will differ from platform to platform, and possibly
+ *          from run to run of the process.
+ *
+ */
+mbedtls_ms_time_t mbedtls_ms_time(void);
+
 /*
  * The function pointers for time
  */

+ 53 - 83
thirdparty/mbedtls/include/mbedtls/platform_util.h

@@ -11,11 +11,7 @@
 #ifndef MBEDTLS_PLATFORM_UTIL_H
 #define MBEDTLS_PLATFORM_UTIL_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #if defined(MBEDTLS_HAVE_TIME_DATE)
@@ -27,85 +23,9 @@
 extern "C" {
 #endif
 
-#if defined(MBEDTLS_CHECK_PARAMS)
-
-#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
-/* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
- * (which is what our config.h suggests). */
-#include <assert.h>
-#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
-
-#if defined(MBEDTLS_PARAM_FAILED)
-/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
- *
- * This flag can be used to check whether it is safe to assume that
- * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
- */
-#define MBEDTLS_PARAM_FAILED_ALT
-
-#elif defined(MBEDTLS_CHECK_PARAMS_ASSERT)
-#define MBEDTLS_PARAM_FAILED(cond) assert(cond)
-#define MBEDTLS_PARAM_FAILED_ALT
-
-#else /* MBEDTLS_PARAM_FAILED */
-#define MBEDTLS_PARAM_FAILED(cond) \
-    mbedtls_param_failed( #cond, __FILE__, __LINE__)
-
-/**
- * \brief       User supplied callback function for parameter validation failure.
- *              See #MBEDTLS_CHECK_PARAMS for context.
- *
- *              This function will be called unless an alternative treatment
- *              is defined through the #MBEDTLS_PARAM_FAILED macro.
- *
- *              This function can return, and the operation will be aborted, or
- *              alternatively, through use of setjmp()/longjmp() can resume
- *              execution in the application code.
- *
- * \param failure_condition The assertion that didn't hold.
- * \param file  The file where the assertion failed.
- * \param line  The line in the file where the assertion failed.
- */
-void mbedtls_param_failed(const char *failure_condition,
-                          const char *file,
-                          int line);
-#endif /* MBEDTLS_PARAM_FAILED */
-
-/* Internal macro meant to be called only from within the library. */
-#define MBEDTLS_INTERNAL_VALIDATE_RET(cond, ret)  \
-    do {                                            \
-        if (!(cond))                               \
-        {                                           \
-            MBEDTLS_PARAM_FAILED(cond);           \
-            return ret;                          \
-        }                                           \
-    } while (0)
-
-/* Internal macro meant to be called only from within the library. */
-#define MBEDTLS_INTERNAL_VALIDATE(cond)           \
-    do {                                            \
-        if (!(cond))                               \
-        {                                           \
-            MBEDTLS_PARAM_FAILED(cond);           \
-            return;                                 \
-        }                                           \
-    } while (0)
-
-#else /* MBEDTLS_CHECK_PARAMS */
-
-/* Internal macros meant to be called only from within the library. */
-#define MBEDTLS_INTERNAL_VALIDATE_RET(cond, ret)  do { } while (0)
-#define MBEDTLS_INTERNAL_VALIDATE(cond)           do { } while (0)
-
-#endif /* MBEDTLS_CHECK_PARAMS */
-
 /* Internal helper macros for deprecating API constants. */
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 #if defined(MBEDTLS_DEPRECATED_WARNING)
-/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
- * to avoid conflict with other headers which define and use
- * it, too. We might want to move all these definitions here at
- * some point for uniformity. */
 #define MBEDTLS_DEPRECATED __attribute__((deprecated))
 MBEDTLS_DEPRECATED typedef char const *mbedtls_deprecated_string_constant_t;
 #define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL)       \
@@ -113,15 +33,15 @@ MBEDTLS_DEPRECATED typedef char const *mbedtls_deprecated_string_constant_t;
 MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
 #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL)       \
     ((mbedtls_deprecated_numeric_constant_t) (VAL))
-#undef MBEDTLS_DEPRECATED
 #else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED
 #define MBEDTLS_DEPRECATED_STRING_CONSTANT(VAL) VAL
 #define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT(VAL) VAL
 #endif /* MBEDTLS_DEPRECATED_WARNING */
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
 
 /* Implementation of the check-return facility.
- * See the user documentation in config.h.
+ * See the user documentation in mbedtls_config.h.
  *
  * Do not use this macro directly to annotate function: instead,
  * use one of MBEDTLS_CHECK_RETURN_CRITICAL or MBEDTLS_CHECK_RETURN_TYPICAL
@@ -239,6 +159,56 @@ MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
 void mbedtls_platform_zeroize(void *buf, size_t len);
 #endif
 
+/** \brief              The type of custom random generator (RNG) callbacks.
+ *
+ *                      Many Mbed TLS functions take two parameters
+ *                      `mbedtls_f_rng_t *f_rng, void *p_rng`. The
+ *                      library will call \c f_rng to generate
+ *                      random values.
+ *
+ * \note                This is typically one of the following:
+ *                      - mbedtls_ctr_drbg_random() with \c p_rng
+ *                        pointing to a #mbedtls_ctr_drbg_context;
+ *                      - mbedtls_hmac_drbg_random() with \c p_rng
+ *                        pointing to a #mbedtls_hmac_drbg_context;
+ *                      - mbedtls_psa_get_random() with
+ *                        `prng = MBEDTLS_PSA_RANDOM_STATE`.
+ *
+ * \note                Generally, given a call
+ *                      `mbedtls_foo(f_rng, p_rng, ....)`, the RNG callback
+ *                      and the context only need to remain valid until
+ *                      the call to `mbedtls_foo` returns. However, there
+ *                      are a few exceptions where the callback is stored
+ *                      in for future use. Check the documentation of
+ *                      the calling function.
+ *
+ * \warning             In a multithreaded environment, calling the
+ *                      function should be thread-safe. The standard
+ *                      functions provided by the library are thread-safe
+ *                      when #MBEDTLS_THREADING_C is enabled.
+ *
+ * \warning             This function must either provide as many
+ *                      bytes as requested of **cryptographic quality**
+ *                      random data, or return a negative error code.
+ *
+ * \param p_rng         The \c p_rng argument that was passed along \c f_rng.
+ *                      The library always passes \c p_rng unchanged.
+ *                      This is typically a pointer to the random generator
+ *                      state, or \c NULL if the custom random generator
+ *                      doesn't need a context-specific state.
+ * \param[out] output   On success, this must be filled with \p output_size
+ *                      bytes of cryptographic-quality random data.
+ * \param output_size   The number of bytes to output.
+ *
+ * \return              \c 0 on success, or a negative error code on failure.
+ *                      Library functions will generally propagate this
+ *                      error code, so \c MBEDTLS_ERR_xxx values are
+ *                      recommended. #MBEDTLS_ERR_ENTROPY_SOURCE_FAILED is
+ *                      typically sensible for RNG failures.
+ */
+typedef int mbedtls_f_rng_t(void *p_rng,
+                            unsigned char *output, size_t output_size);
+
 #if defined(MBEDTLS_HAVE_TIME_DATE)
 /**
  * \brief      Platform-specific implementation of gmtime_r()

+ 7 - 20
thirdparty/mbedtls/include/mbedtls/poly1305.h

@@ -19,12 +19,9 @@
 
 #ifndef MBEDTLS_POLY1305_H
 #define MBEDTLS_POLY1305_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stdint.h>
 #include <stddef.h>
@@ -32,16 +29,6 @@
 /** Invalid input parameter(s). */
 #define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057
 
-/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
- * used. */
-/** Feature not available. For example, s part of the API is not implemented. */
-#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059
-
-/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
- */
-/** Poly1305 hardware accelerator failed. */
-#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -49,11 +36,11 @@ extern "C" {
 #if !defined(MBEDTLS_POLY1305_ALT)
 
 typedef struct mbedtls_poly1305_context {
-    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
-    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
-    uint32_t acc[5];    /** The accumulator number. */
-    uint8_t queue[16];  /** The current partial block of data. */
-    size_t queue_len;   /** The number of bytes stored in 'queue'. */
+    uint32_t MBEDTLS_PRIVATE(r)[4];      /** The value for 'r' (low 128 bits of the key). */
+    uint32_t MBEDTLS_PRIVATE(s)[4];      /** The value for 's' (high 128 bits of the key). */
+    uint32_t MBEDTLS_PRIVATE(acc)[5];    /** The accumulator number. */
+    uint8_t MBEDTLS_PRIVATE(queue)[16];  /** The current partial block of data. */
+    size_t MBEDTLS_PRIVATE(queue_len);   /** The number of bytes stored in 'queue'. */
 }
 mbedtls_poly1305_context;
 

+ 20 - 0
thirdparty/mbedtls/include/mbedtls/private_access.h

@@ -0,0 +1,20 @@
+/**
+ * \file private_access.h
+ *
+ * \brief Macro wrapper for struct's members.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PRIVATE_ACCESS_H
+#define MBEDTLS_PRIVATE_ACCESS_H
+
+#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
+#define MBEDTLS_PRIVATE(member) private_##member
+#else
+#define MBEDTLS_PRIVATE(member) member
+#endif
+
+#endif /* MBEDTLS_PRIVATE_ACCESS_H */

+ 207 - 0
thirdparty/mbedtls/include/mbedtls/psa_util.h

@@ -0,0 +1,207 @@
+/**
+ * \file psa_util.h
+ *
+ * \brief Utility functions for the use of the PSA Crypto library.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_PSA_UTIL_H
+#define MBEDTLS_PSA_UTIL_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include "psa/crypto.h"
+
+/* ASN1 defines used in the ECDSA conversion functions.
+ * Note: intentionally not adding MBEDTLS_ASN1_[PARSE|WRITE]_C guards here
+ * otherwise error codes would be unknown in test_suite_psa_crypto_util.data.*/
+#include <mbedtls/asn1write.h>
+
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+
+/** The random generator function for the PSA subsystem.
+ *
+ * This function is suitable as the `f_rng` random generator function
+ * parameter of many `mbedtls_xxx` functions.
+ *
+ * The implementation of this function depends on the configuration of the
+ * library.
+ *
+ * \note This function may only be used if the PSA crypto subsystem is active.
+ *       This means that you must call psa_crypto_init() before any call to
+ *       this function, and you must not call this function after calling
+ *       mbedtls_psa_crypto_free().
+ *
+ * \param p_rng         This parameter is only kept for backward compatibility
+ *                      reasons with legacy `f_rng` functions and it's ignored.
+ *                      Set to #MBEDTLS_PSA_RANDOM_STATE or NULL.
+ * \param output        The buffer to fill. It must have room for
+ *                      \c output_size bytes.
+ * \param output_size   The number of bytes to write to \p output.
+ *                      This function may fail if \p output_size is too
+ *                      large. It is guaranteed to accept any output size
+ *                      requested by Mbed TLS library functions. The
+ *                      maximum request size depends on the library
+ *                      configuration.
+ *
+ * \return              \c 0 on success.
+ * \return              An `MBEDTLS_ERR_ENTROPY_xxx`,
+ *                      `MBEDTLS_ERR_PLATFORM_xxx,
+ *                      `MBEDTLS_ERR_CTR_DRBG_xxx` or
+ *                      `MBEDTLS_ERR_HMAC_DRBG_xxx` on error.
+ */
+int mbedtls_psa_get_random(void *p_rng,
+                           unsigned char *output,
+                           size_t output_size);
+
+/** The random generator state for the PSA subsystem.
+ *
+ * This macro always expands to NULL because the `p_rng` parameter is unused
+ * in mbedtls_psa_get_random(), but it's kept for interface's backward
+ * compatibility.
+ */
+#define MBEDTLS_PSA_RANDOM_STATE    NULL
+
+/** \defgroup psa_tls_helpers TLS helper functions
+ * @{
+ */
+#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#include <mbedtls/ecp.h>
+
+/** Convert an ECC curve identifier from the Mbed TLS encoding to PSA.
+ *
+ * \param grpid         An Mbed TLS elliptic curve identifier
+ *                      (`MBEDTLS_ECP_DP_xxx`).
+ * \param[out] bits     On success the bit size of the curve; 0 on failure.
+ *
+ * \return              If the curve is supported in the PSA API, this function
+ *                      returns the proper PSA curve identifier
+ *                      (`PSA_ECC_FAMILY_xxx`). This holds even if the curve is
+ *                      not supported by the ECP module.
+ * \return              \c 0 if the curve is not supported in the PSA API.
+ */
+psa_ecc_family_t mbedtls_ecc_group_to_psa(mbedtls_ecp_group_id grpid,
+                                          size_t *bits);
+
+/** Convert an ECC curve identifier from the PSA encoding to Mbed TLS.
+ *
+ * \param family        A PSA elliptic curve family identifier
+ *                      (`PSA_ECC_FAMILY_xxx`).
+ * \param bits          The bit-length of a private key on \p curve.
+ *
+ * \return              If the curve is supported in the PSA API, this function
+ *                      returns the corresponding Mbed TLS elliptic curve
+ *                      identifier (`MBEDTLS_ECP_DP_xxx`).
+ * \return              #MBEDTLS_ECP_DP_NONE if the combination of \c curve
+ *                      and \p bits is not supported.
+ */
+mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
+                                                size_t bits);
+#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+
+/**
+ * \brief           This function returns the PSA algorithm identifier
+ *                  associated with the given digest type.
+ *
+ * \param md_type   The type of digest to search for. Must not be NONE.
+ *
+ * \warning         If \p md_type is \c MBEDTLS_MD_NONE, this function will
+ *                  not return \c PSA_ALG_NONE, but an invalid algorithm.
+ *
+ * \warning         This function does not check if the algorithm is
+ *                  supported, it always returns the corresponding identifier.
+ *
+ * \return          The PSA algorithm identifier associated with \p md_type,
+ *                  regardless of whether it is supported or not.
+ */
+static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
+{
+    return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) md_type;
+}
+
+/**
+ * \brief           This function returns the given digest type
+ *                  associated with the PSA algorithm identifier.
+ *
+ * \param psa_alg   The PSA algorithm identifier to search for.
+ *
+ * \warning         This function does not check if the algorithm is
+ *                  supported, it always returns the corresponding identifier.
+ *
+ * \return          The MD type associated with \p psa_alg,
+ *                  regardless of whether it is supported or not.
+ */
+static inline mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
+{
+    return (mbedtls_md_type_t) (psa_alg & PSA_ALG_HASH_MASK);
+}
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+
+#if defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
+
+/** Convert an ECDSA signature from raw format to DER ASN.1 format.
+ *
+ * \param       bits        Size of each coordinate in bits.
+ * \param       raw         Buffer that contains the signature in raw format.
+ * \param       raw_len     Length of \p raw in bytes. This must be
+ *                          PSA_BITS_TO_BYTES(bits) bytes.
+ * \param[out]  der         Buffer that will be filled with the converted DER
+ *                          output. It can overlap with raw buffer.
+ * \param       der_size    Size of \p der in bytes. It is enough if \p der_size
+ *                          is at least the size of the actual output. (The size
+ *                          of the output can vary depending on the presence of
+ *                          leading zeros in the data.) You can use
+ *                          #MBEDTLS_ECDSA_MAX_SIG_LEN(\p bits) to determine a
+ *                          size that is large enough for all signatures for a
+ *                          given value of \p bits.
+ * \param[out]  der_len     On success it contains the amount of valid data
+ *                          (in bytes) written to \p der. It's undefined
+ *                          in case of failure.
+ *
+ * \note                    The behavior is undefined if \p der is null,
+ *                          even if \p der_size is 0.
+ *
+ * \return                  0 if successful.
+ * \return                  #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p der_size
+ *                          is too small or if \p bits is larger than the
+ *                          largest supported curve.
+ * \return                  #MBEDTLS_ERR_ASN1_INVALID_DATA if one of the
+ *                          numbers in the signature is 0.
+ */
+int mbedtls_ecdsa_raw_to_der(size_t bits, const unsigned char *raw, size_t raw_len,
+                             unsigned char *der, size_t der_size, size_t *der_len);
+
+/** Convert an ECDSA signature from DER ASN.1 format to raw format.
+ *
+ * \param       bits        Size of each coordinate in bits.
+ * \param       der         Buffer that contains the signature in DER format.
+ * \param       der_len     Size of \p der in bytes.
+ * \param[out]  raw         Buffer that will be filled with the converted raw
+ *                          signature. It can overlap with der buffer.
+ * \param       raw_size    Size of \p raw in bytes. Must be at least
+ *                          2 * PSA_BITS_TO_BYTES(bits) bytes.
+ * \param[out]  raw_len     On success it is updated with the amount of valid
+ *                          data (in bytes) written to \p raw. It's undefined
+ *                          in case of failure.
+ *
+ * \return                  0 if successful.
+ * \return                  #MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if \p raw_size
+ *                          is too small or if \p bits is larger than the
+ *                          largest supported curve.
+ * \return                  #MBEDTLS_ERR_ASN1_INVALID_DATA if the data in
+ *                          \p der is inconsistent with \p bits.
+ * \return                  An \c MBEDTLS_ERR_ASN1_xxx error code if
+ *                          \p der is malformed.
+ */
+int mbedtls_ecdsa_der_to_raw(size_t bits, const unsigned char *der, size_t der_len,
+                             unsigned char *raw, size_t raw_size, size_t *raw_len);
+
+#endif /* MBEDTLS_PSA_UTIL_HAVE_ECDSA */
+
+/**@}*/
+
+#endif /* MBEDTLS_PSA_UTIL_H */

+ 14 - 101
thirdparty/mbedtls/include/mbedtls/ripemd160.h

@@ -9,21 +9,13 @@
  */
 #ifndef MBEDTLS_RIPEMD160_H
 #define MBEDTLS_RIPEMD160_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
-/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
- */
-/** RIPEMD160 hardware accelerator failed */
-#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -36,9 +28,9 @@ extern "C" {
  * \brief          RIPEMD-160 context structure
  */
 typedef struct mbedtls_ripemd160_context {
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[5];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
+    uint32_t MBEDTLS_PRIVATE(total)[2];          /*!< number of bytes processed  */
+    uint32_t MBEDTLS_PRIVATE(state)[5];          /*!< intermediate digest state  */
+    unsigned char MBEDTLS_PRIVATE(buffer)[64];   /*!< data block being processed */
 }
 mbedtls_ripemd160_context;
 
@@ -76,7 +68,7 @@ void mbedtls_ripemd160_clone(mbedtls_ripemd160_context *dst,
  *
  * \return         0 if successful
  */
-int mbedtls_ripemd160_starts_ret(mbedtls_ripemd160_context *ctx);
+int mbedtls_ripemd160_starts(mbedtls_ripemd160_context *ctx);
 
 /**
  * \brief          RIPEMD-160 process buffer
@@ -87,9 +79,9 @@ int mbedtls_ripemd160_starts_ret(mbedtls_ripemd160_context *ctx);
  *
  * \return         0 if successful
  */
-int mbedtls_ripemd160_update_ret(mbedtls_ripemd160_context *ctx,
-                                 const unsigned char *input,
-                                 size_t ilen);
+int mbedtls_ripemd160_update(mbedtls_ripemd160_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen);
 
 /**
  * \brief          RIPEMD-160 final digest
@@ -99,8 +91,8 @@ int mbedtls_ripemd160_update_ret(mbedtls_ripemd160_context *ctx,
  *
  * \return         0 if successful
  */
-int mbedtls_ripemd160_finish_ret(mbedtls_ripemd160_context *ctx,
-                                 unsigned char output[20]);
+int mbedtls_ripemd160_finish(mbedtls_ripemd160_context *ctx,
+                             unsigned char output[20]);
 
 /**
  * \brief          RIPEMD-160 process data block (internal use only)
@@ -113,63 +105,6 @@ int mbedtls_ripemd160_finish_ret(mbedtls_ripemd160_context *ctx,
 int mbedtls_internal_ripemd160_process(mbedtls_ripemd160_context *ctx,
                                        const unsigned char data[64]);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          RIPEMD-160 context setup
- *
- * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
- *
- * \param ctx      context to be initialized
- */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
-    mbedtls_ripemd160_context *ctx);
-
-/**
- * \brief          RIPEMD-160 process buffer
- *
- * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
- *
- * \param ctx      RIPEMD-160 context
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
-    mbedtls_ripemd160_context *ctx,
-    const unsigned char *input,
-    size_t ilen);
-
-/**
- * \brief          RIPEMD-160 final digest
- *
- * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
- *
- * \param ctx      RIPEMD-160 context
- * \param output   RIPEMD-160 checksum result
- */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
-    mbedtls_ripemd160_context *ctx,
-    unsigned char output[20]);
-
-/**
- * \brief          RIPEMD-160 process data block (internal use only)
- *
- * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
- *
- * \param ctx      RIPEMD-160 context
- * \param data     buffer holding one block of data
- */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
-    mbedtls_ripemd160_context *ctx,
-    const unsigned char data[64]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          Output = RIPEMD-160( input buffer )
  *
@@ -179,31 +114,9 @@ MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
  *
  * \return         0 if successful
  */
-int mbedtls_ripemd160_ret(const unsigned char *input,
-                          size_t ilen,
-                          unsigned char output[20]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Output = RIPEMD-160( input buffer )
- *
- * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
- *
- * \param input    buffer holding the data
- * \param ilen     length of the input data
- * \param output   RIPEMD-160 checksum result
- */
-MBEDTLS_DEPRECATED void mbedtls_ripemd160(const unsigned char *input,
-                                          size_t ilen,
-                                          unsigned char output[20]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+int mbedtls_ripemd160(const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20]);
 
 #if defined(MBEDTLS_SELF_TEST)
 

+ 183 - 366
thirdparty/mbedtls/include/mbedtls/rsa.h

@@ -15,12 +15,9 @@
  */
 #ifndef MBEDTLS_RSA_H
 #define MBEDTLS_RSA_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/bignum.h"
 #include "mbedtls/md.h"
@@ -51,20 +48,9 @@
 /** The random generator failed to generate non-zeros. */
 #define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480
 
-/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
- */
-/** The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
-#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500
-
-/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** RSA hardware accelerator failed. */
-#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580
-
 /*
  * RSA constants
  */
-#define MBEDTLS_RSA_PUBLIC      0 /**< Request private key operation. */
-#define MBEDTLS_RSA_PRIVATE     1 /**< Request public key operation. */
 
 #define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS#1 v1.5 encoding. */
 #define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS#1 v2.1 encoding. */
@@ -87,49 +73,51 @@ extern "C" {
 // Regular implementation
 //
 
+#if !defined(MBEDTLS_RSA_GEN_KEY_MIN_BITS)
+#define MBEDTLS_RSA_GEN_KEY_MIN_BITS 1024
+#elif MBEDTLS_RSA_GEN_KEY_MIN_BITS < 128
+#error "MBEDTLS_RSA_GEN_KEY_MIN_BITS must be at least 128 bits"
+#endif
+
 /**
  * \brief   The RSA context structure.
- *
- * \note    Direct manipulation of the members of this structure
- *          is deprecated. All manipulation should instead be done through
- *          the public interface functions.
  */
 typedef struct mbedtls_rsa_context {
-    int ver;                    /*!<  Reserved for internal purposes.
-                                 *    Do not set this field in application
-                                 *    code. Its meaning might change without
-                                 *    notice. */
-    size_t len;                 /*!<  The size of \p N in Bytes. */
+    int MBEDTLS_PRIVATE(ver);                    /*!<  Reserved for internal purposes.
+                                                  *    Do not set this field in application
+                                                  *    code. Its meaning might change without
+                                                  *    notice. */
+    size_t MBEDTLS_PRIVATE(len);                 /*!<  The size of \p N in Bytes. */
 
-    mbedtls_mpi N;              /*!<  The public modulus. */
-    mbedtls_mpi E;              /*!<  The public exponent. */
+    mbedtls_mpi MBEDTLS_PRIVATE(N);              /*!<  The public modulus. */
+    mbedtls_mpi MBEDTLS_PRIVATE(E);              /*!<  The public exponent. */
 
-    mbedtls_mpi D;              /*!<  The private exponent. */
-    mbedtls_mpi P;              /*!<  The first prime factor. */
-    mbedtls_mpi Q;              /*!<  The second prime factor. */
+    mbedtls_mpi MBEDTLS_PRIVATE(D);              /*!<  The private exponent. */
+    mbedtls_mpi MBEDTLS_PRIVATE(P);              /*!<  The first prime factor. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Q);              /*!<  The second prime factor. */
 
-    mbedtls_mpi DP;             /*!<  <code>D % (P - 1)</code>. */
-    mbedtls_mpi DQ;             /*!<  <code>D % (Q - 1)</code>. */
-    mbedtls_mpi QP;             /*!<  <code>1 / (Q % P)</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(DP);             /*!<  <code>D % (P - 1)</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(DQ);             /*!<  <code>D % (Q - 1)</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(QP);             /*!<  <code>1 / (Q % P)</code>. */
 
-    mbedtls_mpi RN;             /*!<  cached <code>R^2 mod N</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(RN);             /*!<  cached <code>R^2 mod N</code>. */
 
-    mbedtls_mpi RP;             /*!<  cached <code>R^2 mod P</code>. */
-    mbedtls_mpi RQ;             /*!<  cached <code>R^2 mod Q</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(RP);             /*!<  cached <code>R^2 mod P</code>. */
+    mbedtls_mpi MBEDTLS_PRIVATE(RQ);             /*!<  cached <code>R^2 mod Q</code>. */
 
-    mbedtls_mpi Vi;             /*!<  The cached blinding value. */
-    mbedtls_mpi Vf;             /*!<  The cached un-blinding value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Vi);             /*!<  The cached blinding value. */
+    mbedtls_mpi MBEDTLS_PRIVATE(Vf);             /*!<  The cached un-blinding value. */
 
-    int padding;                /*!< Selects padding mode:
-                                 #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
-                                 #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
-    int hash_id;                /*!< Hash identifier of mbedtls_md_type_t type,
-                                     as specified in md.h for use in the MGF
-                                     mask generating function used in the
-                                     EME-OAEP and EMSA-PSS encodings. */
+    int MBEDTLS_PRIVATE(padding);                /*!< Selects padding mode:
+                                                  #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
+                                                  #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
+    int MBEDTLS_PRIVATE(hash_id);                /*!< Hash identifier of mbedtls_md_type_t type,
+                                                    as specified in md.h for use in the MGF
+                                                    mask generating function used in the
+                                                    EME-OAEP and EMSA-PSS encodings. */
 #if defined(MBEDTLS_THREADING_C)
     /* Invariant: the mutex is initialized iff ver != 0. */
-    mbedtls_threading_mutex_t mutex;    /*!<  Thread-safety mutex. */
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);    /*!<  Thread-safety mutex. */
 #endif
 }
 mbedtls_rsa_context;
@@ -141,33 +129,73 @@ mbedtls_rsa_context;
 /**
  * \brief          This function initializes an RSA context.
  *
+ * \note           This function initializes the padding and the hash
+ *                 identifier to respectively #MBEDTLS_RSA_PKCS_V15 and
+ *                 #MBEDTLS_MD_NONE. See mbedtls_rsa_set_padding() for more
+ *                 information about those parameters.
+ *
+ * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_rsa_init(mbedtls_rsa_context *ctx);
+
+/**
+ * \brief          This function sets padding for an already initialized RSA
+ *                 context.
+ *
  * \note           Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
  *                 encryption scheme and the RSASSA-PSS signature scheme.
  *
  * \note           The \p hash_id parameter is ignored when using
  *                 #MBEDTLS_RSA_PKCS_V15 padding.
  *
- * \note           The choice of padding mode is strictly enforced for private key
- *                 operations, since there might be security concerns in
+ * \note           The choice of padding mode is strictly enforced for private
+ *                 key operations, since there might be security concerns in
  *                 mixing padding modes. For public key operations it is
  *                 a default value, which can be overridden by calling specific
- *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
+ *                 \c mbedtls_rsa_rsaes_xxx or \c mbedtls_rsa_rsassa_xxx
+ *                 functions.
  *
  * \note           The hash selected in \p hash_id is always used for OEAP
  *                 encryption. For PSS signatures, it is always used for
  *                 making signatures, but can be overridden for verifying them.
  *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
  *
- * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ * \param ctx      The initialized RSA context to be configured.
  * \param padding  The padding mode to use. This must be either
  *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id  The hash identifier of ::mbedtls_md_type_t type, if
- *                 \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
- *                 otherwise.
+ * \param hash_id  The hash identifier for PSS or OAEP, if \p padding is
+ *                 #MBEDTLS_RSA_PKCS_V21. #MBEDTLS_MD_NONE is accepted by this
+ *                 function but may be not suitable for some operations.
+ *                 Ignored if \p padding is #MBEDTLS_RSA_PKCS_V15.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_RSA_INVALID_PADDING failure:
+ *                 \p padding or \p hash_id is invalid.
  */
-void mbedtls_rsa_init(mbedtls_rsa_context *ctx,
-                      int padding,
-                      int hash_id);
+int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
+                            mbedtls_md_type_t hash_id);
+
+/**
+ * \brief          This function retrieves padding mode of initialized
+ *                 RSA context.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         RSA padding mode.
+ *
+ */
+int mbedtls_rsa_get_padding_mode(const mbedtls_rsa_context *ctx);
+
+/**
+ * \brief          This function retrieves hash identifier of mbedtls_md_type_t
+ *                 type.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         Hash identifier of mbedtls_md_type_t type.
+ *
+ */
+int mbedtls_rsa_get_md_alg(const mbedtls_rsa_context *ctx);
 
 /**
  * \brief          This function imports a set of core parameters into an
@@ -226,7 +254,7 @@ int mbedtls_rsa_import(mbedtls_rsa_context *ctx,
  * \param N        The RSA modulus. This may be \c NULL.
  * \param N_len    The Byte length of \p N; it is ignored if \p N == NULL.
  * \param P        The first prime factor of \p N. This may be \c NULL.
- * \param P_len    The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param P_len    The Byte length of \p P; it is ignored if \p P == NULL.
  * \param Q        The second prime factor of \p N. This may be \c NULL.
  * \param Q_len    The Byte length of \p Q; it is ignored if \p Q == NULL.
  * \param D        The private exponent. This may be \c NULL.
@@ -399,16 +427,14 @@ int mbedtls_rsa_export_crt(const mbedtls_rsa_context *ctx,
                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP);
 
 /**
- * \brief          This function sets padding for an already initialized RSA
- *                 context. See mbedtls_rsa_init() for details.
+ * \brief          This function retrieves the length of the RSA modulus in bits.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         The length of the RSA modulus in bits.
  *
- * \param ctx      The initialized RSA context to be configured.
- * \param padding  The padding mode to use. This must be either
- *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
- * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
  */
-void mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
-                             int hash_id);
+size_t mbedtls_rsa_get_bitlen(const mbedtls_rsa_context *ctx);
 
 /**
  * \brief          This function retrieves the length of RSA modulus in Bytes.
@@ -428,7 +454,7 @@ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx);
  *
  * \param ctx      The initialized RSA context used to hold the key.
  * \param f_rng    The RNG function to be used for key generation.
- *                 This must not be \c NULL.
+ *                 This is mandatory and must not be \c NULL.
  * \param p_rng    The RNG context to be passed to \p f_rng.
  *                 This may be \c NULL if \p f_rng doesn't need a context.
  * \param nbits    The size of the public key in bits.
@@ -439,7 +465,7 @@ size_t mbedtls_rsa_get_len(const mbedtls_rsa_context *ctx);
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_gen_key(mbedtls_rsa_context *ctx,
-                        int (*f_rng)(void *, unsigned char *, size_t),
+                        mbedtls_f_rng_t *f_rng,
                         void *p_rng,
                         unsigned int nbits, int exponent);
 
@@ -549,11 +575,9 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
  *                 of a PRNG.
  *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function, used for blinding. It is discouraged
- *                 and deprecated to pass \c NULL here, in which case
- *                 blinding will be omitted.
+ * \param f_rng    The RNG function, used for blinding. It is mandatory.
  * \param p_rng    The RNG context to pass to \p f_rng. This may be \c NULL
- *                 if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ *                 if \p f_rng doesn't need a context.
  * \param input    The input buffer. This must be a readable buffer
  *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus.
@@ -566,7 +590,7 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
  *
  */
 int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
-                        int (*f_rng)(void *, unsigned char *, size_t),
+                        mbedtls_f_rng_t *f_rng,
                         void *p_rng,
                         const unsigned char *input,
                         unsigned char *output);
@@ -576,29 +600,13 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
  *                 operation.
  *
  *                 It is the generic wrapper for performing a PKCS#1 encryption
- *                 operation using the \p mode from the context.
- *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *                 operation.
  *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG to use. It is mandatory for PKCS#1 v2.1 padding
- *                 encoding, and for PKCS#1 v1.5 padding encoding when used
- *                 with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
- *                 padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
- *                 it is used for blinding and should be provided in this
- *                 case; see mbedtls_rsa_private() for more.
+ * \param f_rng    The RNG to use. It is used for padding generation
+ *                 and it is mandatory.
  * \param p_rng    The RNG context to be passed to \p f_rng. May be
- *                 \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
- *                 need a context argument.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ *                 \c NULL if \p f_rng doesn't need a context argument.
  * \param ilen     The length of the plaintext in Bytes.
  * \param input    The input data to encrypt. This must be a readable
  *                 buffer of size \p ilen Bytes. It may be \c NULL if
@@ -611,9 +619,9 @@ int mbedtls_rsa_private(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng,
-                              int mode, size_t ilen,
+                              size_t ilen,
                               const unsigned char *input,
                               unsigned char *output);
 
@@ -621,25 +629,11 @@ int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 encryption operation
  *                 (RSAES-PKCS1-v1_5-ENCRYPT).
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function to use. It is needed for padding generation
- *                 if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
- *                 #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
- *                 blinding and should be provided; see mbedtls_rsa_private().
+ * \param f_rng    The RNG function to use. It is mandatory and used for
+ *                 padding generation.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may
- *                 be \c NULL if \p f_rng is \c NULL or if \p f_rng
- *                 doesn't need a context argument.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ *                 be \c NULL if \p f_rng doesn't need a context argument.
  * \param ilen     The length of the plaintext in Bytes.
  * \param input    The input data to encrypt. This must be a readable
  *                 buffer of size \p ilen Bytes. It may be \c NULL if
@@ -652,9 +646,9 @@ int mbedtls_rsa_pkcs1_encrypt(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
-                                        int (*f_rng)(void *, unsigned char *, size_t),
+                                        mbedtls_f_rng_t *f_rng,
                                         void *p_rng,
-                                        int mode, size_t ilen,
+                                        size_t ilen,
                                         const unsigned char *input,
                                         unsigned char *output);
 
@@ -665,22 +659,11 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
  * \note             The output buffer must be as large as the size
  *                   of ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \deprecated       It is deprecated and discouraged to call this function
- *                   in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                   are likely to remove the \p mode argument and have it
- *                   implicitly set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note             Alternative implementations of RSA need not support
- *                   mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx        The initialized RSA context to use.
  * \param f_rng      The RNG function to use. This is needed for padding
- *                   generation and must be provided.
+ *                   generation and is mandatory.
  * \param p_rng      The RNG context to be passed to \p f_rng. This may
  *                   be \c NULL if \p f_rng doesn't need a context argument.
- * \param mode       The mode of operation. This must be either
- *                   #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param label      The buffer holding the custom label to use.
  *                   This must be a readable buffer of length \p label_len
  *                   Bytes. It may be \c NULL if \p label_len is \c 0.
@@ -697,9 +680,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt(mbedtls_rsa_context *ctx,
  * \return           An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
-                                   int (*f_rng)(void *, unsigned char *, size_t),
+                                   mbedtls_f_rng_t *f_rng,
                                    void *p_rng,
-                                   int mode,
                                    const unsigned char *label, size_t label_len,
                                    size_t ilen,
                                    const unsigned char *input,
@@ -710,7 +692,7 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
  *                 message padding.
  *
  *                 It is the generic wrapper for performing a PKCS#1 decryption
- *                 operation using the \p mode from the context.
+ *                 operation.
  *
  * \warning        When \p ctx->padding is set to #MBEDTLS_RSA_PKCS_V15,
  *                 mbedtls_rsa_rsaes_pkcs1_v15_decrypt() is called, which is an
@@ -723,24 +705,11 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
  *                 hold the decryption of the particular ciphertext provided,
  *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. If \p mode is
- *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param f_rng    The RNG function. This is used for blinding and is
+ *                 mandatory; see mbedtls_rsa_private() for more.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ *                 \c NULL if \p f_rng doesn't need a context.
  * \param olen     The address at which to store the length of
  *                 the plaintext. This must not be \c NULL.
  * \param input    The ciphertext buffer. This must be a readable buffer
@@ -754,9 +723,9 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng,
-                              int mode, size_t *olen,
+                              size_t *olen,
                               const unsigned char *input,
                               unsigned char *output,
                               size_t output_max_len);
@@ -777,24 +746,11 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
  *                 hold the decryption of the particular ciphertext provided,
  *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. If \p mode is
- *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param f_rng    The RNG function. This is used for blinding and is
+ *                 mandatory; see mbedtls_rsa_private() for more.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ *                 \c NULL if \p f_rng doesn't need a context.
  * \param olen     The address at which to store the length of
  *                 the plaintext. This must not be \c NULL.
  * \param input    The ciphertext buffer. This must be a readable buffer
@@ -809,9 +765,9 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
  *
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
-                                        int (*f_rng)(void *, unsigned char *, size_t),
+                                        mbedtls_f_rng_t *f_rng,
                                         void *p_rng,
-                                        int mode, size_t *olen,
+                                        size_t *olen,
                                         const unsigned char *input,
                                         unsigned char *output,
                                         size_t output_max_len);
@@ -828,24 +784,11 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
  *                   ciphertext provided, the function returns
  *                   #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
- * \deprecated       It is deprecated and discouraged to call this function
- *                   in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                   are likely to remove the \p mode argument and have it
- *                   implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note             Alternative implementations of RSA need not support
- *                   mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx        The initialized RSA context to use.
- * \param f_rng      The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                   this is used for blinding and should be provided; see
- *                   mbedtls_rsa_private() for more. If \p mode is
- *                   #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param f_rng      The RNG function. This is used for blinding and is
+ *                   mandatory.
  * \param p_rng      The RNG context to be passed to \p f_rng. This may be
- *                   \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode       The mode of operation. This must be either
- *                   #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ *                   \c NULL if \p f_rng doesn't need a context.
  * \param label      The buffer holding the custom label to use.
  *                   This must be a readable buffer of length \p label_len
  *                   Bytes. It may be \c NULL if \p label_len is \c 0.
@@ -863,9 +806,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
-                                   int (*f_rng)(void *, unsigned char *, size_t),
+                                   mbedtls_f_rng_t *f_rng,
                                    void *p_rng,
-                                   int mode,
                                    const unsigned char *label, size_t label_len,
                                    size_t *olen,
                                    const unsigned char *input,
@@ -877,7 +819,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
  *                 a message digest using PKCS#1.
  *
  *                 It is the generic wrapper for performing a PKCS#1
- *                 signature using the \p mode from the context.
+ *                 signature.
  *
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
@@ -886,34 +828,18 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
  *                 mbedtls_rsa_rsassa_pss_sign() for details on
  *                 \p md_alg and \p hash_id.
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function to use. If the padding mode is PKCS#1 v2.1,
- *                 this must be provided. If the padding mode is PKCS#1 v1.5 and
- *                 \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
- *                 and should be provided; see mbedtls_rsa_private() for more
- *                 more. It is ignored otherwise.
+ * \param f_rng    The RNG function to use. This is mandatory and
+ *                 must not be \c NULL.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
- *                 if \p f_rng is \c NULL or doesn't need a context argument.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ *                 if \p f_rng doesn't need a context argument.
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer to hold the signature. This must be a writable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus. A buffer length of
@@ -923,9 +849,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
-                           int (*f_rng)(void *, unsigned char *, size_t),
+                           mbedtls_f_rng_t *f_rng,
                            void *p_rng,
-                           int mode,
                            mbedtls_md_type_t md_alg,
                            unsigned int hashlen,
                            const unsigned char *hash,
@@ -935,33 +860,18 @@ int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 signature
  *                 operation (RSASSA-PKCS1-v1_5-SIGN).
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. If \p mode is
- *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param f_rng    The RNG function. This is used for blinding and is
+ *                 mandatory; see mbedtls_rsa_private() for more.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
- *                 if \p f_rng is \c NULL or doesn't need a context argument.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ *                 if \p f_rng doesn't need a context argument.
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer to hold the signature. This must be a writable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus. A buffer length of
@@ -971,21 +881,20 @@ int mbedtls_rsa_pkcs1_sign(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
-                                      int (*f_rng)(void *, unsigned char *, size_t),
+                                      mbedtls_f_rng_t *f_rng,
                                       void *p_rng,
-                                      int mode,
                                       mbedtls_md_type_t md_alg,
                                       unsigned int hashlen,
                                       const unsigned char *hash,
                                       unsigned char *sig);
 
+#if defined(MBEDTLS_PKCS1_V21)
 /**
  * \brief          This function performs a PKCS#1 v2.1 PSS signature
  *                 operation (RSASSA-PSS-SIGN).
  *
- * \note           The \c hash_id set in \p ctx (when calling
- *                 mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
- *                 afterwards) selects the hash used for the
+ * \note           The \c hash_id set in \p ctx by calling
+ *                 mbedtls_rsa_set_padding() selects the hash used for the
  *                 encoding operation and for the mask generation function
  *                 (MGF1). For more details on the encoding operation and the
  *                 mask generation function, consult <em>RFC-3447: Public-Key
@@ -1000,18 +909,16 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
  *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
  *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param f_rng    The RNG function. It is mandatory and must not be \c NULL.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
  *                 if \p f_rng doesn't need a context argument.
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param saltlen  The length of the salt that should be used.
  *                 If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
  *                 the largest possible salt length up to the hash length,
@@ -1026,7 +933,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
-                                    int (*f_rng)(void *, unsigned char *, size_t),
+                                    mbedtls_f_rng_t *f_rng,
                                     void *p_rng,
                                     mbedtls_md_type_t md_alg,
                                     unsigned int hashlen,
@@ -1038,9 +945,8 @@ int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v2.1 PSS signature
  *                 operation (RSASSA-PSS-SIGN).
  *
- * \note           The \c hash_id set in \p ctx (when calling
- *                 mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
- *                 afterwards) selects the hash used for the
+ * \note           The \c hash_id set in \p ctx by calling
+ *                 mbedtls_rsa_set_padding() selects the hash used for the
  *                 encoding operation and for the mask generation function
  *                 (MGF1). For more details on the encoding operation and the
  *                 mask generation function, consult <em>RFC-3447: Public-Key
@@ -1057,30 +963,17 @@ int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
  *                 the key size in bytes), this function returns
  *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA context to use.
- * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param f_rng    The RNG function. It is mandatory and must not be \c NULL.
  * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
  *                 if \p f_rng doesn't need a context argument.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer to hold the signature. This must be a writable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus. A buffer length of
@@ -1090,51 +983,33 @@ int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
-                                int (*f_rng)(void *, unsigned char *, size_t),
+                                mbedtls_f_rng_t *f_rng,
                                 void *p_rng,
-                                int mode,
                                 mbedtls_md_type_t md_alg,
                                 unsigned int hashlen,
                                 const unsigned char *hash,
                                 unsigned char *sig);
+#endif /* MBEDTLS_PKCS1_V21 */
 
 /**
  * \brief          This function performs a public RSA operation and checks
  *                 the message digest.
  *
  *                 This is the generic wrapper for performing a PKCS#1
- *                 verification using the mode from the context.
+ *                 verification.
  *
  * \note           For PKCS#1 v2.1 encoding, see comments on
  *                 mbedtls_rsa_rsassa_pss_verify() about \c md_alg and
  *                 \c hash_id.
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA public key context to use.
- * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
- * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer holding the signature. This must be a readable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus.
@@ -1143,9 +1018,6 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
-                             int (*f_rng)(void *, unsigned char *, size_t),
-                             void *p_rng,
-                             int mode,
                              mbedtls_md_type_t md_alg,
                              unsigned int hashlen,
                              const unsigned char *hash,
@@ -1155,32 +1027,14 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v1.5 verification
  *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
  *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
- *
  * \param ctx      The initialized RSA public key context to use.
- * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
- * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer holding the signature. This must be a readable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus.
@@ -1189,9 +1043,6 @@ int mbedtls_rsa_pkcs1_verify(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
-                                        int (*f_rng)(void *, unsigned char *, size_t),
-                                        void *p_rng,
-                                        int mode,
                                         mbedtls_md_type_t md_alg,
                                         unsigned int hashlen,
                                         const unsigned char *hash,
@@ -1201,42 +1052,24 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
  * \brief          This function performs a PKCS#1 v2.1 PSS verification
  *                 operation (RSASSA-PSS-VERIFY).
  *
- * \note           The \c hash_id set in \p ctx (when calling
- *                 mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
- *                 afterwards) selects the hash used for the
+ * \note           The \c hash_id set in \p ctx by calling
+ *                 mbedtls_rsa_set_padding() selects the hash used for the
  *                 encoding operation and for the mask generation function
  *                 (MGF1). For more details on the encoding operation and the
  *                 mask generation function, consult <em>RFC-3447: Public-Key
  *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- *                 Specifications</em>. If the \c hash_id set in \p ctx is
- *                 #MBEDTLS_MD_NONE, the \p md_alg parameter is used.
- *
- * \deprecated     It is deprecated and discouraged to call this function
- *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
- *                 are likely to remove the \p mode argument and have it
- *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
- *
- * \note           Alternative implementations of RSA need not support
- *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
- *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *                 Specifications</em>. If the \c hash_id set in \p ctx by
+ *                 mbedtls_rsa_set_padding() is #MBEDTLS_MD_NONE, the \p md_alg
+ *                 parameter is used.
  *
  * \param ctx      The initialized RSA public key context to use.
- * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
- * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param sig      The buffer holding the signature. This must be a readable
  *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
  *                 for an 2048-bit RSA modulus.
@@ -1245,9 +1078,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
-                                  int (*f_rng)(void *, unsigned char *, size_t),
-                                  void *p_rng,
-                                  int mode,
                                   mbedtls_md_type_t md_alg,
                                   unsigned int hashlen,
                                   const unsigned char *hash,
@@ -1260,27 +1090,17 @@ int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
  * \note           The \p sig buffer must be as large as the size
  *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \note           The \c hash_id set in \p ctx (when calling
- *                 mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
- *                 afterwards) is ignored.
+ * \note           The \c hash_id set in \p ctx by mbedtls_rsa_set_padding() is
+ *                 ignored.
  *
  * \param ctx      The initialized RSA public key context to use.
- * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
- *                 this is used for blinding and should be provided; see
- *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
- * \param p_rng    The RNG context to be passed to \p f_rng. This may be
- *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
- * \param mode     The mode of operation. This must be either
- *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
  * \param md_alg   The message-digest algorithm used to hash the original data.
  *                 Use #MBEDTLS_MD_NONE for signing raw data.
- * \param hashlen  The length of the message digest.
- *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hashlen  The length of the message digest or raw data in Bytes.
+ *                 If \p md_alg is not #MBEDTLS_MD_NONE, this must match the
+ *                 output length of the corresponding hash algorithm.
  * \param hash     The buffer holding the message digest or raw data.
- *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
- *                 buffer of length \p hashlen Bytes. If \p md_alg is not
- *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
- *                 the size of the hash corresponding to \p md_alg.
+ *                 This must be a readable buffer of at least \p hashlen Bytes.
  * \param mgf1_hash_id      The message digest algorithm used for the
  *                          verification operation and the mask generation
  *                          function (MGF1). For more details on the encoding
@@ -1298,9 +1118,6 @@ int mbedtls_rsa_rsassa_pss_verify(mbedtls_rsa_context *ctx,
  * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
  */
 int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
-                                      int (*f_rng)(void *, unsigned char *, size_t),
-                                      void *p_rng,
-                                      int mode,
                                       mbedtls_md_type_t md_alg,
                                       unsigned int hashlen,
                                       const unsigned char *hash,

+ 14 - 134
thirdparty/mbedtls/include/mbedtls/sha1.h

@@ -16,19 +16,13 @@
  */
 #ifndef MBEDTLS_SHA1_H
 #define MBEDTLS_SHA1_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
-/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** SHA-1 hardware accelerator failed */
-#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035
 /** SHA-1 input data was malformed. */
 #define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA                   -0x0073
 
@@ -49,9 +43,9 @@ extern "C" {
  *
  */
 typedef struct mbedtls_sha1_context {
-    uint32_t total[2];          /*!< The number of Bytes processed.  */
-    uint32_t state[5];          /*!< The intermediate digest state.  */
-    unsigned char buffer[64];   /*!< The data block being processed. */
+    uint32_t MBEDTLS_PRIVATE(total)[2];          /*!< The number of Bytes processed.  */
+    uint32_t MBEDTLS_PRIVATE(state)[5];          /*!< The intermediate digest state.  */
+    unsigned char MBEDTLS_PRIVATE(buffer)[64];   /*!< The data block being processed. */
 }
 mbedtls_sha1_context;
 
@@ -114,7 +108,7 @@ void mbedtls_sha1_clone(mbedtls_sha1_context *dst,
  * \return         A negative error code on failure.
  *
  */
-int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx);
+int mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
 
 /**
  * \brief          This function feeds an input buffer into an ongoing SHA-1
@@ -133,9 +127,9 @@ int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx);
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx,
-                            const unsigned char *input,
-                            size_t ilen);
+int mbedtls_sha1_update(mbedtls_sha1_context *ctx,
+                        const unsigned char *input,
+                        size_t ilen);
 
 /**
  * \brief          This function finishes the SHA-1 operation, and writes
@@ -153,8 +147,8 @@ int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx,
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx,
-                            unsigned char output[20]);
+int mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
+                        unsigned char output[20]);
 
 /**
  * \brief          SHA-1 process data block (internal use only).
@@ -174,85 +168,6 @@ int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx,
 int mbedtls_internal_sha1_process(mbedtls_sha1_context *ctx,
                                   const unsigned char data[64]);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          This function starts a SHA-1 checksum calculation.
- *
- * \warning        SHA-1 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
- *
- * \param ctx      The SHA-1 context to initialize. This must be initialized.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_sha1_starts(mbedtls_sha1_context *ctx);
-
-/**
- * \brief          This function feeds an input buffer into an ongoing SHA-1
- *                 checksum calculation.
- *
- * \warning        SHA-1 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0.
- *
- * \param ctx      The SHA-1 context. This must be initialized and
- *                 have a hash operation started.
- * \param input    The buffer holding the input data.
- *                 This must be a readable buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data \p input in Bytes.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_sha1_update(mbedtls_sha1_context *ctx,
-                                            const unsigned char *input,
-                                            size_t ilen);
-
-/**
- * \brief          This function finishes the SHA-1 operation, and writes
- *                 the result to the output buffer.
- *
- * \warning        SHA-1 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
- *
- * \param ctx      The SHA-1 context. This must be initialized and
- *                 have a hash operation started.
- * \param output   The SHA-1 checksum result.
- *                 This must be a writable buffer of length \c 20 Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha1_finish(mbedtls_sha1_context *ctx,
-                                            unsigned char output[20]);
-
-/**
- * \brief          SHA-1 process data block (internal use only).
- *
- * \warning        SHA-1 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0.
- *
- * \param ctx      The SHA-1 context. This must be initialized.
- * \param data     The data block being processed.
- *                 This must be a readable buffer of length \c 64 bytes.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_sha1_process(mbedtls_sha1_context *ctx,
-                                             const unsigned char data[64]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          This function calculates the SHA-1 checksum of a buffer.
  *
@@ -276,44 +191,9 @@ MBEDTLS_DEPRECATED void mbedtls_sha1_process(mbedtls_sha1_context *ctx,
  * \return         A negative error code on failure.
  *
  */
-int mbedtls_sha1_ret(const unsigned char *input,
-                     size_t ilen,
-                     unsigned char output[20]);
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          This function calculates the SHA-1 checksum of a buffer.
- *
- *                 The function allocates the context, performs the
- *                 calculation, and frees the context.
- *
- *                 The SHA-1 result is calculated as
- *                 output = SHA-1(input buffer).
- *
- * \warning        SHA-1 is considered a weak message digest and its use
- *                 constitutes a security risk. We recommend considering
- *                 stronger message digests instead.
- *
- * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
- *
- * \param input    The buffer holding the input data.
- *                 This must be a readable buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data \p input in Bytes.
- * \param output   The SHA-1 checksum result. This must be a writable
- *                 buffer of size \c 20 Bytes.
- *
- */
-MBEDTLS_DEPRECATED void mbedtls_sha1(const unsigned char *input,
-                                     size_t ilen,
-                                     unsigned char output[20]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+int mbedtls_sha1(const unsigned char *input,
+                 size_t ilen,
+                 unsigned char output[20]);
 
 #if defined(MBEDTLS_SELF_TEST)
 

+ 39 - 126
thirdparty/mbedtls/include/mbedtls/sha256.h

@@ -12,19 +12,13 @@
  */
 #ifndef MBEDTLS_SHA256_H
 #define MBEDTLS_SHA256_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
-/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** SHA-256 hardware accelerator failed */
-#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037
 /** SHA-256 input data was malformed. */
 #define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA                 -0x0074
 
@@ -41,14 +35,16 @@ extern "C" {
  *
  *                 The structure is used both for SHA-256 and for SHA-224
  *                 checksum calculations. The choice between these two is
- *                 made in the call to mbedtls_sha256_starts_ret().
+ *                 made in the call to mbedtls_sha256_starts().
  */
 typedef struct mbedtls_sha256_context {
-    uint32_t total[2];          /*!< The number of Bytes processed.  */
-    uint32_t state[8];          /*!< The intermediate digest state.  */
-    unsigned char buffer[64];   /*!< The data block being processed. */
-    int is224;                  /*!< Determines which function to use:
-                                     0: Use SHA-256, or 1: Use SHA-224. */
+    unsigned char MBEDTLS_PRIVATE(buffer)[64];   /*!< The data block being processed. */
+    uint32_t MBEDTLS_PRIVATE(total)[2];          /*!< The number of Bytes processed.  */
+    uint32_t MBEDTLS_PRIVATE(state)[8];          /*!< The intermediate digest state.  */
+#if defined(MBEDTLS_SHA224_C)
+    int MBEDTLS_PRIVATE(is224);                  /*!< Determines which function to use:
+                                                    0: Use SHA-256, or 1: Use SHA-224. */
+#endif
 }
 mbedtls_sha256_context;
 
@@ -89,10 +85,14 @@ void mbedtls_sha256_clone(mbedtls_sha256_context *dst,
  * \param is224    This determines which function to use. This must be
  *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  *
+ * \note           is224 must be defined accordingly to the enabled
+ *                 MBEDTLS_SHA224_C/MBEDTLS_SHA256_C symbols otherwise the
+ *                 function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
+ *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224);
+int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224);
 
 /**
  * \brief          This function feeds an input buffer into an ongoing
@@ -107,9 +107,9 @@ int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224);
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
-                              const unsigned char *input,
-                              size_t ilen);
+int mbedtls_sha256_update(mbedtls_sha256_context *ctx,
+                          const unsigned char *input,
+                          size_t ilen);
 
 /**
  * \brief          This function finishes the SHA-256 operation, and writes
@@ -118,13 +118,14 @@ int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx,
  * \param ctx      The SHA-256 context. This must be initialized
  *                 and have a hash operation started.
  * \param output   The SHA-224 or SHA-256 checksum result.
- *                 This must be a writable buffer of length \c 32 Bytes.
+ *                 This must be a writable buffer of length \c 32 bytes
+ *                 for SHA-256, \c 28 bytes for SHA-224.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
-                              unsigned char output[32]);
+int mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
+                          unsigned char *output);
 
 /**
  * \brief          This function processes a single data block within
@@ -141,72 +142,6 @@ int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx,
 int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx,
                                     const unsigned char data[64]);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          This function starts a SHA-224 or SHA-256 checksum
- *                 calculation.
- *
- * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
- *
- * \param ctx      The context to use. This must be initialized.
- * \param is224    Determines which function to use. This must be
- *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha256_starts(mbedtls_sha256_context *ctx,
-                                              int is224);
-
-/**
- * \brief          This function feeds an input buffer into an ongoing
- *                 SHA-256 checksum calculation.
- *
- * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
- *
- * \param ctx      The SHA-256 context to use. This must be
- *                 initialized and have a hash operation started.
- * \param input    The buffer holding the data. This must be a readable
- *                 buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data in Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha256_update(mbedtls_sha256_context *ctx,
-                                              const unsigned char *input,
-                                              size_t ilen);
-
-/**
- * \brief          This function finishes the SHA-256 operation, and writes
- *                 the result to the output buffer.
- *
- * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
- *
- * \param ctx      The SHA-256 context. This must be initialized and
- *                 have a hash operation started.
- * \param output   The SHA-224 or SHA-256 checksum result. This must be
- *                 a writable buffer of length \c 32 Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha256_finish(mbedtls_sha256_context *ctx,
-                                              unsigned char output[32]);
-
-/**
- * \brief          This function processes a single data block within
- *                 the ongoing SHA-256 computation. This function is for
- *                 internal use only.
- *
- * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
- *
- * \param ctx      The SHA-256 context. This must be initialized.
- * \param data     The buffer holding one block of data. This must be
- *                 a readable buffer of size \c 64 Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
-                                               const unsigned char data[64]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          This function calculates the SHA-224 or SHA-256
  *                 checksum of a buffer.
@@ -220,63 +155,41 @@ MBEDTLS_DEPRECATED void mbedtls_sha256_process(mbedtls_sha256_context *ctx,
  * \param input    The buffer holding the data. This must be a readable
  *                 buffer of length \p ilen Bytes.
  * \param ilen     The length of the input data in Bytes.
- * \param output   The SHA-224 or SHA-256 checksum result. This must
- *                 be a writable buffer of length \c 32 Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ *                 This must be a writable buffer of length \c 32 bytes
+ *                 for SHA-256, \c 28 bytes for SHA-224.
  * \param is224    Determines which function to use. This must be
  *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha256_ret(const unsigned char *input,
-                       size_t ilen,
-                       unsigned char output[32],
-                       int is224);
+int mbedtls_sha256(const unsigned char *input,
+                   size_t ilen,
+                   unsigned char *output,
+                   int is224);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
+#if defined(MBEDTLS_SHA224_C)
 /**
- * \brief          This function calculates the SHA-224 or SHA-256 checksum
- *                 of a buffer.
+ * \brief          The SHA-224 checkup routine.
  *
- *                 The function allocates the context, performs the
- *                 calculation, and frees the context.
- *
- *                 The SHA-256 result is calculated as
- *                 output = SHA-256(input buffer).
- *
- * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
- *
- * \param input    The buffer holding the data. This must be a readable
- *                 buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data in Bytes.
- * \param output   The SHA-224 or SHA-256 checksum result. This must be
- *                 a writable buffer of length \c 32 Bytes.
- * \param is224    Determines which function to use. This must be either
- *                 \c 0 for SHA-256, or \c 1 for SHA-224.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
-MBEDTLS_DEPRECATED void mbedtls_sha256(const unsigned char *input,
-                                       size_t ilen,
-                                       unsigned char output[32],
-                                       int is224);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_SELF_TEST)
+int mbedtls_sha224_self_test(int verbose);
+#endif /* MBEDTLS_SHA224_C */
 
+#if defined(MBEDTLS_SHA256_C)
 /**
- * \brief          The SHA-224 and SHA-256 checkup routine.
+ * \brief          The SHA-256 checkup routine.
  *
  * \return         \c 0 on success.
  * \return         \c 1 on failure.
  */
 int mbedtls_sha256_self_test(int verbose);
+#endif /* MBEDTLS_SHA256_C */
 
 #endif /* MBEDTLS_SELF_TEST */
 

+ 172 - 0
thirdparty/mbedtls/include/mbedtls/sha3.h

@@ -0,0 +1,172 @@
+/**
+ * \file sha3.h
+ *
+ * \brief This file contains SHA-3 definitions and functions.
+ *
+ * The Secure Hash Algorithms cryptographic
+ * hash functions are defined in <em>FIPS 202: SHA-3 Standard:
+ * Permutation-Based Hash and Extendable-Output Functions </em>.
+ */
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef MBEDTLS_SHA3_H
+#define MBEDTLS_SHA3_H
+#include "mbedtls/private_access.h"
+
+#include "mbedtls/build_info.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/** SHA-3 input data was malformed. */
+#define MBEDTLS_ERR_SHA3_BAD_INPUT_DATA                 -0x0076
+
+/**
+ * SHA-3 family id.
+ *
+ * It identifies the family (SHA3-256, SHA3-512, etc.)
+ */
+
+typedef enum {
+    MBEDTLS_SHA3_NONE = 0, /*!< Operation not defined. */
+    MBEDTLS_SHA3_224, /*!< SHA3-224 */
+    MBEDTLS_SHA3_256, /*!< SHA3-256 */
+    MBEDTLS_SHA3_384, /*!< SHA3-384 */
+    MBEDTLS_SHA3_512, /*!< SHA3-512 */
+} mbedtls_sha3_id;
+
+/**
+ * \brief          The SHA-3 context structure.
+ *
+ *                 The structure is used SHA-3 checksum calculations.
+ */
+typedef struct {
+    uint64_t MBEDTLS_PRIVATE(state[25]);
+    uint32_t MBEDTLS_PRIVATE(index);
+    uint16_t MBEDTLS_PRIVATE(olen);
+    uint16_t MBEDTLS_PRIVATE(max_block_size);
+}
+mbedtls_sha3_context;
+
+/**
+ * \brief          This function initializes a SHA-3 context.
+ *
+ * \param ctx      The SHA-3 context to initialize. This must not be \c NULL.
+ */
+void mbedtls_sha3_init(mbedtls_sha3_context *ctx);
+
+/**
+ * \brief          This function clears a SHA-3 context.
+ *
+ * \param ctx      The SHA-3 context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized SHA-3 context.
+ */
+void mbedtls_sha3_free(mbedtls_sha3_context *ctx);
+
+/**
+ * \brief          This function clones the state of a SHA-3 context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
+ */
+void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
+                        const mbedtls_sha3_context *src);
+
+/**
+ * \brief          This function starts a SHA-3 checksum
+ *                 calculation.
+ *
+ * \param ctx      The context to use. This must be initialized.
+ * \param id       The id of the SHA-3 family.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id);
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-3 checksum calculation.
+ *
+ * \param ctx      The SHA-3 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
+                        const uint8_t *input,
+                        size_t ilen);
+
+/**
+ * \brief          This function finishes the SHA-3 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-3 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-3 checksum result.
+ *                 This must be a writable buffer of length \c olen bytes.
+ * \param olen     Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
+ *                 SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
+ *                 respectively.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
+                        uint8_t *output, size_t olen);
+
+/**
+ * \brief          This function calculates the SHA-3
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-3 result is calculated as
+ *                 output = SHA-3(id, input buffer, d).
+ *
+ * \param id       The id of the SHA-3 family.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-3 checksum result.
+ *                 This must be a writable buffer of length \c olen bytes.
+ * \param olen     Defines the length of output buffer (in bytes). For SHA-3 224, SHA-3 256,
+ *                 SHA-3 384 and SHA-3 512 \c olen must equal to 28, 32, 48 and 64,
+ *                 respectively.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
+                 size_t ilen,
+                 uint8_t *output,
+                 size_t olen);
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine for the algorithms implemented
+ *                 by this module: SHA3-224, SHA3-256, SHA3-384, SHA3-512.
+ *
+ * \return         0 if successful, or 1 if the test failed.
+ */
+int mbedtls_sha3_self_test(int verbose);
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha3.h */

+ 42 - 137
thirdparty/mbedtls/include/mbedtls/sha512.h

@@ -11,19 +11,13 @@
  */
 #ifndef MBEDTLS_SHA512_H
 #define MBEDTLS_SHA512_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
-/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** SHA-512 hardware accelerator failed */
-#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039
 /** SHA-512 input data was malformed. */
 #define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA                 -0x0075
 
@@ -40,15 +34,15 @@ extern "C" {
  *
  *                 The structure is used both for SHA-384 and for SHA-512
  *                 checksum calculations. The choice between these two is
- *                 made in the call to mbedtls_sha512_starts_ret().
+ *                 made in the call to mbedtls_sha512_starts().
  */
 typedef struct mbedtls_sha512_context {
-    uint64_t total[2];          /*!< The number of Bytes processed. */
-    uint64_t state[8];          /*!< The intermediate digest state. */
-    unsigned char buffer[128];  /*!< The data block being processed. */
-#if !defined(MBEDTLS_SHA512_NO_SHA384)
-    int is384;                  /*!< Determines which function to use:
-                                     0: Use SHA-512, or 1: Use SHA-384. */
+    uint64_t MBEDTLS_PRIVATE(total)[2];          /*!< The number of Bytes processed. */
+    uint64_t MBEDTLS_PRIVATE(state)[8];          /*!< The intermediate digest state. */
+    unsigned char MBEDTLS_PRIVATE(buffer)[128];  /*!< The data block being processed. */
+#if defined(MBEDTLS_SHA384_C)
+    int MBEDTLS_PRIVATE(is384);                  /*!< Determines which function to use:
+                                                      0: Use SHA-512, or 1: Use SHA-384. */
 #endif
 }
 mbedtls_sha512_context;
@@ -92,14 +86,14 @@ void mbedtls_sha512_clone(mbedtls_sha512_context *dst,
  * \param is384    Determines which function to use. This must be
  *                 either \c 0 for SHA-512, or \c 1 for SHA-384.
  *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will return
- *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
+ * \note           is384 must be defined accordingly to the enabled
+ *                 MBEDTLS_SHA384_C/MBEDTLS_SHA512_C symbols otherwise the
+ *                 function will return #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384);
+int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384);
 
 /**
  * \brief          This function feeds an input buffer into an ongoing
@@ -114,9 +108,9 @@ int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384);
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
-                              const unsigned char *input,
-                              size_t ilen);
+int mbedtls_sha512_update(mbedtls_sha512_context *ctx,
+                          const unsigned char *input,
+                          size_t ilen);
 
 /**
  * \brief          This function finishes the SHA-512 operation, and writes
@@ -125,13 +119,14 @@ int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx,
  * \param ctx      The SHA-512 context. This must be initialized
  *                 and have a hash operation started.
  * \param output   The SHA-384 or SHA-512 checksum result.
- *                 This must be a writable buffer of length \c 64 Bytes.
+ *                 This must be a writable buffer of length \c 64 bytes
+ *                 for SHA-512, \c 48 bytes for SHA-384.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
-                              unsigned char output[64]);
+int mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
+                          unsigned char *output);
 
 /**
  * \brief          This function processes a single data block within
@@ -147,75 +142,6 @@ int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx,
  */
 int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx,
                                     const unsigned char data[128]);
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          This function starts a SHA-384 or SHA-512 checksum
- *                 calculation.
- *
- * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
- *
- * \param ctx      The SHA-512 context to use. This must be initialized.
- * \param is384    Determines which function to use. This must be either
- *                 \c 0 for SHA-512 or \c 1 for SHA-384.
- *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will fail to work.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha512_starts(mbedtls_sha512_context *ctx,
-                                              int is384);
-
-/**
- * \brief          This function feeds an input buffer into an ongoing
- *                 SHA-512 checksum calculation.
- *
- * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0.
- *
- * \param ctx      The SHA-512 context. This must be initialized
- *                 and have a hash operation started.
- * \param input    The buffer holding the data. This must be a readable
- *                 buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data in Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha512_update(mbedtls_sha512_context *ctx,
-                                              const unsigned char *input,
-                                              size_t ilen);
-
-/**
- * \brief          This function finishes the SHA-512 operation, and writes
- *                 the result to the output buffer.
- *
- * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
- *
- * \param ctx      The SHA-512 context. This must be initialized
- *                 and have a hash operation started.
- * \param output   The SHA-384 or SHA-512 checksum result. This must
- *                 be a writable buffer of size \c 64 Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha512_finish(mbedtls_sha512_context *ctx,
-                                              unsigned char output[64]);
-
-/**
- * \brief          This function processes a single data block within
- *                 the ongoing SHA-512 computation. This function is for
- *                 internal use only.
- *
- * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0.
- *
- * \param ctx      The SHA-512 context. This must be initialized.
- * \param data     The buffer holding one block of data. This must be
- *                 a readable buffer of length \c 128 Bytes.
- */
-MBEDTLS_DEPRECATED void mbedtls_sha512_process(
-    mbedtls_sha512_context *ctx,
-    const unsigned char data[128]);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 
 /**
  * \brief          This function calculates the SHA-512 or SHA-384
@@ -231,69 +157,48 @@ MBEDTLS_DEPRECATED void mbedtls_sha512_process(
  *                 a readable buffer of length \p ilen Bytes.
  * \param ilen     The length of the input data in Bytes.
  * \param output   The SHA-384 or SHA-512 checksum result.
- *                 This must be a writable buffer of length \c 64 Bytes.
+ *                 This must be a writable buffer of length \c 64 bytes
+ *                 for SHA-512, \c 48 bytes for SHA-384.
  * \param is384    Determines which function to use. This must be either
  *                 \c 0 for SHA-512, or \c 1 for SHA-384.
  *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will return
+ * \note           is384 must be defined accordingly with the supported
+ *                 symbols in the config file. If:
+ *                 - is384 is 0, but \c MBEDTLS_SHA384_C is not defined, or
+ *                 - is384 is 1, but \c MBEDTLS_SHA512_C is not defined
+ *                 then the function will return
  *                 #MBEDTLS_ERR_SHA512_BAD_INPUT_DATA.
  *
  * \return         \c 0 on success.
  * \return         A negative error code on failure.
  */
-int mbedtls_sha512_ret(const unsigned char *input,
-                       size_t ilen,
-                       unsigned char output[64],
-                       int is384);
+int mbedtls_sha512(const unsigned char *input,
+                   size_t ilen,
+                   unsigned char *output,
+                   int is384);
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
+#if defined(MBEDTLS_SELF_TEST)
 
+#if defined(MBEDTLS_SHA384_C)
 /**
- * \brief          This function calculates the SHA-512 or SHA-384
- *                 checksum of a buffer.
- *
- *                 The function allocates the context, performs the
- *                 calculation, and frees the context.
- *
- *                 The SHA-512 result is calculated as
- *                 output = SHA-512(input buffer).
+ * \brief          The SHA-384 checkup routine.
  *
- * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
- *
- * \param input    The buffer holding the data. This must be a
- *                 readable buffer of length \p ilen Bytes.
- * \param ilen     The length of the input data in Bytes.
- * \param output   The SHA-384 or SHA-512 checksum result. This must
- *                 be a writable buffer of length \c 64 Bytes.
- * \param is384    Determines which function to use. This must be either
- *                 \c 0 for SHA-512, or \c 1 for SHA-384.
- *
- * \note           When \c MBEDTLS_SHA512_NO_SHA384 is defined, \p is384 must
- *                 be \c 0, or the function will fail to work.
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
  */
-MBEDTLS_DEPRECATED void mbedtls_sha512(const unsigned char *input,
-                                       size_t ilen,
-                                       unsigned char output[64],
-                                       int is384);
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-#if defined(MBEDTLS_SELF_TEST)
+int mbedtls_sha384_self_test(int verbose);
+#endif /* MBEDTLS_SHA384_C */
 
+#if defined(MBEDTLS_SHA512_C)
 /**
- * \brief          The SHA-384 or SHA-512 checkup routine.
+ * \brief          The SHA-512 checkup routine.
  *
  * \return         \c 0 on success.
  * \return         \c 1 on failure.
  */
 int mbedtls_sha512_self_test(int verbose);
+#endif /* MBEDTLS_SHA512_C */
+
 #endif /* MBEDTLS_SELF_TEST */
 
 #ifdef __cplusplus

+ 573 - 165
thirdparty/mbedtls/include/mbedtls/ssl.h


+ 67 - 23
thirdparty/mbedtls/include/mbedtls/ssl_cache.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_SSL_CACHE_H
 #define MBEDTLS_SSL_CACHE_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ssl.h"
 
@@ -26,7 +23,7 @@
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 
@@ -52,25 +49,27 @@ typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
  */
 struct mbedtls_ssl_cache_entry {
 #if defined(MBEDTLS_HAVE_TIME)
-    mbedtls_time_t timestamp;           /*!< entry timestamp    */
-#endif
-    mbedtls_ssl_session session;        /*!< entry session      */
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
-    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-    mbedtls_x509_buf peer_cert;         /*!< entry peer_cert    */
+    mbedtls_time_t MBEDTLS_PRIVATE(timestamp);           /*!< entry timestamp    */
 #endif
-    mbedtls_ssl_cache_entry *next;      /*!< chain pointer      */
+
+    unsigned char MBEDTLS_PRIVATE(session_id)[32];       /*!< session ID         */
+    size_t MBEDTLS_PRIVATE(session_id_len);
+
+    unsigned char *MBEDTLS_PRIVATE(session);             /*!< serialized session */
+    size_t MBEDTLS_PRIVATE(session_len);
+
+    mbedtls_ssl_cache_entry *MBEDTLS_PRIVATE(next);      /*!< chain pointer      */
 };
 
 /**
  * \brief Cache context
  */
 struct mbedtls_ssl_cache_context {
-    mbedtls_ssl_cache_entry *chain;     /*!< start of the chain     */
-    int timeout;                /*!< cache entry timeout    */
-    int max_entries;            /*!< maximum entries        */
+    mbedtls_ssl_cache_entry *MBEDTLS_PRIVATE(chain);     /*!< start of the chain     */
+    int MBEDTLS_PRIVATE(timeout);                /*!< cache entry timeout    */
+    int MBEDTLS_PRIVATE(max_entries);            /*!< maximum entries        */
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);    /*!< mutex                  */
 #endif
 };
 
@@ -85,27 +84,58 @@ void mbedtls_ssl_cache_init(mbedtls_ssl_cache_context *cache);
  * \brief          Cache get callback implementation
  *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
  *
- * \param data     SSL cache context
- * \param session  session to retrieve entry for
+ * \param data            The SSL cache context to use.
+ * \param session_id      The pointer to the buffer holding the session ID
+ *                        for the session to load.
+ * \param session_id_len  The length of \p session_id in bytes.
+ * \param session         The address at which to store the session
+ *                        associated with \p session_id, if present.
  *
  * \return                \c 0 on success.
  * \return                #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is
  *                        no cache entry with specified session ID found, or
  *                        any other negative error code for other failures.
  */
-int mbedtls_ssl_cache_get(void *data, mbedtls_ssl_session *session);
+int mbedtls_ssl_cache_get(void *data,
+                          unsigned char const *session_id,
+                          size_t session_id_len,
+                          mbedtls_ssl_session *session);
 
 /**
  * \brief          Cache set callback implementation
  *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
  *
- * \param data     SSL cache context
- * \param session  session to store entry for
+ * \param data            The SSL cache context to use.
+ * \param session_id      The pointer to the buffer holding the session ID
+ *                        associated to \p session.
+ * \param session_id_len  The length of \p session_id in bytes.
+ * \param session         The session to store.
  *
  * \return                \c 0 on success.
  * \return                A negative error code on failure.
  */
-int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session);
+int mbedtls_ssl_cache_set(void *data,
+                          unsigned char const *session_id,
+                          size_t session_id_len,
+                          const mbedtls_ssl_session *session);
+
+/**
+ * \brief          Remove the cache entry by the session ID
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data            The SSL cache context to use.
+ * \param session_id      The pointer to the buffer holding the session ID
+ *                        associated to session.
+ * \param session_id_len  The length of \p session_id in bytes.
+ *
+ * \return                \c 0 on success. This indicates the cache entry for
+ *                        the session with provided ID is removed or does not
+ *                        exist.
+ * \return                A negative error code on failure.
+ */
+int mbedtls_ssl_cache_remove(void *data,
+                             unsigned char const *session_id,
+                             size_t session_id_len);
 
 #if defined(MBEDTLS_HAVE_TIME)
 /**
@@ -118,6 +148,20 @@ int mbedtls_ssl_cache_set(void *data, const mbedtls_ssl_session *session);
  * \param timeout  cache entry timeout in seconds
  */
 void mbedtls_ssl_cache_set_timeout(mbedtls_ssl_cache_context *cache, int timeout);
+
+/**
+ * \brief          Get the cache timeout
+ *
+ *                 A timeout of 0 indicates no timeout.
+ *
+ * \param cache    SSL cache context
+ *
+ * \return         cache entry timeout in seconds
+ */
+static inline int mbedtls_ssl_cache_get_timeout(mbedtls_ssl_cache_context *cache)
+{
+    return cache->MBEDTLS_PRIVATE(timeout);
+}
 #endif /* MBEDTLS_HAVE_TIME */
 
 /**

+ 143 - 197
thirdparty/mbedtls/include/mbedtls/ssl_ciphersuites.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_SSL_CIPHERSUITES_H
 #define MBEDTLS_SSL_CIPHERSUITES_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/pk.h"
 #include "mbedtls/cipher.h"
@@ -30,15 +27,6 @@ extern "C" {
 #define MBEDTLS_TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
 #define MBEDTLS_TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
 
-#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5                 0x04
-#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA                 0x05
-#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
-
-#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
-
-#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
-#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
-
 #define MBEDTLS_TLS_PSK_WITH_NULL_SHA                    0x2C   /**< Weak! */
 #define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA                0x2D   /**< Weak! */
 #define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA                0x2E   /**< Weak! */
@@ -61,18 +49,12 @@ extern "C" {
 #define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
 #define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
 
-#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA                 0x8A
-#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA            0x8B
 #define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA             0x8C
 #define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA             0x8D
 
-#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA             0x8E
-#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        0x8F
 #define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         0x90
 #define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         0x91
 
-#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA             0x92
-#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        0x93
 #define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         0x94
 #define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         0x95
 
@@ -110,28 +92,20 @@ extern "C" {
 #define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
 
 #define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA             0xC001 /**< Weak! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA          0xC002 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC003 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005
 
 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA            0xC006 /**< Weak! */
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         0xC007 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC008 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A
 
 #define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA               0xC00B /**< Weak! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA            0xC00C /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       0xC00D /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F
 
 #define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA              0xC010 /**< Weak! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA           0xC011 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      0xC012 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014
 
 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023 /**< TLS 1.2 */
 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024 /**< TLS 1.2 */
@@ -151,15 +125,13 @@ extern "C" {
 #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
 #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
 
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039 /**< Weak! No SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B
 
 #define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256         0xC03C /**< TLS 1.2 */
 #define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384         0xC03D /**< TLS 1.2 */
@@ -200,14 +172,14 @@ extern "C" {
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256   0xC070 /**< TLS 1.2 */
 #define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384   0xC071 /**< TLS 1.2 */
 
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078 /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079
 
 #define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         0xC07A /**< TLS 1.2 */
 #define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         0xC07B /**< TLS 1.2 */
@@ -235,8 +207,8 @@ extern "C" {
 #define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC097
 #define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC098
 #define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC099
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
-#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B
 
 #define MBEDTLS_TLS_RSA_WITH_AES_128_CCM                0xC09C  /**< TLS 1.2 */
 #define MBEDTLS_TLS_RSA_WITH_AES_256_CCM                0xC09D  /**< TLS 1.2 */
@@ -272,6 +244,13 @@ extern "C" {
 #define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAD /**< TLS 1.2 */
 #define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAE /**< TLS 1.2 */
 
+/* RFC 8446, Appendix B.4 */
+#define MBEDTLS_TLS1_3_AES_128_GCM_SHA256                     0x1301 /**< TLS 1.3 */
+#define MBEDTLS_TLS1_3_AES_256_GCM_SHA384                     0x1302 /**< TLS 1.3 */
+#define MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256               0x1303 /**< TLS 1.3 */
+#define MBEDTLS_TLS1_3_AES_128_CCM_SHA256                     0x1304 /**< TLS 1.3 */
+#define MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256                   0x1305 /**< TLS 1.3 */
+
 /* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
  * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
  */
@@ -301,16 +280,49 @@ typedef enum {
 #define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
 #endif
 
-/* Key exchanges allowing client certificate requests */
+/* Key exchanges in either TLS 1.2 or 1.3 which are using an ECDSA
+ * signature */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#define MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
+#endif
+
+/* Key exchanges allowing client certificate requests.
+ *
+ * Note: that's almost the same as MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
+ * above, except RSA-PSK uses a server certificate but no client cert.
+ *
+ * Note: this difference is specific to TLS 1.2, as with TLS 1.3, things are
+ * more symmetrical: client certs and server certs are either both allowed
+ * (Ephemeral mode) or both disallowed (PSK and PKS-Ephemeral modes).
+ */
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           ||       \
     defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       ||       \
-    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      ||       \
     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   ||       \
     defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)    ||       \
-    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
 #define MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED
 #endif
 
+/* Helper to state that certificate-based client authentication through ECDSA
+ * is supported in TLS 1.2 */
+#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
+#define MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED
+#endif
+
+/* ECDSA required for certificates in either TLS 1.2 or 1.3 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED
+#endif
+
 /* Key exchanges involving server signature in ServerKeyExchange */
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
@@ -363,6 +375,62 @@ typedef enum {
 #define MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED
 #endif
 
+/* TLS 1.2 key exchanges using ECDH or ECDHE*/
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED
+#endif
+
+/* TLS 1.3 PSK key exchanges */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
+#endif
+
+/* TLS 1.2 or 1.3 key exchanges with PSK */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
+#define MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
+#endif
+
+/* TLS 1.3 ephemeral key exchanges */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED
+#endif
+
+/* TLS 1.3 key exchanges using ECDHE */
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
+    defined(PSA_WANT_ALG_ECDH)
+#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_ECDHE_ENABLED
+#endif
+
+/* TLS 1.2 or 1.3 key exchanges using ECDH or ECDHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_ECDHE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED
+#endif
+
+/* TLS 1.2 XXDH key exchanges: ECDH or ECDHE or FFDH */
+#if (defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED))
+#define MBEDTLS_KEY_EXCHANGE_SOME_XXDH_1_2_ENABLED
+#endif
+
+/* The handshake params structure has a set of fields called xxdh_psa which are used:
+ * - by TLS 1.2 with `USE_PSA` to do ECDH or ECDHE;
+ * - by TLS 1.3 to do ECDHE or FFDHE.
+ * The following macros can be used to guard their declaration and use.
+ */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) && \
+    defined(MBEDTLS_USE_PSA_CRYPTO)
+#define MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_1_2_ENABLED
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_1_2_ENABLED) || \
+    defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED
+#endif
+
 typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
 
 #define MBEDTLS_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */
@@ -372,21 +440,22 @@ typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
 
 /**
  * \brief   This structure is used for storing ciphersuite information
+ *
+ * \note    members are defined using integral types instead of enums
+ *          in order to pack structure and reduce memory usage by internal
+ *          \c ciphersuite_definitions[]
  */
 struct mbedtls_ssl_ciphersuite_t {
-    int id;
-    const char *name;
+    int MBEDTLS_PRIVATE(id);
+    const char *MBEDTLS_PRIVATE(name);
 
-    mbedtls_cipher_type_t cipher;
-    mbedtls_md_type_t mac;
-    mbedtls_key_exchange_type_t key_exchange;
+    uint8_t MBEDTLS_PRIVATE(cipher);           /* mbedtls_cipher_type_t */
+    uint8_t MBEDTLS_PRIVATE(mac);              /* mbedtls_md_type_t */
+    uint8_t MBEDTLS_PRIVATE(key_exchange);     /* mbedtls_key_exchange_type_t */
+    uint8_t MBEDTLS_PRIVATE(flags);
 
-    int min_major_ver;
-    int min_minor_ver;
-    int max_major_ver;
-    int max_minor_ver;
-
-    unsigned char flags;
+    uint16_t MBEDTLS_PRIVATE(min_tls_version); /* mbedtls_ssl_protocol_version */
+    uint16_t MBEDTLS_PRIVATE(max_tls_version); /* mbedtls_ssl_protocol_version */
 };
 
 const int *mbedtls_ssl_list_ciphersuites(void);
@@ -394,140 +463,17 @@ const int *mbedtls_ssl_list_ciphersuites(void);
 const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(const char *ciphersuite_name);
 const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id(int ciphersuite_id);
 
-#if defined(MBEDTLS_PK_C)
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphersuite_t *info);
-mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersuite_t *info);
-#endif
-
-int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info);
-int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info);
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info)
+static inline const char *mbedtls_ssl_ciphersuite_get_name(const mbedtls_ssl_ciphersuite_t *info)
 {
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
-        case MBEDTLS_KEY_EXCHANGE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_PSK:
-        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
-            return 1;
-
-        default:
-            return 0;
-    }
+    return info->MBEDTLS_PRIVATE(name);
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */
 
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info)
+static inline int mbedtls_ssl_ciphersuite_get_id(const mbedtls_ssl_ciphersuite_t *info)
 {
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
-            return 1;
-
-        default:
-            return 0;
-    }
+    return info->MBEDTLS_PRIVATE(id);
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */
 
-static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-
-static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
-        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
-static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
-    const mbedtls_ssl_ciphersuite_t *info)
-{
-    switch (info->key_exchange) {
-        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
-        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
-            return 1;
-
-        default:
-            return 0;
-    }
-}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
+size_t mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(const mbedtls_ssl_ciphersuite_t *info);
 
 #ifdef __cplusplus
 }

+ 18 - 12
thirdparty/mbedtls/include/mbedtls/ssl_cookie.h

@@ -9,24 +9,23 @@
  */
 #ifndef MBEDTLS_SSL_COOKIE_H
 #define MBEDTLS_SSL_COOKIE_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/ssl.h"
 
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_THREADING_C)
 #include "mbedtls/threading.h"
 #endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
 
 /**
  * \name SECTION: Module settings
  *
  * The configuration options you can set for this module are in this section.
- * Either change them in config.h or define them on the compiler command line.
+ * Either change them in mbedtls_config.h or define them on the compiler command line.
  * \{
  */
 #ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
@@ -43,16 +42,23 @@ extern "C" {
  * \brief          Context for the default cookie functions.
  */
 typedef struct mbedtls_ssl_cookie_ctx {
-    mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_svc_key_id_t    MBEDTLS_PRIVATE(psa_hmac_key);  /*!< key id for the HMAC portion   */
+    psa_algorithm_t         MBEDTLS_PRIVATE(psa_hmac_alg);  /*!< key algorithm for the HMAC portion   */
+#else
+    mbedtls_md_context_t    MBEDTLS_PRIVATE(hmac_ctx);   /*!< context for the HMAC portion   */
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
 #if !defined(MBEDTLS_HAVE_TIME)
-    unsigned long   serial;     /*!< serial number for expiration   */
+    unsigned long   MBEDTLS_PRIVATE(serial);     /*!< serial number for expiration   */
 #endif
-    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
-                                     or in number of tickets issued */
+    unsigned long   MBEDTLS_PRIVATE(timeout);    /*!< timeout delay, in seconds if HAVE_TIME,
+                                                    or in number of tickets issued */
 
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_threading_mutex_t mutex;
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
 #endif
+#endif /* !MBEDTLS_USE_PSA_CRYPTO */
 } mbedtls_ssl_cookie_ctx;
 
 /**
@@ -64,7 +70,7 @@ void mbedtls_ssl_cookie_init(mbedtls_ssl_cookie_ctx *ctx);
  * \brief          Setup cookie context (generate keys)
  */
 int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
-                             int (*f_rng)(void *, unsigned char *, size_t),
+                             mbedtls_f_rng_t *f_rng,
                              void *p_rng);
 
 /**

+ 0 - 1339
thirdparty/mbedtls/include/mbedtls/ssl_internal.h

@@ -1,1339 +0,0 @@
-/**
- * \file ssl_internal.h
- *
- * \brief Internal functions shared by the SSL modules
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_SSL_INTERNAL_H
-#define MBEDTLS_SSL_INTERNAL_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include "mbedtls/ssl.h"
-#include "mbedtls/cipher.h"
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#endif
-
-#if defined(MBEDTLS_MD5_C)
-#include "mbedtls/md5.h"
-#endif
-
-#if defined(MBEDTLS_SHA1_C)
-#include "mbedtls/sha1.h"
-#endif
-
-#if defined(MBEDTLS_SHA256_C)
-#include "mbedtls/sha256.h"
-#endif
-
-#if defined(MBEDTLS_SHA512_C)
-#include "mbedtls/sha512.h"
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-#include "mbedtls/ecjpake.h"
-#endif
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-#include "psa/crypto.h"
-#include "mbedtls/psa_util.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
-    !defined(inline) && !defined(__cplusplus)
-#define inline __inline
-#endif
-
-/* Determine minimum supported version */
-#define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
-
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
-#endif /* MBEDTLS_SSL_PROTO_TLS1   */
-#endif /* MBEDTLS_SSL_PROTO_SSL3   */
-
-#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
-#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
-
-/* Determine maximum supported version */
-#define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
-#else
-#if defined(MBEDTLS_SSL_PROTO_TLS1)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
-#else
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
-#endif /* MBEDTLS_SSL_PROTO_SSL3   */
-#endif /* MBEDTLS_SSL_PROTO_TLS1   */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-/* Shorthand for restartable ECC */
-#if defined(MBEDTLS_ECP_RESTARTABLE) && \
-    defined(MBEDTLS_SSL_CLI_C) && \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
-    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
-#endif
-
-#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
-#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
-#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
-#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
-
-/*
- * DTLS retransmission states, see RFC 6347 4.2.4
- *
- * The SENDING state is merged in PREPARING for initial sends,
- * but is distinct for resends.
- *
- * Note: initial state is wrong for server, but is not used anyway.
- */
-#define MBEDTLS_SSL_RETRANS_PREPARING       0
-#define MBEDTLS_SSL_RETRANS_SENDING         1
-#define MBEDTLS_SSL_RETRANS_WAITING         2
-#define MBEDTLS_SSL_RETRANS_FINISHED        3
-
-/*
- * Allow extra bytes for record, authentication and encryption overhead:
- * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
- * and allow for a maximum of 1024 of compression expansion if
- * enabled.
- */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-#define MBEDTLS_SSL_COMPRESSION_ADD          1024
-#else
-#define MBEDTLS_SSL_COMPRESSION_ADD             0
-#endif
-
-/* This macro determines whether CBC is supported. */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                               \
-    (defined(MBEDTLS_AES_C)      ||                                  \
-    defined(MBEDTLS_CAMELLIA_C) ||                                  \
-    defined(MBEDTLS_ARIA_C)     ||                                  \
-    defined(MBEDTLS_DES_C))
-#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
-#endif
-
-/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
- * opposed to the very different CBC construct used in SSLv3) is supported. */
-#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
-    (defined(MBEDTLS_SSL_PROTO_TLS1) ||        \
-    defined(MBEDTLS_SSL_PROTO_TLS1_1) ||      \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
-#endif
-
-#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||   \
-    defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
-#define MBEDTLS_SSL_SOME_MODES_USE_MAC
-#endif
-
-#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
-/* Ciphersuites using HMAC */
-#if defined(MBEDTLS_SHA512_C)
-#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
-#elif defined(MBEDTLS_SHA256_C)
-#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
-#else
-#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
-#endif
-#else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
-/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
-#define MBEDTLS_SSL_MAC_ADD                 16
-#endif
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-#define MBEDTLS_SSL_PADDING_ADD            256
-#else
-#define MBEDTLS_SSL_PADDING_ADD              0
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_MAX_CID_EXPANSION      MBEDTLS_SSL_CID_PADDING_GRANULARITY
-#else
-#define MBEDTLS_SSL_MAX_CID_EXPANSION        0
-#endif
-
-#define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_SSL_COMPRESSION_ADD +    \
-                                      MBEDTLS_MAX_IV_LENGTH +          \
-                                      MBEDTLS_SSL_MAC_ADD +            \
-                                      MBEDTLS_SSL_PADDING_ADD +        \
-                                      MBEDTLS_SSL_MAX_CID_EXPANSION    \
-                                      )
-
-#define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
-                                    (MBEDTLS_SSL_IN_CONTENT_LEN))
-
-#define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
-                                     (MBEDTLS_SSL_OUT_CONTENT_LEN))
-
-/* The maximum number of buffered handshake messages. */
-#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
-
-/* Maximum length we can advertise as our max content length for
-   RFC 6066 max_fragment_length extension negotiation purposes
-   (the lesser of both sizes, if they are unequal.)
- */
-#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
-        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
-        ? (MBEDTLS_SSL_OUT_CONTENT_LEN)                            \
-        : (MBEDTLS_SSL_IN_CONTENT_LEN)                             \
-        )
-
-/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
-#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN  65534
-
-/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
-#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
-
-/*
- * Check that we obey the standard's message size bounds
- */
-
-#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
-#error "Bad configuration - record content too large."
-#endif
-
-#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
-#error \
-    "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
-#endif
-
-#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
-#error \
-    "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
-#endif
-
-#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
-#error "Bad configuration - incoming protected record payload too large."
-#endif
-
-#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
-#error "Bad configuration - outgoing protected record payload too large."
-#endif
-
-/* Calculate buffer sizes */
-
-/* Note: Even though the TLS record header is only 5 bytes
-   long, we're internally using 8 bytes to store the
-   implicit sequence number. */
-#define MBEDTLS_SSL_HEADER_LEN 13
-
-#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_IN_BUFFER_LEN  \
-    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
-#else
-#define MBEDTLS_SSL_IN_BUFFER_LEN  \
-    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
-     + (MBEDTLS_SSL_CID_IN_LEN_MAX))
-#endif
-
-#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
-    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
-#else
-#define MBEDTLS_SSL_OUT_BUFFER_LEN                               \
-    ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)    \
-     + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
-#endif
-
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
-static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
-{
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    return mbedtls_ssl_get_output_max_frag_len(ctx)
-           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
-           + MBEDTLS_SSL_CID_OUT_LEN_MAX;
-#else
-    return mbedtls_ssl_get_output_max_frag_len(ctx)
-           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
-#endif
-}
-
-static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
-{
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    return mbedtls_ssl_get_input_max_frag_len(ctx)
-           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
-           + MBEDTLS_SSL_CID_IN_LEN_MAX;
-#else
-    return mbedtls_ssl_get_input_max_frag_len(ctx)
-           + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
-#endif
-}
-#endif
-
-#ifdef MBEDTLS_ZLIB_SUPPORT
-/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
-#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
-        (MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN)      \
-        ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
-        : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
-        )
-#endif
-
-/*
- * TLS extension flags (for extensions with outgoing ServerHello content
- * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
- * of state of the renegotiation flag, so no indicator is required)
- */
-#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
-#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
-
-/**
- * \brief        This function checks if the remaining size in a buffer is
- *               greater or equal than a needed space.
- *
- * \param cur    Pointer to the current position in the buffer.
- * \param end    Pointer to one past the end of the buffer.
- * \param need   Needed space in bytes.
- *
- * \return       Zero if the needed space is available in the buffer, non-zero
- *               otherwise.
- */
-static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
-                                          const uint8_t *end, size_t need)
-{
-    return (cur > end) || (need > (size_t) (end - cur));
-}
-
-/**
- * \brief        This macro checks if the remaining size in a buffer is
- *               greater or equal than a needed space. If it is not the case,
- *               it returns an SSL_BUFFER_TOO_SMALL error.
- *
- * \param cur    Pointer to the current position in the buffer.
- * \param end    Pointer to one past the end of the buffer.
- * \param need   Needed space in bytes.
- *
- */
-#define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need)                        \
-    do {                                                                 \
-        if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
-        {                                                                \
-            return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;                  \
-        }                                                                \
-    } while (0)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
-    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-/*
- * Abstraction for a grid of allowed signature-hash-algorithm pairs.
- */
-struct mbedtls_ssl_sig_hash_set_t {
-    /* At the moment, we only need to remember a single suitable
-     * hash algorithm per signature algorithm. As long as that's
-     * the case - and we don't need a general lookup function -
-     * we can implement the sig-hash-set as a map from signatures
-     * to hash algorithms. */
-    mbedtls_md_type_t rsa;
-    mbedtls_md_type_t ecdsa;
-};
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
-          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
-typedef int  mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
-                                    const char *label,
-                                    const unsigned char *random, size_t rlen,
-                                    unsigned char *dstbuf, size_t dlen);
-
-/* cipher.h exports the maximum IV, key and block length from
- * all ciphers enabled in the config, regardless of whether those
- * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
- * in the default configuration and uses 64 Byte keys, but it is
- * not used for record protection in SSL/TLS.
- *
- * In order to prevent unnecessary inflation of key structures,
- * we introduce SSL-specific variants of the max-{key,block,IV}
- * macros here which are meant to only take those ciphers into
- * account which can be negotiated in SSL/TLS.
- *
- * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
- * in cipher.h are rough overapproximations of the real maxima, here
- * we content ourselves with replicating those overapproximations
- * for the maximum block and IV length, and excluding XTS from the
- * computation of the maximum key length. */
-#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
-#define MBEDTLS_SSL_MAX_IV_LENGTH    16
-#define MBEDTLS_SSL_MAX_KEY_LENGTH   32
-
-/**
- * \brief   The data structure holding the cryptographic material (key and IV)
- *          used for record protection in TLS 1.3.
- */
-struct mbedtls_ssl_key_set {
-    /*! The key for client->server records. */
-    unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
-    /*! The key for server->client records. */
-    unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
-    /*! The IV  for client->server records. */
-    unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
-    /*! The IV  for server->client records. */
-    unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
-
-    size_t key_len; /*!< The length of client_write_key and
-                     *   server_write_key, in Bytes. */
-    size_t iv_len;  /*!< The length of client_write_iv and
-                     *   server_write_iv, in Bytes. */
-};
-typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
-
-/*
- * This structure contains the parameters only needed during handshake.
- */
-struct mbedtls_ssl_handshake_params {
-    /*
-     * Handshake specific crypto variables
-     */
-
-    uint8_t max_major_ver;              /*!< max. major version client*/
-    uint8_t max_minor_ver;              /*!< max. minor version client*/
-    uint8_t resume;                     /*!<  session resume indicator*/
-    uint8_t cli_exts;                   /*!< client extension presence*/
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
-    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    uint8_t sni_authmode;               /*!< authmode from SNI callback     */
-#endif
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-    uint8_t new_session_ticket;         /*!< use NewSessionTicket?    */
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-    uint8_t extended_ms;                /*!< use Extended Master Secret? */
-#endif
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
-    uint8_t async_in_progress;          /*!< an asynchronous operation is in progress */
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    unsigned char retransmit_state;     /*!<  Retransmission state           */
-#endif
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
-    uint8_t ecrs_enabled;               /*!< Handshake supports EC restart? */
-    enum { /* this complements ssl->state with info on intra-state operations */
-        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
-        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
-        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
-        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
-        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
-    } ecrs_state;                       /*!< current (or last) operation    */
-    mbedtls_x509_crt *ecrs_peer_cert;   /*!< The peer's CRT chain.          */
-    size_t ecrs_n;                      /*!< place for saving a length      */
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) &&                \
-    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
-#endif
-
-    size_t pmslen;                      /*!<  premaster length        */
-
-    mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
-
-    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
-    void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
-    MBEDTLS_CHECK_RETURN_CRITICAL
-    int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
-    mbedtls_ssl_tls_prf_cb *tls_prf;
-
-#if defined(MBEDTLS_DHM_C)
-    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
-#endif
-
-/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
- * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
- * in functionality that access to ecdh_ctx structure is needed for
- * MBEDTLS_ECDSA_C which does not seem correct.
- */
-#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
-    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_type_t ecdh_psa_type;
-    uint16_t ecdh_bits;
-    psa_key_id_t ecdh_psa_privkey;
-    unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
-    size_t ecdh_psa_peerkey_len;
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
-#if defined(MBEDTLS_SSL_CLI_C)
-    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
-    size_t ecjpake_cache_len;                   /*!< Length of cached data */
-#endif
-#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
-
-#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) ||      \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_id_t psk_opaque;            /*!< Opaque PSK from the callback   */
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-    unsigned char *psk;                 /*!<  PSK from the callback         */
-    size_t psk_len;                     /*!<  Length of PSK from callback   */
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
-    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
-    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
-    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C) &&        \
-    !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-    mbedtls_pk_context peer_pubkey;     /*!< The public key from the peer.  */
-#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    struct {
-        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
-                                      *   buffers used for message buffering. */
-
-        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
-                                         *   been seen in the current flight. */
-
-        struct mbedtls_ssl_hs_buffer {
-            unsigned is_valid      : 1;
-            unsigned is_fragmented : 1;
-            unsigned is_complete   : 1;
-            unsigned char *data;
-            size_t data_len;
-        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
-
-        struct {
-            unsigned char *data;
-            size_t len;
-            unsigned epoch;
-        } future_record;
-
-    } buffering;
-
-    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
-    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
-
-    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
-                                              Srv: unused                    */
-    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
-                                              Srv: flag for sending a cookie */
-
-    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
-    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
-    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
-    unsigned char *cur_msg_p;           /*!<  Position in current message    */
-    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
-                                              flight being received          */
-    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
-                                                   resending messages             */
-    unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
-                                              for resending messages         */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    /* The state of CID configuration in this handshake. */
-
-    uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
-                         *   has been negotiated. Possible values are
-                         *   #MBEDTLS_SSL_CID_ENABLED and
-                         *   #MBEDTLS_SSL_CID_DISABLED. */
-    unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];   /*! The peer's CID */
-    uint8_t peer_cid_len;                                  /*!< The length of
-                                                            *   \c peer_cid.  */
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-    /*
-     * Checksum contexts
-     */
-#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
-    defined(MBEDTLS_SSL_PROTO_TLS1_1)
-    mbedtls_md5_context fin_md5;
-    mbedtls_sha1_context fin_sha1;
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_SHA256_C)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_hash_operation_t fin_sha256_psa;
-#else
-    mbedtls_sha256_context fin_sha256;
-#endif
-#endif
-#if defined(MBEDTLS_SHA512_C)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_hash_operation_t fin_sha384_psa;
-#else
-    mbedtls_sha512_context fin_sha512;
-#endif
-#endif
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-    unsigned char randbytes[64];        /*!<  random bytes            */
-    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
-    /*!<  premaster secret        */
-
-#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
-    /** Asynchronous operation context. This field is meant for use by the
-     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
-     * mbedtls_ssl_config::f_async_decrypt_start,
-     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
-     * The library does not use it internally. */
-    void *user_async_ctx;
-#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
-};
-
-typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
-
-/*
- * Representation of decryption/encryption transformations on records
- *
- * There are the following general types of record transformations:
- * - Stream transformations (TLS versions <= 1.2 only)
- *   Transformation adding a MAC and applying a stream-cipher
- *   to the authenticated message.
- * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
- *   In addition to the distinction of the order of encryption and
- *   authentication, there's a fundamental difference between the
- *   handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
- *   and TLS 1.0, the final IV after processing a record is used
- *   as the IV for the next record. No explicit IV is contained
- *   in an encrypted record. The IV for the first record is extracted
- *   at key extraction time. In contrast, for TLS 1.1 and 1.2, no
- *   IV is generated at key extraction time, but every encrypted
- *   record is explicitly prefixed by the IV with which it was encrypted.
- * - AEAD transformations ([D]TLS versions >= 1.2 only)
- *   These come in two fundamentally different versions, the first one
- *   used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
- *   one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
- *   In the first transformation, the IV to be used for a record is obtained
- *   as the concatenation of an explicit, static 4-byte IV and the 8-byte
- *   record sequence number, and explicitly prepending this sequence number
- *   to the encrypted record. In contrast, in the second transformation
- *   the IV is obtained by XOR'ing a static IV obtained at key extraction
- *   time with the 8-byte record sequence number, without prepending the
- *   latter to the encrypted record.
- *
- * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
- * which allows to add flexible length padding and to hide a record's true
- * content type.
- *
- * In addition to type and version, the following parameters are relevant:
- * - The symmetric cipher algorithm to be used.
- * - The (static) encryption/decryption keys for the cipher.
- * - For stream/CBC, the type of message digest to be used.
- * - For stream/CBC, (static) encryption/decryption keys for the digest.
- * - For AEAD transformations, the size (potentially 0) of an explicit,
- *   random initialization vector placed in encrypted records.
- * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
- *   an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
- *   and (if present) is combined with the explicit IV in a transformation-
- *   dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
- * - For stream/CBC, a flag determining the order of encryption and MAC.
- * - The details of the transformation depend on the SSL/TLS version.
- * - The length of the authentication tag.
- *
- * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
- *       constant across multiple encryption/decryption operations.
- *       For CBC, the implicit IV needs to be updated after each
- *       operation.
- *
- * The struct below refines this abstract view as follows:
- * - The cipher underlying the transformation is managed in
- *   cipher contexts cipher_ctx_{enc/dec}, which must have the
- *   same cipher type. The mode of these cipher contexts determines
- *   the type of the transformation in the sense above: e.g., if
- *   the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
- *   then the transformation has type CBC resp. AEAD.
- * - The cipher keys are never stored explicitly but
- *   are maintained within cipher_ctx_{enc/dec}.
- * - For stream/CBC transformations, the message digest contexts
- *   used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
- *   are unused for AEAD transformations.
- * - For stream/CBC transformations and versions > SSL3, the
- *   MAC keys are not stored explicitly but maintained within
- *   md_ctx_{enc/dec}.
- * - For stream/CBC transformations and version SSL3, the MAC
- *   keys are stored explicitly in mac_enc, mac_dec and have
- *   a fixed size of 20 bytes. These fields are unused for
- *   AEAD transformations or transformations >= TLS 1.0.
- * - For transformations using an implicit IV maintained within
- *   the transformation context, its contents are stored within
- *   iv_{enc/dec}.
- * - The value of ivlen indicates the length of the IV.
- *   This is redundant in case of stream/CBC transformations
- *   which always use 0 resp. the cipher's block length as the
- *   IV length, but is needed for AEAD ciphers and may be
- *   different from the underlying cipher's block length
- *   in this case.
- * - The field fixed_ivlen is nonzero for AEAD transformations only
- *   and indicates the length of the static part of the IV which is
- *   constant throughout the communication, and which is stored in
- *   the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
- *   Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
- *   still store IV's for continued use across multiple transformations,
- *   so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
- *   not being used!
- * - minor_ver denotes the SSL/TLS version
- * - For stream/CBC transformations, maclen denotes the length of the
- *   authentication tag, while taglen is unused and 0.
- * - For AEAD transformations, taglen denotes the length of the
- *   authentication tag, while maclen is unused and 0.
- * - For CBC transformations, encrypt_then_mac determines the
- *   order of encryption and authentication. This field is unused
- *   in other transformations.
- *
- */
-struct mbedtls_ssl_transform {
-    /*
-     * Session specific crypto layer
-     */
-    size_t minlen;                      /*!<  min. ciphertext length  */
-    size_t ivlen;                       /*!<  IV length               */
-    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
-    size_t maclen;                      /*!<  MAC(CBC) len            */
-    size_t taglen;                      /*!<  TAG(AEAD) len           */
-
-    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
-    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
-
-#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
-
-#if defined(MBEDTLS_SSL_PROTO_SSL3)
-    /* Needed only for SSL v3.0 secret */
-    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
-    unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
-#endif /* MBEDTLS_SSL_PROTO_SSL3 */
-
-    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
-    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
-
-#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-    int encrypt_then_mac;       /*!< flag for EtM activation                */
-#endif
-
-#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
-
-    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
-    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
-    int minor_ver;
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    uint8_t in_cid_len;
-    uint8_t out_cid_len;
-    unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
-    unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-
-    /*
-     * Session specific compression layer
-     */
-#if defined(MBEDTLS_ZLIB_SUPPORT)
-    z_stream ctx_deflate;               /*!<  compression context     */
-    z_stream ctx_inflate;               /*!<  decompression context   */
-#endif
-
-#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
-    /* We need the Hello random bytes in order to re-derive keys from the
-     * Master Secret and other session info, see ssl_populate_transform() */
-    unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
-#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
-};
-
-/*
- * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
- * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
- */
-static inline int mbedtls_ssl_transform_uses_aead(
-    const mbedtls_ssl_transform *transform)
-{
-#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
-    return transform->maclen == 0 && transform->taglen != 0;
-#else
-    (void) transform;
-    return 1;
-#endif
-}
-
-/*
- * Internal representation of record frames
- *
- * Instances come in two flavors:
- * (1) Encrypted
- *     These always have data_offset = 0
- * (2) Unencrypted
- *     These have data_offset set to the amount of
- *     pre-expansion during record protection. Concretely,
- *     this is the length of the fixed part of the explicit IV
- *     used for encryption, or 0 if no explicit IV is used
- *     (e.g. for CBC in TLS 1.0, or stream ciphers).
- *
- * The reason for the data_offset in the unencrypted case
- * is to allow for in-place conversion of an unencrypted to
- * an encrypted record. If the offset wasn't included, the
- * encrypted content would need to be shifted afterwards to
- * make space for the fixed IV.
- *
- */
-#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
-#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
-#else
-#define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
-#endif
-
-typedef struct {
-    uint8_t ctr[8];         /* In TLS:  The implicit record sequence number.
-                             * In DTLS: The 2-byte epoch followed by
-                             *          the 6-byte sequence number.
-                             * This is stored as a raw big endian byte array
-                             * as opposed to a uint64_t because we rarely
-                             * need to perform arithmetic on this, but do
-                             * need it as a Byte array for the purpose of
-                             * MAC computations.                             */
-    uint8_t type;           /* The record content type.                      */
-    uint8_t ver[2];         /* SSL/TLS version as present on the wire.
-                             * Convert to internal presentation of versions
-                             * using mbedtls_ssl_read_version() and
-                             * mbedtls_ssl_write_version().
-                             * Keep wire-format for MAC computations.        */
-
-    unsigned char *buf;     /* Memory buffer enclosing the record content    */
-    size_t buf_len;         /* Buffer length                                 */
-    size_t data_offset;     /* Offset of record content                      */
-    size_t data_len;        /* Length of record content                      */
-
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    uint8_t cid_len;        /* Length of the CID (0 if not present)          */
-    unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX];   /* The CID                 */
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-} mbedtls_record;
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-/*
- * List of certificate + private key pairs
- */
-struct mbedtls_ssl_key_cert {
-    mbedtls_x509_crt *cert;                 /*!< cert                       */
-    mbedtls_pk_context *key;                /*!< private key                */
-    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
-};
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-/*
- * List of handshake messages kept around for resending
- */
-struct mbedtls_ssl_flight_item {
-    unsigned char *p;       /*!< message, including handshake headers   */
-    size_t len;             /*!< length of p                            */
-    unsigned char type;     /*!< type of the message: handshake or CCS  */
-    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
-};
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
-    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-/* Find an entry in a signature-hash set matching a given hash algorithm. */
-mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set,
-                                                mbedtls_pk_type_t sig_alg);
-/* Add a signature-hash-pair to a signature-hash set */
-void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set,
-                                  mbedtls_pk_type_t sig_alg,
-                                  mbedtls_md_type_t md_alg);
-/* Allow exactly one hash algorithm for each signature. */
-void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set,
-                                         mbedtls_md_type_t md_alg);
-
-/* Setup an empty signature-hash set */
-static inline void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set)
-{
-    mbedtls_ssl_sig_hash_set_const_hash(set, MBEDTLS_MD_NONE);
-}
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
-          MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
-/**
- * \brief           Free referenced items in an SSL transform context and clear
- *                  memory
- *
- * \param transform SSL transform context
- */
-void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
-
-/**
- * \brief           Free referenced items in an SSL handshake context and clear
- *                  memory
- *
- * \param ssl       SSL context
- */
-void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
-
-void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
-
-/**
- * \brief       Update record layer
- *
- *              This function roughly separates the implementation
- *              of the logic of (D)TLS from the implementation
- *              of the secure transport.
- *
- * \param  ssl              The SSL context to use.
- * \param  update_hs_digest This indicates if the handshake digest
- *                          should be automatically updated in case
- *                          a handshake message is found.
- *
- * \return      0 or non-zero error code.
- *
- * \note        A clarification on what is called 'record layer' here
- *              is in order, as many sensible definitions are possible:
- *
- *              The record layer takes as input an untrusted underlying
- *              transport (stream or datagram) and transforms it into
- *              a serially multiplexed, secure transport, which
- *              conceptually provides the following:
- *
- *              (1) Three datagram based, content-agnostic transports
- *                  for handshake, alert and CCS messages.
- *              (2) One stream- or datagram-based transport
- *                  for application data.
- *              (3) Functionality for changing the underlying transform
- *                  securing the contents.
- *
- *              The interface to this functionality is given as follows:
- *
- *              a Updating
- *                [Currently implemented by mbedtls_ssl_read_record]
- *
- *                Check if and on which of the four 'ports' data is pending:
- *                Nothing, a controlling datagram of type (1), or application
- *                data (2). In any case data is present, internal buffers
- *                provide access to the data for the user to process it.
- *                Consumption of type (1) datagrams is done automatically
- *                on the next update, invalidating that the internal buffers
- *                for previous datagrams, while consumption of application
- *                data (2) is user-controlled.
- *
- *              b Reading of application data
- *                [Currently manual adaption of ssl->in_offt pointer]
- *
- *                As mentioned in the last paragraph, consumption of data
- *                is different from the automatic consumption of control
- *                datagrams (1) because application data is treated as a stream.
- *
- *              c Tracking availability of application data
- *                [Currently manually through decreasing ssl->in_msglen]
- *
- *                For efficiency and to retain datagram semantics for
- *                application data in case of DTLS, the record layer
- *                provides functionality for checking how much application
- *                data is still available in the internal buffer.
- *
- *              d Changing the transformation securing the communication.
- *
- *              Given an opaque implementation of the record layer in the
- *              above sense, it should be possible to implement the logic
- *              of (D)TLS on top of it without the need to know anything
- *              about the record layer's internals. This is done e.g.
- *              in all the handshake handling functions, and in the
- *              application data reading function mbedtls_ssl_read.
- *
- * \note        The above tries to give a conceptual picture of the
- *              record layer, but the current implementation deviates
- *              from it in some places. For example, our implementation of
- *              the update functionality through mbedtls_ssl_read_record
- *              discards datagrams depending on the current state, which
- *              wouldn't fall under the record layer's responsibility
- *              following the above definition.
- *
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
-                            unsigned update_hs_digest);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
-
-void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
-                                   const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
-
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex);
-
-/**
- * Get the first defined PSK by order of precedence:
- * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
- * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
- * Return a code and update the pair (PSK, PSK length) passed to this function
- */
-static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
-                                      const unsigned char **psk, size_t *psk_len)
-{
-    if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
-        *psk = ssl->handshake->psk;
-        *psk_len = ssl->handshake->psk_len;
-    } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
-        *psk = ssl->conf->psk;
-        *psk_len = ssl->conf->psk_len;
-    } else {
-        *psk = NULL;
-        *psk_len = 0;
-        return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
-    }
-
-    return 0;
-}
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-/**
- * Get the first defined opaque PSK by order of precedence:
- * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
- *    callback
- * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
- * Return an opaque PSK
- */
-static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
-    const mbedtls_ssl_context *ssl)
-{
-    if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
-        return ssl->handshake->psk_opaque;
-    }
-
-    if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
-        return ssl->conf->psk_opaque;
-    }
-
-    return MBEDTLS_SVC_KEY_ID_INIT;
-}
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-
-#if defined(MBEDTLS_PK_C)
-unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
-unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
-mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
-#endif
-
-mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
-unsigned char mbedtls_ssl_hash_from_md_alg(int md);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
-
-#if defined(MBEDTLS_ECP_C)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl,
-                               mbedtls_md_type_t md);
-#endif
-
-#if defined(MBEDTLS_SSL_DTLS_SRTP)
-static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
-    (const uint16_t srtp_profile_value)
-{
-    switch (srtp_profile_value) {
-        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
-        case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
-        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
-        case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
-            return srtp_profile_value;
-        default: break;
-    }
-    return MBEDTLS_TLS_SRTP_UNSET;
-}
-#endif
-
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
-{
-    mbedtls_ssl_key_cert *key_cert;
-
-    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
-        key_cert = ssl->handshake->key_cert;
-    } else {
-        key_cert = ssl->conf->key_cert;
-    }
-
-    return key_cert == NULL ? NULL : key_cert->key;
-}
-
-static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
-{
-    mbedtls_ssl_key_cert *key_cert;
-
-    if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
-        key_cert = ssl->handshake->key_cert;
-    } else {
-        key_cert = ssl->conf->key_cert;
-    }
-
-    return key_cert == NULL ? NULL : key_cert->cert;
-}
-
-/*
- * Check usage of a certificate wrt extensions:
- * keyUsage, extendedKeyUsage (later), and nSCertType (later).
- *
- * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
- * check a cert we received from them)!
- *
- * Return 0 if everything is OK, -1 if not.
- */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
-                                 const mbedtls_ssl_ciphersuite_t *ciphersuite,
-                                 int cert_endpoint,
-                                 uint32_t *flags);
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
-
-void mbedtls_ssl_write_version(int major, int minor, int transport,
-                               unsigned char ver[2]);
-void mbedtls_ssl_read_version(int *major, int *minor, int transport,
-                              const unsigned char ver[2]);
-
-static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
-{
-#if !defined(MBEDTLS_SSL_PROTO_DTLS)
-    ((void) ssl);
-#endif
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-        return 13;
-    } else
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-    {
-        return 5;
-    }
-}
-
-static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
-{
-    return (size_t) (ssl->out_iv - ssl->out_hdr);
-}
-
-static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-        return 12;
-    }
-#else
-    ((void) ssl);
-#endif
-    return 4;
-}
-
-/** Get the host name from the SSL context.
- *
- * \param[in]   ssl     SSL context
- *
- * \return The \p hostname pointer from the SSL context.
- *         \c NULL if mbedtls_ssl_set_hostname() has never been called on
- *         \p ssl or if it was last called with \p NULL.
- */
-const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
-#endif
-
-/* Visible for testing purposes only */
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
-void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
-#endif
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
-                             const mbedtls_ssl_session *src);
-
-#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
-    defined(MBEDTLS_SSL_PROTO_TLS1_1)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl,
-                                            unsigned char *output,
-                                            unsigned char *data, size_t data_len);
-#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
-          MBEDTLS_SSL_PROTO_TLS1_1 */
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
-    defined(MBEDTLS_SSL_PROTO_TLS1_2)
-/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
-                                           unsigned char *hash, size_t *hashlen,
-                                           unsigned char *data, size_t data_len,
-                                           mbedtls_md_type_t md_alg);
-#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
-          MBEDTLS_SSL_PROTO_TLS1_2 */
-
-#ifdef __cplusplus
-}
-#endif
-
-void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
-                            mbedtls_ssl_transform *transform,
-                            mbedtls_record *rec,
-                            int (*f_rng)(void *, unsigned char *, size_t),
-                            void *p_rng);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
-                            mbedtls_ssl_transform *transform,
-                            mbedtls_record *rec);
-
-/* Length of the "epoch" field in the record header */
-static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
-{
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
-        return 2;
-    }
-#else
-    ((void) ssl);
-#endif
-    return 0;
-}
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
-
-void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
-                                     mbedtls_ssl_transform *transform);
-void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
-
-#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
-void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
-#endif
-
-void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
-
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
-#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
-void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
-
-#if defined(MBEDTLS_TEST_HOOKS)
-int mbedtls_ssl_check_dtls_clihlo_cookie(
-    mbedtls_ssl_context *ssl,
-    const unsigned char *cli_id, size_t cli_id_len,
-    const unsigned char *in, size_t in_len,
-    unsigned char *obuf, size_t buf_len, size_t *olen);
-#endif
-
-#endif /* ssl_internal.h */

+ 92 - 19
thirdparty/mbedtls/include/mbedtls/ssl_ticket.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_SSL_TICKET_H
 #define MBEDTLS_SSL_TICKET_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 /*
  * This implementation of the session ticket callbacks includes key
@@ -25,6 +22,14 @@
 #include "mbedtls/ssl.h"
 #include "mbedtls/cipher.h"
 
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
 #if defined(MBEDTLS_THREADING_C)
 #include "mbedtls/threading.h"
 #endif
@@ -33,13 +38,30 @@
 extern "C" {
 #endif
 
+#define MBEDTLS_SSL_TICKET_MAX_KEY_BYTES 32          /*!< Max supported key length in bytes */
+#define MBEDTLS_SSL_TICKET_KEY_NAME_BYTES 4          /*!< key name length in bytes */
+
 /**
  * \brief   Information for session ticket protection
  */
 typedef struct mbedtls_ssl_ticket_key {
-    unsigned char name[4];          /*!< random key identifier              */
-    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
-    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
+    unsigned char MBEDTLS_PRIVATE(name)[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES];
+    /*!< random key identifier              */
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */
+#endif
+    /*! Lifetime of the key in seconds. This is also the lifetime of the
+     *  tickets created under that key.
+     */
+    uint32_t MBEDTLS_PRIVATE(lifetime);
+#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+    mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx);   /*!< context for auth enc/decryption    */
+#else
+    mbedtls_svc_key_id_t MBEDTLS_PRIVATE(key);       /*!< key used for auth enc/decryption   */
+    psa_algorithm_t MBEDTLS_PRIVATE(alg);            /*!< algorithm of auth enc/decryption   */
+    psa_key_type_t MBEDTLS_PRIVATE(key_type);        /*!< key type                           */
+    size_t MBEDTLS_PRIVATE(key_bits);                /*!< key length in bits                 */
+#endif
 }
 mbedtls_ssl_ticket_key;
 
@@ -47,17 +69,17 @@ mbedtls_ssl_ticket_key;
  * \brief   Context for session ticket handling functions
  */
 typedef struct mbedtls_ssl_ticket_context {
-    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
-    unsigned char active;           /*!< index of the currently active key  */
+    mbedtls_ssl_ticket_key MBEDTLS_PRIVATE(keys)[2]; /*!< ticket protection keys             */
+    unsigned char MBEDTLS_PRIVATE(active);           /*!< index of the currently active key  */
 
-    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */
+    uint32_t MBEDTLS_PRIVATE(ticket_lifetime);       /*!< lifetime of tickets in seconds     */
 
     /** Callback for getting (pseudo-)random numbers                        */
-    int  (*f_rng)(void *, unsigned char *, size_t);
-    void *p_rng;                    /*!< context for the RNG function       */
+    int(*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t);
+    void *MBEDTLS_PRIVATE(p_rng);                    /*!< context for the RNG function       */
 
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_threading_mutex_t mutex;
+    mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex);
 #endif
 }
 mbedtls_ssl_ticket_context;
@@ -75,8 +97,10 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
  * \brief           Prepare context to be actually used
  *
  * \param ctx       Context to be set up
- * \param f_rng     RNG callback function
- * \param p_rng     RNG callback context
+ * \param f_rng     RNG callback function (mandatory)
+ * \param p_rng     RNG callback context.
+ *                  Note that the RNG callback must remain valid
+ *                  until the ticket context is freed.
  * \param cipher    AEAD cipher to use for ticket protection.
  *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
  * \param lifetime  Tickets lifetime in seconds
@@ -86,18 +110,67 @@ void mbedtls_ssl_ticket_init(mbedtls_ssl_ticket_context *ctx);
  *                  least as strong as the strongest ciphersuite
  *                  supported. Usually that means a 256-bit key.
  *
- * \note            The lifetime of the keys is twice the lifetime of tickets.
- *                  It is recommended to pick a reasonable lifetime so as not
+ * \note            It is recommended to pick a reasonable lifetime so as not
  *                  to negate the benefits of forward secrecy.
  *
+ * \note            The TLS 1.3 specification states that ticket lifetime must
+ *                  be smaller than seven days. If ticket lifetime has been
+ *                  set to a value greater than seven days in this module then
+ *                  if the TLS 1.3 is configured to send tickets after the
+ *                  handshake it will fail the connection when trying to send
+ *                  the first ticket.
+ *
  * \return          0 if successful,
  *                  or a specific MBEDTLS_ERR_XXX error code
  */
 int mbedtls_ssl_ticket_setup(mbedtls_ssl_ticket_context *ctx,
-                             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                             mbedtls_f_rng_t *f_rng, void *p_rng,
                              mbedtls_cipher_type_t cipher,
                              uint32_t lifetime);
 
+/**
+ * \brief           Rotate session ticket encryption key to new specified key.
+ *                  Provides for external control of session ticket encryption
+ *                  key rotation, e.g. for synchronization between different
+ *                  machines.  If this function is not used, or if not called
+ *                  before ticket lifetime expires, then a new session ticket
+ *                  encryption key is generated internally in order to avoid
+ *                  unbounded session ticket encryption key lifetimes.
+ *
+ * \param ctx       Context to be set up
+ * \param name      Session ticket encryption key name
+ * \param nlength   Session ticket encryption key name length in bytes
+ * \param k         Session ticket encryption key
+ * \param klength   Session ticket encryption key length in bytes
+ * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
+ *
+ * \note            \c name and \c k are recommended to be cryptographically
+ *                  random data.
+ *
+ * \note            \c nlength must match sizeof( ctx->name )
+ *
+ * \note            \c klength must be sufficient for use by cipher specified
+ *                  to \c mbedtls_ssl_ticket_setup
+ *
+ * \note            It is recommended to pick a reasonable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
+ * \note            The TLS 1.3 specification states that ticket lifetime must
+ *                  be smaller than seven days. If ticket lifetime has been
+ *                  set to a value greater than seven days in this module then
+ *                  if the TLS 1.3 is configured to send tickets after the
+ *                  handshake it will fail the connection when trying to send
+ *                  the first ticket.
+ *
+ * \return          0 if successful,
+ *                  or a specific MBEDTLS_ERR_XXX error code
+ */
+int mbedtls_ssl_ticket_rotate(mbedtls_ssl_ticket_context *ctx,
+                              const unsigned char *name, size_t nlength,
+                              const unsigned char *k, size_t klength,
+                              uint32_t lifetime);
+
 /**
  * \brief           Implementation of the ticket write callback
  *
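Review bot: The `\note \c nlength must match sizeof( ctx->name )` line in the new mbedtls_ssl_ticket_rotate() documentation refers to a member the context does not have: mbedtls_ssl_ticket_context as declared in this hunk holds `keys[2]`, `active`, `ticket_lifetime`, the RNG pair and the mutex, while the key name lives in mbedtls_ssl_ticket_key as `name[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES]`. Suggest `\note \c nlength must equal MBEDTLS_SSL_TICKET_KEY_NAME_BYTES (the key name length; see mbedtls_ssl_ticket_key).` The \c klength note could likewise name the bound this header already defines, e.g. `\note \c klength must be sufficient for the cipher given to mbedtls_ssl_ticket_setup() and no larger than MBEDTLS_SSL_TICKET_MAX_KEY_BYTES.`, though whether the implementation rejects longer keys is not visible here and should be confirmed against ssl_ticket.c. For \c k, "recommended to be cryptographically random" understates the contract: the ticket protection key must be secret and unpredictable, since whoever holds it can decrypt or forge every session ticket issued under it.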

+ 39 - 15
thirdparty/mbedtls/include/mbedtls/threading.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_THREADING_H
 #define MBEDTLS_THREADING_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stdlib.h>
 
@@ -22,11 +19,6 @@
 extern "C" {
 #endif
 
-/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
- * used. */
-/** The selected feature is not available. */
-#define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A
-
 /** Bad input parameters to function. */
 #define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C
 /** Locking / unlocking / free failed with error code. */
@@ -35,11 +27,15 @@ extern "C" {
 #if defined(MBEDTLS_THREADING_PTHREAD)
 #include <pthread.h>
 typedef struct mbedtls_threading_mutex_t {
-    pthread_mutex_t mutex;
-    /* is_valid is 0 after a failed init or a free, and nonzero after a
-     * successful init. This field is not considered part of the public
-     * API of Mbed TLS and may change without notice. */
-    char is_valid;
+    pthread_mutex_t MBEDTLS_PRIVATE(mutex);
+
+    /* WARNING - state should only be accessed when holding the mutex lock in
+     * framework/tests/src/threading_helpers.c, otherwise corruption can occur.
+     * state will be 0 after a failed init or a free, and nonzero after a
+     * successful init. This field is for testing only and thus not considered
+     * part of the public API of Mbed TLS and may change without notice.*/
+    char MBEDTLS_PRIVATE(state);
+
 } mbedtls_threading_mutex_t;
 #endif
 
@@ -104,6 +100,34 @@ extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
 extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
 #endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
 
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+/*
+ * A mutex used to make the PSA subsystem thread safe.
+ *
+ * key_slot_mutex protects the registered_readers and
+ * state variable for all key slots in &global_data.key_slots.
+ *
+ * This mutex must be held when any read from or write to a state or
+ * registered_readers field is performed, i.e. when calling functions:
+ * psa_key_slot_state_transition(), psa_register_read(), psa_unregister_read(),
+ * psa_key_slot_has_readers() and psa_wipe_key_slot(). */
+extern mbedtls_threading_mutex_t mbedtls_threading_key_slot_mutex;
+
+/*
+ * A mutex used to make the non-rng PSA global_data struct members thread safe.
+ *
+ * This mutex must be held when reading or writing to any of the PSA global_data
+ * structure members, other than the rng_state or rng struct. */
+extern mbedtls_threading_mutex_t mbedtls_threading_psa_globaldata_mutex;
+
+/*
+ * A mutex used to make the PSA global_data rng data thread safe.
+ *
+ * This mutex must be held when reading or writing to the PSA
+ * global_data rng_state or rng struct members. */
+extern mbedtls_threading_mutex_t mbedtls_threading_psa_rngdata_mutex;
+#endif
+
 #endif /* MBEDTLS_THREADING_C */
 
 #ifdef __cplusplus
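Review bot: The comment on the new `state` field of mbedtls_threading_mutex_t points the reader to `framework/tests/src/threading_helpers.c`, which belongs to upstream's test framework and is not part of this vendored thirdparty/mbedtls copy, so the reference is a dead link for anyone maintaining this tree. Suggest rewording the first line to `/* WARNING - state is a test-only field; upstream's test helpers read it only while holding the mutex, otherwise corruption can occur.` and keeping the rest of the comment as is. The mbedtls_threading_key_slot_mutex comment further down is phrased in terms of `&global_data.key_slots`, which appears to be an internal of the PSA key-slot code rather than anything declared in this header; naming the source file that defines it would let a reader find the protected state.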

+ 14 - 57
thirdparty/mbedtls/include/mbedtls/timing.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_TIMING_H
 #define MBEDTLS_TIMING_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include <stdint.h>
 
@@ -30,67 +27,25 @@ extern "C" {
  * \brief          timer structure
  */
 struct mbedtls_timing_hr_time {
-    unsigned char opaque[32];
+    uint64_t MBEDTLS_PRIVATE(opaque)[4];
 };
 
 /**
  * \brief          Context for mbedtls_timing_set/get_delay()
  */
 typedef struct mbedtls_timing_delay_context {
-    struct mbedtls_timing_hr_time   timer;
-    uint32_t                        int_ms;
-    uint32_t                        fin_ms;
+    struct mbedtls_timing_hr_time   MBEDTLS_PRIVATE(timer);
+    uint32_t                        MBEDTLS_PRIVATE(int_ms);
+    uint32_t                        MBEDTLS_PRIVATE(fin_ms);
 } mbedtls_timing_delay_context;
 
 #else  /* MBEDTLS_TIMING_ALT */
 #include "timing_alt.h"
 #endif /* MBEDTLS_TIMING_ALT */
 
-extern volatile int mbedtls_timing_alarmed;
-
-/**
- * \brief          Return the CPU cycle counter value
- *
- * \warning        This is only a best effort! Do not rely on this!
- *                 In particular, it is known to be unreliable on virtual
- *                 machines.
- *
- * \note           This value starts at an unspecified origin and
- *                 may wrap around.
- */
-unsigned long mbedtls_timing_hardclock(void);
-
-/**
- * \brief          Return the elapsed time in milliseconds
- *
- * \param val      points to a timer structure
- * \param reset    If 0, query the elapsed time. Otherwise (re)start the timer.
- *
- * \return         Elapsed time since the previous reset in ms. When
- *                 restarting, this is always 0.
- *
- * \note           To initialize a timer, call this function with reset=1.
- *
- *                 Determining the elapsed time and resetting the timer is not
- *                 atomic on all platforms, so after the sequence
- *                 `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
- *                 get_timer(0) }` the value time1+time2 is only approximately
- *                 the delay since the first reset.
- */
+/* Internal use */
 unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset);
 
-/**
- * \brief          Setup an alarm clock
- *
- * \param seconds  delay before the "mbedtls_timing_alarmed" flag is set
- *                 (must be >=0)
- *
- * \warning        Only one alarm at a time  is supported. In a threaded
- *                 context, this means one for the whole process, not one per
- *                 thread.
- */
-void mbedtls_set_alarm(int seconds);
-
 /**
  * \brief          Set a pair of delays to watch
  *                 (See \c mbedtls_timing_get_delay().)
@@ -121,14 +76,16 @@ void mbedtls_timing_set_delay(void *data, uint32_t int_ms, uint32_t fin_ms);
  */
 int mbedtls_timing_get_delay(void *data);
 
-#if defined(MBEDTLS_SELF_TEST)
 /**
- * \brief          Checkup routine
+ * \brief          Get the final timing delay
  *
- * \return         0 if successful, or 1 if a test failed
+ * \param data     Pointer to timing data
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return         Final timing delay in milliseconds.
  */
-int mbedtls_timing_self_test(int verbose);
-#endif
+uint32_t mbedtls_timing_get_final_delay(
+    const mbedtls_timing_delay_context *data);
 
 #ifdef __cplusplus
 }
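Review bot: Replacing mbedtls_timing_get_timer()'s documentation with a bare `/* Internal use */` drops the contract for a prototype that is still exported from this public header: what `reset` does, what the return value means, and the caveat that querying and resetting are not atomic on all platforms. Since the delay helpers declared below presumably build on it, a short doc is worth keeping, for example `/* Internal use: elapsed ms since the last reset; reset != 0 (re)starts the timer and returns 0. Read-and-reset is not atomic on all platforms. */`. Separately, the new mbedtls_timing_get_final_delay() takes a typed `const mbedtls_timing_delay_context *` while mbedtls_timing_get_delay() keeps `void *data`; a one-line note that the latter matches the mbedtls_ssl_set_timer_cb() callback signature would explain the asymmetry to the next reader.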

+ 5 - 25
thirdparty/mbedtls/include/mbedtls/version.h

@@ -8,34 +8,14 @@
  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 /*
- * This set of compile-time defines and run-time variables can be used to
- * determine the version number of the Mbed TLS library used.
+ * This set of run-time variables can be used to determine the version number of
+ * the Mbed TLS library used. Compile-time version defines for the same can be
+ * found in build_info.h
  */
 #ifndef MBEDTLS_VERSION_H
 #define MBEDTLS_VERSION_H
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-/**
- * The version number x.y.z is split into three parts.
- * Major, Minor, Patchlevel
- */
-#define MBEDTLS_VERSION_MAJOR  2
-#define MBEDTLS_VERSION_MINOR  28
-#define MBEDTLS_VERSION_PATCH  10
-
-/**
- * The single version number has the following structure:
- *    MMNNPP00
- *    Major version | Minor version | Patch version
- */
-#define MBEDTLS_VERSION_NUMBER         0x021C0A00
-#define MBEDTLS_VERSION_STRING         "2.28.10"
-#define MBEDTLS_VERSION_STRING_FULL    "Mbed TLS 2.28.10"
+#include "mbedtls/build_info.h"
 
 #if defined(MBEDTLS_VERSION_C)
 
@@ -78,7 +58,7 @@ void mbedtls_version_get_string_full(char *string);
  *
  * \note            only checks against defines in the sections "System
  *                  support", "Mbed TLS modules" and "Mbed TLS feature
- *                  support" in config.h
+ *                  support" in mbedtls_config.h
  *
  * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
  *

+ 188 - 56
thirdparty/mbedtls/include/mbedtls/x509.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_X509_H
 #define MBEDTLS_X509_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/pk.h"
@@ -139,7 +136,7 @@
 
 /*
  * X.509 v3 Key Usage Extension flags
- * Reminder: update x509_info_key_usage() when adding new flags.
+ * Reminder: update mbedtls_x509_info_key_usage() when adding new flags.
  */
 #define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
 #define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
@@ -234,6 +231,17 @@ typedef mbedtls_asn1_named_data mbedtls_x509_name;
  */
 typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
 
+/*
+ * Container for the fields of the Authority Key Identifier object
+ */
+typedef struct mbedtls_x509_authority {
+    mbedtls_x509_buf keyIdentifier;
+    mbedtls_x509_sequence authorityCertIssuer;
+    mbedtls_x509_buf authorityCertSerialNumber;
+    mbedtls_x509_buf raw;
+}
+mbedtls_x509_authority;
+
 /** Container for date and time (precision in seconds). */
 typedef struct mbedtls_x509_time {
     int year, mon, day;         /**< Date. */
@@ -241,7 +249,65 @@ typedef struct mbedtls_x509_time {
 }
 mbedtls_x509_time;
 
+/**
+ * From RFC 5280 section 4.2.1.6:
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * Future versions of the library may add new fields to this structure or
+ * to its embedded union and structure.
+ */
+typedef struct mbedtls_x509_san_other_name {
+    /**
+     * The type_id is an OID as defined in RFC 5280.
+     * To check the value of the type id, you should use
+     * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
+     */
+    mbedtls_x509_buf type_id;                   /**< The type id. */
+    union {
+        /**
+         * From RFC 4108 section 5:
+         * HardwareModuleName ::= SEQUENCE {
+         *                         hwType OBJECT IDENTIFIER,
+         *                         hwSerialNum OCTET STRING }
+         */
+        struct {
+            mbedtls_x509_buf oid;               /**< The object identifier. */
+            mbedtls_x509_buf val;               /**< The named value. */
+        }
+        hardware_module_name;
+    }
+    value;
+}
+mbedtls_x509_san_other_name;
+
+/**
+ * A structure for holding the parsed Subject Alternative Name,
+ * according to type.
+ *
+ * Future versions of the library may add new fields to this structure or
+ * to its embedded union and structure.
+ */
+typedef struct mbedtls_x509_subject_alternative_name {
+    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
+    union {
+        mbedtls_x509_san_other_name other_name;
+        mbedtls_x509_name directory_name;
+        mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
+    }
+    san; /**< A union of the supported SAN types */
+}
+mbedtls_x509_subject_alternative_name;
+
+typedef struct mbedtls_x509_san_list {
+    mbedtls_x509_subject_alternative_name node;
+    struct mbedtls_x509_san_list *next;
+}
+mbedtls_x509_san_list;
+
 /** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
 
 /**
  * \brief          Store the certificate DN in printable form into buf;
@@ -256,6 +322,44 @@ mbedtls_x509_time;
  */
 int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
 
+/**
+ * \brief            Convert the certificate DN string \p name into
+ *                   a linked list of mbedtls_x509_name (equivalent to
+ *                   mbedtls_asn1_named_data).
+ *
+ * \note             This function allocates a linked list, and places the head
+ *                   pointer in \p head. This list must later be freed by a
+ *                   call to mbedtls_asn1_free_named_data_list().
+ *
+ * \param[out] head  Address in which to store the pointer to the head of the
+ *                   allocated list of mbedtls_x509_name. Must point to NULL on
+ *                   entry.
+ * \param[in] name   The string representation of a DN to convert
+ *
+ * \return           0 on success, or a negative error code.
+ */
+int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
+
+/**
+ * \brief          Return the next relative DN in an X509 name.
+ *
+ * \note           Intended use is to compare function result to dn->next
+ *                 in order to detect boundaries of multi-valued RDNs.
+ *
+ * \param dn       Current node in the X509 name
+ *
+ * \return         Pointer to the first attribute-value pair of the
+ *                 next RDN in sequence, or NULL if end is reached.
+ */
+static inline mbedtls_x509_name *mbedtls_x509_dn_get_next(
+    mbedtls_x509_name *dn)
+{
+    while (dn->MBEDTLS_PRIVATE(next_merged) && dn->next != NULL) {
+        dn = dn->next;
+    }
+    return dn->next;
+}
+
 /**
  * \brief          Store the certificate serial in printable form into buf;
  *                 no more than size characters will be written.
@@ -269,6 +373,31 @@ int mbedtls_x509_dn_gets(char *buf, size_t size, const mbedtls_x509_name *dn);
  */
 int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *serial);
 
+/**
+ * \brief          Compare pair of mbedtls_x509_time.
+ *
+ * \param t1       mbedtls_x509_time to compare
+ * \param t2       mbedtls_x509_time to compare
+ *
+ * \return         < 0 if t1 is before t2
+ *                   0 if t1 equals t2
+ *                 > 0 if t1 is after t2
+ */
+int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1, const mbedtls_x509_time *t2);
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief          Fill mbedtls_x509_time with provided mbedtls_time_t.
+ *
+ * \param tt       mbedtls_time_t to convert
+ * \param now      mbedtls_x509_time to fill with converted mbedtls_time_t
+ *
+ * \return         \c 0 on success
+ * \return         A non-zero return value on failure.
+ */
+int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now);
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
 /**
  * \brief          Check a given mbedtls_x509_time against the system time
  *                 and tell if it's in the past.
@@ -297,60 +426,63 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to);
  */
 int mbedtls_x509_time_is_future(const mbedtls_x509_time *from);
 
-/** \} addtogroup x509_module */
-
-#if defined(MBEDTLS_SELF_TEST)
-
 /**
- * \brief          Checkup routine
+ * \brief          This function parses an item in the SubjectAlternativeNames
+ *                 extension. Please note that this function might allocate
+ *                 additional memory for a subject alternative name, thus
+ *                 mbedtls_x509_free_subject_alt_name has to be called
+ *                 to dispose of this additional memory afterwards.
  *
- * \return         0 if successful, or 1 if the test failed
+ * \param san_buf  The buffer holding the raw data item of the subject
+ *                 alternative name.
+ * \param san      The target structure to populate with the parsed presentation
+ *                 of the subject alternative name encoded in \p san_buf.
+ *
+ * \note           Supported GeneralName types, as defined in RFC 5280:
+ *                 "rfc822Name", "dnsName", "directoryName",
+ *                 "uniformResourceIdentifier" and "hardware_module_name"
+ *                 of type "otherName", as defined in RFC 4108.
+ *
+ * \note           This function should be called on a single raw data of
+ *                 subject alternative name. For example, after successful
+ *                 certificate parsing, one must iterate on every item in the
+ *                 \c crt->subject_alt_names sequence, and pass it to
+ *                 this function.
+ *
+ * \warning        The target structure contains pointers to the raw data of the
+ *                 parsed certificate, and its lifetime is restricted by the
+ *                 lifetime of the certificate.
+ *
+ * \return         \c 0 on success
+ * \return         #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
+ *                 SAN type.
+ * \return         Another negative value for any other failure.
  */
-int mbedtls_x509_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
+int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
+                                        mbedtls_x509_subject_alternative_name *san);
+/**
+ * \brief          Unallocate all data related to subject alternative name
+ *
+ * \param san      SAN structure - extra memory owned by this structure will be freed
+ */
+void mbedtls_x509_free_subject_alt_name(mbedtls_x509_subject_alternative_name *san);
 
-/*
- * Internal module functions. You probably do not want to use these unless you
- * know you do.
+/**
+ * \brief          This function parses a CN string as an IP address.
+ *
+ * \param cn       The CN string to parse. CN string MUST be null-terminated.
+ * \param dst      The target buffer to populate with the binary IP address.
+ *                 The buffer MUST be 16 bytes to save IPv6, and should be
+ *                 4-byte aligned if the result will be used as struct in_addr.
+ *                 e.g. uint32_t dst[4]
+ *
+ * \note           \p cn is parsed as an IPv6 address if string contains ':',
+ *                 else \p cn is parsed as an IPv4 address.
+ *
+ * \return         Length of binary IP address; num bytes written to target.
+ * \return         \c 0 on failure to parse CN string as an IP address.
  */
-int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end,
-                          mbedtls_x509_name *cur);
-int mbedtls_x509_get_alg_null(unsigned char **p, const unsigned char *end,
-                              mbedtls_x509_buf *alg);
-int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
-                         mbedtls_x509_buf *alg, mbedtls_x509_buf *params);
-#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
-int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params,
-                                       mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
-                                       int *salt_len);
-#endif
-int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig);
-int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
-                             mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
-                             void **sig_opts);
-int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
-                          mbedtls_x509_time *t);
-int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end,
-                            mbedtls_x509_buf *serial);
-int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end,
-                         mbedtls_x509_buf *ext, int tag);
-int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
-                              mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
-                              const void *sig_opts);
-int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name);
-int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name);
-int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
-                               int critical, const unsigned char *val,
-                               size_t val_len);
-int mbedtls_x509_write_extensions(unsigned char **p, unsigned char *start,
-                                  mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_names(unsigned char **p, unsigned char *start,
-                             mbedtls_asn1_named_data *first);
-int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
-                           const char *oid, size_t oid_len,
-                           unsigned char *sig, size_t size,
-                           mbedtls_pk_type_t pk_alg);
+size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
 
 #define MBEDTLS_X509_SAFE_SNPRINTF                          \
     do {                                                    \
@@ -365,4 +497,4 @@ int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start,
 }
 #endif
 
-#endif /* x509.h */
+#endif /* MBEDTLS_X509_H */

+ 27 - 13
thirdparty/mbedtls/include/mbedtls/x509_crl.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_X509_CRL_H
 #define MBEDTLS_X509_CRL_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/x509.h"
 
@@ -34,16 +31,28 @@ extern "C" {
 /**
  * Certificate revocation list entry.
  * Contains the CA-specific serial numbers and revocation dates.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields points to is unspecified.
  */
 typedef struct mbedtls_x509_crl_entry {
+    /** Direct access to the whole entry inside the containing buffer. */
     mbedtls_x509_buf raw;
-
+    /** The serial number of the revoked certificate. */
     mbedtls_x509_buf serial;
-
+    /** The revocation date of this entry. */
     mbedtls_x509_time revocation_date;
-
+    /** Direct access to the list of CRL entry extensions
+     * (an ASN.1 constructed sequence).
+     *
+     * If there are no extensions, `entry_ext.len == 0` and
+     * `entry_ext.p == NULL`. */
     mbedtls_x509_buf entry_ext;
 
+    /** Next element in the linked list of entries.
+     * \p NULL indicates the end of the list.
+     * Do not modify this field directly. */
     struct mbedtls_x509_crl_entry *next;
 }
 mbedtls_x509_crl_entry;
@@ -70,12 +79,15 @@ typedef struct mbedtls_x509_crl {
 
     mbedtls_x509_buf crl_ext;
 
-    mbedtls_x509_buf sig_oid2;
-    mbedtls_x509_buf sig;
-    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
-    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+    mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *MBEDTLS_PRIVATE(sig_opts);             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 
+    /** Next element in the linked list of CRL.
+     * \p NULL indicates the end of the list.
+     * Do not modify this field directly. */
     struct mbedtls_x509_crl *next;
 }
 mbedtls_x509_crl;
@@ -132,6 +144,7 @@ int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, si
 int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path);
 #endif /* MBEDTLS_FS_IO */
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Returns an informational string about the CRL.
  *
@@ -145,6 +158,7 @@ int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path);
  */
 int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_crl *crl);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
 
 /**
  * \brief          Initialize a CRL (chain)

+ 251 - 139
thirdparty/mbedtls/include/mbedtls/x509_crt.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_X509_CRT_H
 #define MBEDTLS_X509_CRT_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/x509.h"
 #include "mbedtls/x509_crl.h"
@@ -36,10 +33,14 @@ extern "C" {
 
 /**
  * Container for an X.509 certificate. The certificate may be chained.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields points to is unspecified.
  */
 typedef struct mbedtls_x509_crt {
-    int own_buffer;                     /**< Indicates if \c raw is owned
-                                         *   by the structure or not.        */
+    int MBEDTLS_PRIVATE(own_buffer);                     /**< Indicates if \c raw is owned
+                                                          *   by the structure or not.        */
     mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
     mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
 
@@ -62,72 +63,34 @@ typedef struct mbedtls_x509_crt {
     mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
     mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
     mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
-    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
+    mbedtls_x509_buf subject_key_id;    /**< Optional X.509 v3 extension subject key identifier. */
+    mbedtls_x509_authority authority_key_id;    /**< Optional X.509 v3 extension authority key identifier. */
 
     mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
 
-    int ext_types;              /**< Bit string containing detected and parsed extensions */
-    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
-    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
+    int MBEDTLS_PRIVATE(ext_types);              /**< Bit string containing detected and parsed extensions */
+    int MBEDTLS_PRIVATE(ca_istrue);              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
+    int MBEDTLS_PRIVATE(max_pathlen);            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
 
-    unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
+    unsigned int MBEDTLS_PRIVATE(key_usage);     /**< Optional key usage extension value: See the values in x509.h */
 
     mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
 
-    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
+    unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
 
-    mbedtls_x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
-    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
-    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig);               /**< Signature: hash of the tbs part signed with the private key. */
+    mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *MBEDTLS_PRIVATE(sig_opts);             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 
-    struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
+    /** Next certificate in the linked list that constitutes the CA chain.
+     * \p NULL indicates the end of the list.
+     * Do not modify this field directly. */
+    struct mbedtls_x509_crt *next;
 }
 mbedtls_x509_crt;
 
-/**
- * From RFC 5280 section 4.2.1.6:
- * OtherName ::= SEQUENCE {
- *      type-id    OBJECT IDENTIFIER,
- *      value      [0] EXPLICIT ANY DEFINED BY type-id }
- */
-typedef struct mbedtls_x509_san_other_name {
-    /**
-     * The type_id is an OID as defined in RFC 5280.
-     * To check the value of the type id, you should use
-     * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
-     */
-    mbedtls_x509_buf type_id;                   /**< The type id. */
-    union {
-        /**
-         * From RFC 4108 section 5:
-         * HardwareModuleName ::= SEQUENCE {
-         *                         hwType OBJECT IDENTIFIER,
-         *                         hwSerialNum OCTET STRING }
-         */
-        struct {
-            mbedtls_x509_buf oid;               /**< The object identifier. */
-            mbedtls_x509_buf val;               /**< The named value. */
-        }
-        hardware_module_name;
-    }
-    value;
-}
-mbedtls_x509_san_other_name;
-
-/**
- * A structure for holding the parsed Subject Alternative Name, according to type
- */
-typedef struct mbedtls_x509_subject_alternative_name {
-    int type;                              /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
-    union {
-        mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
-        mbedtls_x509_buf   unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
-    }
-    san; /**< A union of the supported SAN types */
-}
-mbedtls_x509_subject_alternative_name;
-
 /**
  * Build flag from an algorithm/curve identifier (pk, md, ecp)
  * Since 0 is always XXX_NONE, ignore it.
@@ -138,6 +101,26 @@ mbedtls_x509_subject_alternative_name;
  * Security profile for certificate verification.
  *
  * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
+ *
+ * The fields of this structure are part of the public API and can be
+ * manipulated directly by applications. Future versions of the library may
+ * add extra fields or reorder existing fields.
+ *
+ * You can create custom profiles by starting from a copy of
+ * an existing profile, such as mbedtls_x509_crt_profile_default or
+ * mbedtls_x509_ctr_profile_none and then tune it to your needs.
+ *
+ * For example to allow SHA-224 in addition to the default:
+ *
+ *  mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default;
+ *  my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 );
+ *
+ * Or to allow only RSA-3072+ with SHA-256:
+ *
+ *  mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_none;
+ *  my_profile.allowed_mds = MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 );
+ *  my_profile.allowed_pks = MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_RSA );
+ *  my_profile.rsa_min_bitlen = 3072;
  */
 typedef struct mbedtls_x509_crt_profile {
     uint32_t allowed_mds;       /**< MDs for signatures         */
@@ -153,36 +136,120 @@ mbedtls_x509_crt_profile;
 #define MBEDTLS_X509_CRT_VERSION_2              1
 #define MBEDTLS_X509_CRT_VERSION_3              2
 
-#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
+#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 20
 #define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
 
 #if !defined(MBEDTLS_X509_MAX_FILE_PATH_LEN)
 #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
 #endif
 
+/* This macro unfolds to the concatenation of macro invocations
+ * X509_CRT_ERROR_INFO( error code,
+ *                             error code as string,
+ *                             human readable description )
+ * where X509_CRT_ERROR_INFO is defined by the user.
+ * See x509_crt.c for an example of how to use this. */
+#define MBEDTLS_X509_CRT_ERROR_INFO_LIST                                  \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXPIRED,            \
+                        "MBEDTLS_X509_BADCERT_EXPIRED",          \
+                        "The certificate validity has expired") \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_REVOKED,            \
+                        "MBEDTLS_X509_BADCERT_REVOKED",          \
+                        "The certificate has been revoked (is on a CRL)") \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_CN_MISMATCH,                  \
+                        "MBEDTLS_X509_BADCERT_CN_MISMATCH",                \
+                        "The certificate Common Name (CN) does not match with the expected CN") \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NOT_TRUSTED,                             \
+                        "MBEDTLS_X509_BADCERT_NOT_TRUSTED",                           \
+                        "The certificate is not correctly signed by the trusted CA") \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_NOT_TRUSTED,                      \
+                        "MBEDTLS_X509_BADCRL_NOT_TRUSTED",                    \
+                        "The CRL is not correctly signed by the trusted CA") \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_EXPIRED,    \
+                        "MBEDTLS_X509_BADCRL_EXPIRED",  \
+                        "The CRL is expired")          \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_MISSING,   \
+                        "MBEDTLS_X509_BADCERT_MISSING", \
+                        "Certificate was missing")     \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_SKIP_VERIFY,         \
+                        "MBEDTLS_X509_BADCERT_SKIP_VERIFY",       \
+                        "Certificate verification was skipped")  \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_OTHER,                          \
+                        "MBEDTLS_X509_BADCERT_OTHER",                        \
+                        "Other reason (can be used by verify callback)")    \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_FUTURE,                         \
+                        "MBEDTLS_X509_BADCERT_FUTURE",                       \
+                        "The certificate validity starts in the future")    \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_FUTURE,     \
+                        "MBEDTLS_X509_BADCRL_FUTURE",   \
+                        "The CRL is from the future")  \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_KEY_USAGE,                      \
+                        "MBEDTLS_X509_BADCERT_KEY_USAGE",                    \
+                        "Usage does not match the keyUsage extension")      \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_EXT_KEY_USAGE,                       \
+                        "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE",                     \
+                        "Usage does not match the extendedKeyUsage extension")   \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_NS_CERT_TYPE,                        \
+                        "MBEDTLS_X509_BADCERT_NS_CERT_TYPE",                      \
+                        "Usage does not match the nsCertType extension")         \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_MD,                              \
+                        "MBEDTLS_X509_BADCERT_BAD_MD",                            \
+                        "The certificate is signed with an unacceptable hash.")  \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_PK,                                                  \
+                        "MBEDTLS_X509_BADCERT_BAD_PK",                                                \
+                        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).")  \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCERT_BAD_KEY,                                                            \
+                        "MBEDTLS_X509_BADCERT_BAD_KEY",                                                          \
+                        "The certificate is signed with an unacceptable key (eg bad curve, RSA too short).")    \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_MD,                          \
+                        "MBEDTLS_X509_BADCRL_BAD_MD",                        \
+                        "The CRL is signed with an unacceptable hash.")     \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_PK,                                            \
+                        "MBEDTLS_X509_BADCRL_BAD_PK",                                          \
+                        "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).")   \
+    X509_CRT_ERROR_INFO(MBEDTLS_X509_BADCRL_BAD_KEY,                                                    \
+                        "MBEDTLS_X509_BADCRL_BAD_KEY",                                                  \
+                        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short).")
+
 /**
  * Container for writing a certificate (CRT)
  */
 typedef struct mbedtls_x509write_cert {
-    int version;
-    mbedtls_mpi serial;
-    mbedtls_pk_context *subject_key;
-    mbedtls_pk_context *issuer_key;
-    mbedtls_asn1_named_data *subject;
-    mbedtls_asn1_named_data *issuer;
-    mbedtls_md_type_t md_alg;
-    char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
-    char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
-    mbedtls_asn1_named_data *extensions;
+    int MBEDTLS_PRIVATE(version);
+    unsigned char MBEDTLS_PRIVATE(serial)[MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN];
+    size_t MBEDTLS_PRIVATE(serial_len);
+    mbedtls_pk_context *MBEDTLS_PRIVATE(subject_key);
+    mbedtls_pk_context *MBEDTLS_PRIVATE(issuer_key);
+    mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
+    mbedtls_asn1_named_data *MBEDTLS_PRIVATE(issuer);
+    mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+    char MBEDTLS_PRIVATE(not_before)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    char MBEDTLS_PRIVATE(not_after)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions);
 }
 mbedtls_x509write_cert;
 
+/**
+ * \brief           Set Subject Alternative Name
+ *
+ * \param ctx       Certificate context to use
+ * \param san_list  List of SAN values
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            "dnsName", "uniformResourceIdentifier", "IP address",
+ *                  "otherName", and "DirectoryName", as defined in RFC 5280,
+ *                  are supported.
+ */
+int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
+                                                       const mbedtls_x509_san_list *san_list);
+
 /**
  * Item in a verification chain: cert and flags for it
  */
 typedef struct {
-    mbedtls_x509_crt *crt;
-    uint32_t flags;
+    mbedtls_x509_crt *MBEDTLS_PRIVATE(crt);
+    uint32_t MBEDTLS_PRIVATE(flags);
 } mbedtls_x509_crt_verify_chain_item;
 
 /**
@@ -194,15 +261,15 @@ typedef struct {
  * Verification chain as built by \c mbedtls_crt_verify_chain()
  */
 typedef struct {
-    mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
-    unsigned len;
+    mbedtls_x509_crt_verify_chain_item MBEDTLS_PRIVATE(items)[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+    unsigned MBEDTLS_PRIVATE(len);
 
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
     /* This stores the list of potential trusted signers obtained from
      * the CA callback used for the CRT verification, if configured.
      * We must track it somewhere because the callback passes its
      * ownership to the caller. */
-    mbedtls_x509_crt *trust_ca_cb_result;
+    mbedtls_x509_crt *MBEDTLS_PRIVATE(trust_ca_cb_result);
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 } mbedtls_x509_crt_verify_chain;
 
@@ -213,23 +280,23 @@ typedef struct {
  */
 typedef struct {
     /* for check_signature() */
-    mbedtls_pk_restart_ctx pk;
+    mbedtls_pk_restart_ctx MBEDTLS_PRIVATE(pk);
 
     /* for find_parent_in() */
-    mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
-    mbedtls_x509_crt *fallback_parent;
-    int fallback_signature_is_good;
+    mbedtls_x509_crt *MBEDTLS_PRIVATE(parent); /* non-null iff parent_in in progress */
+    mbedtls_x509_crt *MBEDTLS_PRIVATE(fallback_parent);
+    int MBEDTLS_PRIVATE(fallback_signature_is_good);
 
     /* for find_parent() */
-    int parent_is_trusted; /* -1 if find_parent is not in progress */
+    int MBEDTLS_PRIVATE(parent_is_trusted); /* -1 if find_parent is not in progress */
 
     /* for verify_chain() */
     enum {
         x509_crt_rs_none,
         x509_crt_rs_find_parent,
-    } in_progress;  /* none if no operation is in progress */
-    int self_cnt;
-    mbedtls_x509_crt_verify_chain ver_chain;
+    } MBEDTLS_PRIVATE(in_progress);  /* none if no operation is in progress */
+    int MBEDTLS_PRIVATE(self_cnt);
+    mbedtls_x509_crt_verify_chain MBEDTLS_PRIVATE(ver_chain);
 
 } mbedtls_x509_crt_restart_ctx;
 
@@ -246,12 +313,12 @@ typedef void mbedtls_x509_crt_restart_ctx;
  * and compatibility with current deployments.
  *
  * This profile permits:
- * - SHA2 hashes.
- * - All supported elliptic curves.
+ * - SHA2 hashes with at least 256 bits: SHA-256, SHA-384, SHA-512.
+ * - Elliptic curves with 255 bits and above except secp256k1.
  * - RSA with 2048 bits and above.
  *
  * New minor versions of Mbed TLS may extend this profile, for example if
- * new curves are added to the library. New minor versions of Mbed TLS will
+ * new algorithms are added to the library. New minor versions of Mbed TLS will
  * not reduce this profile unless serious security concerns require it.
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
@@ -259,6 +326,7 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
 /**
  * Expected next default profile. Recommended for new deployments.
  * Currently targets a 128-bit security level, except for allowing RSA-2048.
+ * This profile may change at any time.
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
 
@@ -267,6 +335,12 @@ extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
  */
 extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
 
+/**
+ * Empty profile that allows nothing. Useful as a basis for constructing
+ * custom profiles.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_none;
+
 /**
  * \brief          Parse a single DER formatted certificate and add it
  *                 to the end of the provided chained list.
@@ -400,7 +474,7 @@ int mbedtls_x509_crt_parse_der_with_ext_cb(mbedtls_x509_crt *chain,
  *                 mbedtls_x509_crt_init().
  * \param buf      The address of the readable buffer holding the DER encoded
  *                 certificate to use. On success, this buffer must be
- *                 retained and not be changed for the liftetime of the
+ *                 retained and not be changed for the lifetime of the
  *                 CRT chain \p chain, that is, until \p chain is destroyed
  *                 through a call to mbedtls_x509_crt_free().
  * \param buflen   The size in Bytes of \p buf.
@@ -490,35 +564,8 @@ int mbedtls_x509_crt_parse_file(mbedtls_x509_crt *chain, const char *path);
 int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
 
 #endif /* MBEDTLS_FS_IO */
-/**
- * \brief          This function parses an item in the SubjectAlternativeNames
- *                 extension.
- *
- * \param san_buf  The buffer holding the raw data item of the subject
- *                 alternative name.
- * \param san      The target structure to populate with the parsed presentation
- *                 of the subject alternative name encoded in \p san_buf.
- *
- * \note           Only "dnsName" and "otherName" of type hardware_module_name
- *                 as defined in RFC 4180 is supported.
- *
- * \note           This function should be called on a single raw data of
- *                 subject alternative name. For example, after successful
- *                 certificate parsing, one must iterate on every item in the
- *                 \c crt->subject_alt_names sequence, and pass it to
- *                 this function.
- *
- * \warning        The target structure contains pointers to the raw data of the
- *                 parsed certificate, and its lifetime is restricted by the
- *                 lifetime of the certificate.
- *
- * \return         \c 0 on success
- * \return         #MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE for an unsupported
- *                 SAN type.
- * \return         Another negative value for any other failure.
- */
-int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
-                                        mbedtls_x509_subject_alternative_name *san);
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Returns an informational string about the
  *                 certificate.
@@ -548,6 +595,7 @@ int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
  */
 int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
                                  uint32_t flags);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
 
 /**
  * \brief          Verify a chain of certificates.
@@ -596,8 +644,12 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
  * \param cn       The expected Common Name. This will be checked to be
  *                 present in the certificate's subjectAltNames extension or,
  *                 if this extension is absent, as a CN component in its
- *                 Subject name. Currently only DNS names are supported. This
- *                 may be \c NULL if the CN need not be verified.
+ *                 Subject name. DNS names and IP addresses are fully
+ *                 supported, while the URI subtype is partially supported:
+ *                 only exact matching, without any normalization procedures
+ *                 described in 7.4 of RFC5280, will result in a positive
+ *                 URI verification.
+ *                 This may be \c NULL if the CN need not be verified.
  * \param flags    The address at which to store the result of the verification.
  *                 If the verification couldn't be completed, the flag value is
  *                 set to (uint32_t) -1.
@@ -766,7 +818,6 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
 
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 
-#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
 /**
  * \brief          Check usage of certificate against keyUsage extension.
  *
@@ -790,9 +841,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
  */
 int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
                                      unsigned int usage);
-#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
 
-#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
 /**
  * \brief           Check usage of certificate against extendedKeyUsage.
  *
@@ -809,7 +858,6 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
 int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt,
                                               const char *usage_oid,
                                               size_t usage_len);
-#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
 /**
@@ -851,6 +899,35 @@ void mbedtls_x509_crt_restart_free(mbedtls_x509_crt_restart_ctx *ctx);
 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+/**
+ * \brief               Query certificate for given extension type
+ *
+ * \param[in] ctx       Certificate context to be queried, must not be \c NULL
+ * \param ext_type      Extension type being queried for, must be a valid
+ *                      extension type. Must be one of the MBEDTLS_X509_EXT_XXX
+ *                      values
+ *
+ * \return              0 if the given extension type is not present,
+ *                      non-zero otherwise
+ */
+static inline int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *ctx,
+                                                int ext_type)
+{
+    return ctx->MBEDTLS_PRIVATE(ext_types) & ext_type;
+}
+
+/**
+ * \brief               Access the ca_istrue field
+ *
+ * \param[in] crt       Certificate to be queried, must not be \c NULL
+ *
+ * \return              \c 1 if this a CA certificate \c 0 otherwise.
+ * \return              MBEDTLS_ERR_X509_INVALID_EXTENSIONS if the certificate does not contain
+ *                      the Optional Basic Constraint extension.
+ *
+ */
+int mbedtls_x509_crt_get_ca_istrue(const mbedtls_x509_crt *crt);
+
 /** \} name Structures and functions for parsing and writing X.509 certificates */
 
 #if defined(MBEDTLS_X509_CRT_WRITE_C)
@@ -871,15 +948,43 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx);
  */
 void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version);
 
+#if defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
 /**
  * \brief           Set the serial number for a Certificate.
  *
+ * \deprecated      This function is deprecated and will be removed in a
+ *                  future version of the library. Please use
+ *                  mbedtls_x509write_crt_set_serial_raw() instead.
+ *
+ * \note            Even though the MBEDTLS_BIGNUM_C guard looks redundant since
+ *                  X509 depends on PK and PK depends on BIGNUM, this emphasizes
+ *                  a direct dependency between X509 and BIGNUM which is going
+ *                  to be deprecated in the future.
+ *
  * \param ctx       CRT context to use
  * \param serial    serial number to set
  *
  * \return          0 if successful
  */
-int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial);
+int MBEDTLS_DEPRECATED mbedtls_x509write_crt_set_serial(
+    mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial);
+#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
+
+/**
+ * \brief           Set the serial number for a Certificate.
+ *
+ * \param ctx          CRT context to use
+ * \param serial       A raw array of bytes containing the serial number in big
+ *                     endian format
+ * \param serial_len   Length of valid bytes (expressed in bytes) in \p serial
+ *                     input buffer
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
+ *                  is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
+ */
+int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
+                                         unsigned char *serial, size_t serial_len);
 
 /**
  * \brief           Set the validity period for a Certificate
@@ -985,7 +1090,7 @@ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
                                                 int is_ca, int max_pathlen);
 
-#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_MD_CAN_SHA1)
 /**
  * \brief           Set the subjectKeyIdentifier extension for a CRT
  *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
@@ -1007,7 +1112,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx
  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
  */
 int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx);
-#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_MD_CAN_SHA1 */
 
 /**
  * \brief           Set the Key Usage Extension flags
@@ -1021,6 +1126,19 @@ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *c
 int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
                                         unsigned int key_usage);
 
+/**
+ * \brief           Set the Extended Key Usage Extension
+ *                  (e.g. MBEDTLS_OID_SERVER_AUTH)
+ *
+ * \param ctx       CRT context to use
+ * \param exts      extended key usage extensions to set, a sequence of
+ *                  MBEDTLS_ASN1_OID objects
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
+                                            const mbedtls_asn1_sequence *exts);
+
 /**
  * \brief           Set the Netscape Cert Type flags
  *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
@@ -1049,19 +1167,16 @@ void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx);
  * \param ctx       certificate to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
- * \param f_rng     RNG function (for signature, see note)
+ * \param f_rng     RNG function. This must not be \c NULL.
  * \param p_rng     RNG parameter
  *
  * \return          length of data written if successful, or a specific
  *                  error code
  *
- * \note            f_rng may be NULL if RSA is used for signature and the
- *                  signature is made offline (otherwise f_rng is desirable
- *                  for countermeasures against timing attacks).
- *                  ECDSA signatures always require a non-NULL f_rng.
+ * \note            \p f_rng is used for the signature operation.
  */
 int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng);
 
 #if defined(MBEDTLS_PEM_WRITE_C)
@@ -1071,18 +1186,15 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, unsigned char *buf, s
  * \param ctx       certificate to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
- * \param f_rng     RNG function (for signature, see note)
+ * \param f_rng     RNG function. This must not be \c NULL.
  * \param p_rng     RNG parameter
  *
  * \return          0 if successful, or a specific error code
  *
- * \note            f_rng may be NULL if RSA is used for signature and the
- *                  signature is made offline (otherwise f_rng is desirable
- *                  for countermeasures against timing attacks).
- *                  ECDSA signatures always require a non-NULL f_rng.
+ * \note            \p f_rng is used for the signature operation.
  */
 int mbedtls_x509write_crt_pem(mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng);
 #endif /* MBEDTLS_PEM_WRITE_C */
 #endif /* MBEDTLS_X509_CRT_WRITE_C */

+ 108 - 26
thirdparty/mbedtls/include/mbedtls/x509_csr.h

@@ -9,12 +9,9 @@
  */
 #ifndef MBEDTLS_X509_CSR_H
 #define MBEDTLS_X509_CSR_H
+#include "mbedtls/private_access.h"
 
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "mbedtls/build_info.h"
 
 #include "mbedtls/x509.h"
 
@@ -33,6 +30,10 @@ extern "C" {
 
 /**
  * Certificate Signing Request (CSR) structure.
+ *
+ * Some fields of this structure are publicly readable. Do not modify
+ * them except via Mbed TLS library functions: the effect of modifying
+ * those fields or the data that those fields point to is unspecified.
  */
 typedef struct mbedtls_x509_csr {
     mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
@@ -45,11 +46,17 @@ typedef struct mbedtls_x509_csr {
 
     mbedtls_pk_context pk;          /**< Container for the public key context. */
 
+    unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
+    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
+    mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
+
+    int MBEDTLS_PRIVATE(ext_types);              /**< Bit string containing detected and parsed extensions */
+
     mbedtls_x509_buf sig_oid;
-    mbedtls_x509_buf sig;
-    mbedtls_md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
-    mbedtls_pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
-    void *sig_opts;         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+    mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+    mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *MBEDTLS_PRIVATE(sig_opts);         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
 }
 mbedtls_x509_csr;
 
@@ -57,10 +64,10 @@ mbedtls_x509_csr;
  * Container for writing a CSR
  */
 typedef struct mbedtls_x509write_csr {
-    mbedtls_pk_context *key;
-    mbedtls_asn1_named_data *subject;
-    mbedtls_md_type_t md_alg;
-    mbedtls_asn1_named_data *extensions;
+    mbedtls_pk_context *MBEDTLS_PRIVATE(key);
+    mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject);
+    mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+    mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions);
 }
 mbedtls_x509write_csr;
 
@@ -68,7 +75,9 @@ mbedtls_x509write_csr;
 /**
  * \brief          Load a Certificate Signing Request (CSR) in DER format
  *
- * \note           CSR attributes (if any) are currently silently ignored.
+ * \note           Any unsupported requested extensions are silently
+ *                 ignored, unless the critical flag is set, in which case
+ *                 the CSR is rejected.
  *
  * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
  *                 subsystem must have been initialized by calling
@@ -83,6 +92,67 @@ mbedtls_x509write_csr;
 int mbedtls_x509_csr_parse_der(mbedtls_x509_csr *csr,
                                const unsigned char *buf, size_t buflen);
 
+/**
+ * \brief          The type of certificate extension callbacks.
+ *
+ *                 Callbacks of this type are passed to and used by the
+ *                 mbedtls_x509_csr_parse_der_with_ext_cb() routine when
+ *                 it encounters either an unsupported extension.
+ *                 Future versions of the library may invoke the callback
+ *                 in other cases, if and when the need arises.
+ *
+ * \param p_ctx    An opaque context passed to the callback.
+ * \param csr      The CSR being parsed.
+ * \param oid      The OID of the extension.
+ * \param critical Whether the extension is critical.
+ * \param p        Pointer to the start of the extension value
+ *                 (the content of the OCTET STRING).
+ * \param end      End of extension value.
+ *
+ * \note           The callback must fail and return a negative error code
+ *                 if it can not parse or does not support the extension.
+ *                 When the callback fails to parse a critical extension
+ *                 mbedtls_x509_csr_parse_der_with_ext_cb() also fails.
+ *                 When the callback fails to parse a non critical extension
+ *                 mbedtls_x509_csr_parse_der_with_ext_cb() simply skips
+ *                 the extension and continues parsing.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+typedef int (*mbedtls_x509_csr_ext_cb_t)(void *p_ctx,
+                                         mbedtls_x509_csr const *csr,
+                                         mbedtls_x509_buf const *oid,
+                                         int critical,
+                                         const unsigned char *p,
+                                         const unsigned char *end);
+
+/**
+ * \brief          Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note           Any unsupported requested extensions are silently
+ *                 ignored, unless the critical flag is set, in which case
+ *                 the result of the callback function decides whether
+ *                 CSR is rejected.
+ *
+ * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
+ *                 subsystem must have been initialized by calling
+ *                 psa_crypto_init() before calling this function.
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ * \param cb       A callback invoked for every unsupported certificate
+ *                 extension.
+ * \param p_ctx    An opaque context passed to the callback.
+ *
+ * \return         0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der_with_ext_cb(mbedtls_x509_csr *csr,
+                                           const unsigned char *buf, size_t buflen,
+                                           mbedtls_x509_csr_ext_cb_t cb,
+                                           void *p_ctx);
+
 /**
  * \brief          Load a Certificate Signing Request (CSR), DER or PEM format
  *
@@ -115,6 +185,7 @@ int mbedtls_x509_csr_parse(mbedtls_x509_csr *csr, const unsigned char *buf, size
 int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path);
 #endif /* MBEDTLS_FS_IO */
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /**
  * \brief          Returns an informational string about the
  *                 CSR.
@@ -129,6 +200,7 @@ int mbedtls_x509_csr_parse_file(mbedtls_x509_csr *csr, const char *path);
  */
 int mbedtls_x509_csr_info(char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_csr *csr);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
 
 /**
  * \brief          Initialize a CSR
@@ -207,6 +279,20 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ
  */
 int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned char key_usage);
 
+/**
+ * \brief           Set Subject Alternative Name
+ *
+ * \param ctx       CSR context to use
+ * \param san_list  List of SAN values
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            Only "dnsName", "uniformResourceIdentifier" and "otherName",
+ *                  as defined in RFC 5280, are supported.
+ */
+int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ctx,
+                                                       const mbedtls_x509_san_list *san_list);
+
 /**
  * \brief           Set the Netscape Cert Type flags
  *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
@@ -226,6 +312,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
  * \param ctx       CSR context to use
  * \param oid       OID of the extension
  * \param oid_len   length of the OID
+ * \param critical  Set to 1 to mark the extension as critical, 0 otherwise.
  * \param val       value of the extension OCTET STRING
  * \param val_len   length of the value data
  *
@@ -233,6 +320,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
  */
 int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
                                         const char *oid, size_t oid_len,
+                                        int critical,
                                         const unsigned char *val, size_t val_len);
 
 /**
@@ -252,19 +340,16 @@ void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx);
  * \param ctx       CSR to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
- * \param f_rng     RNG function (for signature, see note)
+ * \param f_rng     RNG function. This must not be \c NULL.
  * \param p_rng     RNG parameter
  *
  * \return          length of data written if successful, or a specific
  *                  error code
  *
- * \note            f_rng may be NULL if RSA is used for signature and the
- *                  signature is made offline (otherwise f_rng is desirable
- *                  for countermeasures against timing attacks).
- *                  ECDSA signatures always require a non-NULL f_rng.
+ * \note            \p f_rng is used for the signature operation.
  */
 int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng);
 
 #if defined(MBEDTLS_PEM_WRITE_C)
@@ -275,18 +360,15 @@ int mbedtls_x509write_csr_der(mbedtls_x509write_csr *ctx, unsigned char *buf, si
  * \param ctx       CSR to write away
  * \param buf       buffer to write to
  * \param size      size of the buffer
- * \param f_rng     RNG function (for signature, see note)
+ * \param f_rng     RNG function. This must not be \c NULL.
  * \param p_rng     RNG parameter
  *
  * \return          0 if successful, or a specific error code
  *
- * \note            f_rng may be NULL if RSA is used for signature and the
- *                  signature is made offline (otherwise f_rng is desirable
- *                  for countermeasures against timing attacks).
- *                  ECDSA signatures always require a non-NULL f_rng.
+ * \note            \p f_rng is used for the signature operation.
  */
 int mbedtls_x509write_csr_pem(mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
-                              int (*f_rng)(void *, unsigned char *, size_t),
+                              mbedtls_f_rng_t *f_rng,
                               void *p_rng);
 #endif /* MBEDTLS_PEM_WRITE_C */
 #endif /* MBEDTLS_X509_CSR_WRITE_C */

+ 0 - 126
thirdparty/mbedtls/include/mbedtls/xtea.h

@@ -1,126 +0,0 @@
-/**
- * \file xtea.h
- *
- * \brief XTEA block cipher (32-bit)
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
- */
-#ifndef MBEDTLS_XTEA_H
-#define MBEDTLS_XTEA_H
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define MBEDTLS_XTEA_ENCRYPT     1
-#define MBEDTLS_XTEA_DECRYPT     0
-
-/** The data input has an invalid length. */
-#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028
-
-/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
-/** XTEA hardware accelerator failed. */
-#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if !defined(MBEDTLS_XTEA_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          XTEA context structure
- */
-typedef struct mbedtls_xtea_context {
-    uint32_t k[4];       /*!< key */
-}
-mbedtls_xtea_context;
-
-#else  /* MBEDTLS_XTEA_ALT */
-#include "xtea_alt.h"
-#endif /* MBEDTLS_XTEA_ALT */
-
-/**
- * \brief          Initialize XTEA context
- *
- * \param ctx      XTEA context to be initialized
- */
-void mbedtls_xtea_init(mbedtls_xtea_context *ctx);
-
-/**
- * \brief          Clear XTEA context
- *
- * \param ctx      XTEA context to be cleared
- */
-void mbedtls_xtea_free(mbedtls_xtea_context *ctx);
-
-/**
- * \brief          XTEA key schedule
- *
- * \param ctx      XTEA context to be initialized
- * \param key      the secret key
- */
-void mbedtls_xtea_setup(mbedtls_xtea_context *ctx, const unsigned char key[16]);
-
-/**
- * \brief          XTEA cipher function
- *
- * \param ctx      XTEA context
- * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
- * \param input    8-byte input block
- * \param output   8-byte output block
- *
- * \return         0 if successful
- */
-int mbedtls_xtea_crypt_ecb(mbedtls_xtea_context *ctx,
-                           int mode,
-                           const unsigned char input[8],
-                           unsigned char output[8]);
-
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-/**
- * \brief          XTEA CBC cipher function
- *
- * \param ctx      XTEA context
- * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
- * \param length   the length of input, multiple of 8
- * \param iv       initialization vector for CBC mode
- * \param input    input block
- * \param output   output block
- *
- * \return         0 if successful,
- *                 MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
- */
-int mbedtls_xtea_crypt_cbc(mbedtls_xtea_context *ctx,
-                           int mode,
-                           size_t length,
-                           unsigned char iv[8],
-                           const unsigned char *input,
-                           unsigned char *output);
-#endif /* MBEDTLS_CIPHER_MODE_CBC */
-
-#if defined(MBEDTLS_SELF_TEST)
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int mbedtls_xtea_self_test(int verbose);
-
-#endif /* MBEDTLS_SELF_TEST */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* xtea.h */
